ICMP/SYN Flood

From: Muhammad Naseer Bhatti (mail-lists_at_digitallinx.com)
Date: 05/22/03

    To: <incidents@securityfocus.com>
    Date: Thu, 22 May 2003 07:47:21 +0500

    Hi list ..

    I am experiencing a bad DDoS attack toward one of my servers. The attack is
    pointed to only 1 IP on which a governmental site is hosted. Seems some
    folks don't like the site to stay up. As far as the Server (Linux) security
    is concerned, I am able to make that up serving all requests without any
    hesitation. The network I am connected to is poorly configured and is
    allowing the DDoS attack to pass through their routers. I am getting two kinds
    of attacks here:

    - ICMP Flood
            Simple ICMP flood from various spoofed hosts. This I know can be
    blocked on the router for the particular IP. Unfortunately the network guys
    are still not able to do that.

    - SYN Flood
            Interesting thing. Lots of SYN requests from these kinds of
    networks/broadcasts towards port 80 only.


    And the list goes on .. The question I want to ask here, is the
    network/router poorly configured at my NOC which is allowing
    broadcasts/networks to pass through it? If so, how can I assist them to fix
    it? I am not a Cisco guru, so might need someone to give me some hints so
    that I can pass that to the poor NOC techs.

    Any help would be appreciated.

    Thanks,

    Muhammad Naseer
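As an added defender-side example (not from the post or from any reply on the list), a small Python script that applies the two observations above to tcpdump-style summary lines: it counts SYNs per destination port and how many distinct sources sent them, counts ICMP echo requests per target, and flags source addresses of the x.y.0.0 form, which are network numbers rather than hosts and so indicate spoofed traffic that an upstream router with ingress filtering would have dropped. The sample lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style lines (invented for this example, not taken from the post).
SAMPLE_LINES = [
    "07:47:21.000101 IP 37.72.0.0.4012 > 10.0.0.1.80: Flags [S], seq 1, win 512",
    "07:47:21.000205 IP 128.89.0.0.4013 > 10.0.0.1.80: Flags [S], seq 1, win 512",
    "07:47:21.000309 IP 173.66.0.0.4014 > 10.0.0.1.80: Flags [S], seq 1, win 512",
    "07:47:21.000601 IP 192.0.2.10.51000 > 10.0.0.1.80: Flags [S], seq 9, win 65535",
    "07:47:21.000803 IP 36.162.0.0 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64",
    "07:47:21.000904 IP 117.77.0.0 > 10.0.0.1: ICMP echo request, id 1, seq 2, length 64",
    "07:47:21.001005 IP 151.162.0.0 > 10.0.0.1: ICMP echo request, id 1, seq 3, length 64",
]
SYN_RE = re.compile(r"IP (\S+?)\.(\d+) > (\S+?)\.(\d+): Flags \[S\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")

def is_network_number(ip):
    return ip.endswith(".0.0")  # e.g. 37.72.0.0 is a network number, never a real host, so spoofed

def summarize(lines):
    syn = defaultdict(list)   # (dst, port) -> source IP of every SYN seen
    icmp = Counter()          # dst -> ICMP echo requests seen
    bogus = set()             # sources that are network numbers
    for line in lines:
        m = SYN_RE.search(line)
        if m:
            src, _, dst, port = m.groups()
            syn[(dst, int(port))].append(src)
        else:
            m = ICMP_RE.search(line)
            if not m:
                continue
            src, dst = m.groups()
            icmp[dst] += 1
        if is_network_number(src):
            bogus.add(src)
    return syn, icmp, bogus

def flood_alerts(lines, syn_threshold=4, icmp_threshold=3):
    syn, icmp, bogus = summarize(lines)
    alerts = []
    for (dst, port), sources in syn.items():
        n, distinct = len(sources), len(set(sources))
        if n >= syn_threshold and distinct >= 0.8 * n:  # nearly every SYN from a different source
            alerts.append(f"SYN flood to {dst}:{port}: {n} SYNs from {distinct} sources")
    for dst, n in icmp.items():
        if n >= icmp_threshold:
            alerts.append(f"ICMP echo flood to {dst}: {n} requests")
    if bogus:
        alerts.append(f"{len(bogus)} spoofed network-number sources: upstream lacks ingress filtering")
    return alerts
```

Run `flood_alerts(SAMPLE_LINES)` to get the three alerts for the constructed sample; on a real capture, feed it the output of `tcpdump -n` line by line and tune the thresholds to the site's normal rate.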
