Re: ICMP/SYN Flood

From: Muhammad Naseer Bhatti (mail-lists_at_digitallinx.com)
Date: 05/22/03

    To: "Tom Vande Stouwe" <tomv@conpro.net>, <incidents@securityfocus.com>
    Date: Fri, 23 May 2003 00:21:45 +0500
    
    

    Yes, I can always null route the IP at the router and let the traffic block
    there. But the question is how I can prevent it from happening again in the
    future. Whenever I update the DNS, the DDoS can be started at the new IP
    again. There should be some kind of protection that can be done at the
    router so that it won't let the traffic pass.

    -Naseer

    ----- Original Message -----
    From: "Tom Vande Stouwe" <tomv@conpro.net>
    To: "'Muhammad Naseer Bhatti'" <mail-lists@digitallinx.com>
    Sent: Friday, May 23, 2003 12:19 AM
    Subject: RE: ICMP/SYN Flood

    > If the attack is against a particular IP, why not readdress that server
    > and update the DNS. It might catch them off guard and the flood can be
    > stopped by the IP at the router
    >
    > Tom
    >
    > -----Original Message-----
    > From: Muhammad Naseer Bhatti [mailto:mail-lists@digitallinx.com]
    > Sent: Wednesday, May 21, 2003 10:47 PM
    > To: incidents@securityfocus.com
    > Subject: ICMP/SYN Flood
    >
    > Hi list ..
    >
    > I am experiencing a bad DDoS attack toward one of my servers. The attack
    > is pointed at only 1 IP, on which a governmental site is hosted. Seems some
    > folks don't like the site to stay up. As far as the server (Linux)
    > security is concerned, I am able to keep it up serving all requests without
    > any hesitation. The network I am connected to is poorly configured and
    > allowing the DDoS attack to pass through their routers. I am getting two
    > kinds of attacks here:
    >
    > - ICMP Flood
    > Simple ICMP flood from various spoofed hosts. This I know can be
    > blocked on the router for the particular IP. Unfortunately the network
    > guys are still not able to do that.
    >
    > - SYN Flood
    > Interesting thing. Lots of SYN requests from these kinds of
    > network/broadcast addresses towards port 80 only.
    >
    > And the list goes on .. The question I want to ask here is: is the
    > network/router poorly configured at my NOC, which is allowing
    > broadcasts/networks to pass through it? If so, how can I assist them to
    > fix it? I am not a Cisco guru, so I might need someone to give me some
    > hints that I can pass on to the poor NOC techs.
    >
    > Any help would be appreciated.
    >
    >
    > Thanks,
    >
    > Muhammad Naseer
    >
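The SYN flood Naseer describes comes from sources that look like network or broadcast addresses (a.b.0.0), which should never arrive on an Internet-facing link and which ingress filtering at the upstream router would drop. The following is an added example, not code from the thread: it runs a bogus-source check over constructed flow records to show which SYN sources to port 80 a router-side filter should have caught. The flow tuples, the host addresses 37.72.12.34 and 128.89.1.7, and the function names are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of (src_ip, dst_port, tcp_flags) records, modelled on the
# SYN flood in the thread: a.b.0.0 / a.b.255.255 sources sending SYNs to port 80.
# 37.72.12.34 and 128.89.1.7 stand in for ordinary clients. Not real capture data.
SAMPLE_FLOWS = [
    ("37.72.0.0", 80, "S"), ("128.89.0.0", 80, "S"), ("173.66.0.0", 80, "S"),
    ("37.155.0.0", 80, "S"), ("36.162.255.255", 80, "S"), ("10.9.8.7", 80, "S"),
    ("37.72.12.34", 80, "S"), ("37.72.12.34", 80, "A"), ("128.89.1.7", 443, "S"),
]


def bogus_source(ip: str) -> bool:
    """True if ip should never appear as a packet source on an Internet link.

    Flags (a) addresses whose low 16 bits are all zero or all one, i.e. the
    network/broadcast-looking sources quoted in the thread, and (b) addresses
    that are private, loopback, link-local, multicast, reserved or unspecified,
    which a classic ingress (anti-spoofing) ACL also drops."""
    addr = ipaddress.IPv4Address(ip)
    low16 = int(addr) & 0xFFFF
    if low16 in (0x0000, 0xFFFF):
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def syn_counts(flows, port=80) -> Counter:
    """Count pure SYNs (flags == 'S') per source towards one destination port."""
    return Counter(src for src, dport, flags in flows
                   if dport == port and flags == "S")


def suspicious_sources(flows, port=80):
    """Sources that sent SYNs to `port` and fail the bogus-source check,
    sorted numerically; these are what the upstream router should have dropped."""
    flagged = [src for src in syn_counts(flows, port) if bogus_source(src)]
    return sorted(flagged, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    counts = syn_counts(SAMPLE_FLOWS)
    for src in suspicious_sources(SAMPLE_FLOWS):
        print(f"drop at ingress: {src}  syns_to_80={counts[src]}")
```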


