RE: ICMP/SYN Flood
From: Whiteside, Larry [contractor] (BAE14_at_SPHQ.SSP.NAVY.MIL)
Date: 05/22/03
- Previous message: lists_at_khimich.com: "Re: DDoS Attack"
- Maybe in reply to: Muhammad Naseer Bhatti: "ICMP/SYN Flood"
- Next in thread: Sebastian Jaenicke: "Re: ICMP/SYN Flood"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 May 2003 15:36:11 -0400 To: "Muhammad Naseer Bhatti" <mail-lists@digitallinx.com>
Everything you are seeing should be blocked at the router. The fact that they aren't tell me a lot more is not either. Scary! Anyway, go to NSA's website and have them download their router config guide. It is what I use and is GREAT. It will give them all the things needed to lock down their router. It is very simple to follow along and they give you a lot of commands. If they cannot use this then God help you all!
http://www.nsa.gov/snac/cisco/download.htm
L
***************************
Larry Whiteside Jr.
Sr. Security Engineer
-----Original Message-----
From: Muhammad Naseer Bhatti [mailto:mail-lists@digitallinx.com]
Sent: Wednesday, May 21, 2003 10:47 PM
To: incidents@securityfocus.com
Subject: ICMP/SYN Flood
Hi list ..
I am experiencing a bad DDoS attack toward one of my server. The attack is
pointed to only 1 IP on which a governmental site is hosted. Seems some
folks don't like the site to stay up. As far as the Server (Linux) security
is concerned, I am able to make that up serving all requests without any
hesitation. My network with which I am connected to is poorly configured and
allowing the DDoS attack to pass thru their routers. I am getting two kind
of attacks here:
- ICMP Flood
Simple ICMP flood from various spoofed hosts. This I know can be
blocked on the router for the particular IP. Unfortunately the network guys
are still not able to do that.
- SYN Flood
Interesting thing. Loots of SYN requests from these kind of
network/broadcasts towards port 80 only.
37.72.0.0
128.89.0.0
173.66.0.0
37.155.0.0
177.225.0.0
37.94.0.0
36.162.0.0
117.77.0.0
151.162.0.0
36.216.0.0
134.248.0.0
175.129.0.0
And the list goes oon .. The question I want to ask here, is the
network/router poorly configured at my NOC which is allowing
broadcasts/networks to pass through it? If so, how can I assist them to fix
it? I am not a Cisco guru, so might need someone to give me some hints so
that I can pass that to the poor NOC techs.
Any help would be appreciated.
Thanks,
Muhammad Naseer
----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------
- Previous message: lists_at_khimich.com: "Re: DDoS Attack"
- Maybe in reply to: Muhammad Naseer Bhatti: "ICMP/SYN Flood"
- Next in thread: Sebastian Jaenicke: "Re: ICMP/SYN Flood"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
