Re: ICMP/SYN Flood
From: CTA (dnsadmin_at_INTRAMEDX.COM)
Date: 05/22/03
- Previous message: Kevin Reardon: "Re: A question for the list..."
- In reply to: Muhammad Naseer Bhatti: "ICMP/SYN Flood"
- Next in thread: Dr J: "Re: ICMP/SYN Flood"
To: "Muhammad Naseer Bhatti" <mail-lists@digitallinx.com>, <incidents@securityfocus.com>
Date: Thu, 22 May 2003 15:31:55 -0400
Looks like your ISP has an open router. If it's a Cisco, be sure
that they have the basics set:

! global configuration mode
no ip source-route
no cdp run
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
! interface configuration mode, on every interface
no ip directed-broadcast
no cdp enable

Also, they should have a basic anti-spoofing access-list filter
set to drop and log, and ingress filters to stop untrusted
internal hosts.
On 22 May 2003, at 7:47, Muhammad Naseer Bhatti wrote:
> Hi list ..
>
> I am experiencing a bad DDoS attack toward one of my servers. The attack is
> pointed at only 1 IP, on which a governmental site is hosted. Seems some
> folks don't like the site to stay up. As far as the server (Linux) security
> is concerned, I am able to keep it up, serving all requests without any
> hesitation. The network I am connected to is poorly configured and is
> allowing the DDoS attack to pass through their routers. I am getting two kinds
> of attacks here:
>
> - ICMP Flood
> Simple ICMP flood from various spoofed hosts. This I know can be
> blocked on the router for the particular IP. Unfortunately the network guys
> are still not able to do that.
>
> - SYN Flood
> Interesting thing. Lots of SYN requests from these kinds of
> network/broadcast addresses towards port 80 only.
>
> 37.72.0.0
> 128.89.0.0
> 173.66.0.0
> 37.155.0.0
> 177.225.0.0
> 37.94.0.0
> 36.162.0.0
> 117.77.0.0
> 151.162.0.0
> 36.216.0.0
> 134.248.0.0
> 175.129.0.0
>
> And the list goes on .. The question I want to ask here is: is the
> network/router poorly configured at my NOC, which is allowing
> broadcasts/networks to pass through it? If so, how can I assist them to fix
> it? I am not a Cisco guru, so I might need someone to give me some hints
> that I can pass on to the poor NOC techs.
>
> Any help would be appreciated.
>
>
> Thanks,
>
> Muhammad Naseer
>
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta@hcsin.net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
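A worked version of the filters Bernie describes, added here as an illustration; it is not part of the original message and not anyone's production configuration. It assumes the customer has been allocated 192.0.2.0/24 (a documentation prefix used as a placeholder), that the upstream link is Serial0/0, that the customer LAN is FastEthernet0/0, and that the router runs an IOS release with CEF and unicast RPF; substitute the real prefix and interface names.

```cisco
! Added example: anti-spoofing ACLs, unicast RPF and ICMP rate-limiting for
! the NOC's Cisco router. Assumed values: customer prefix 192.0.2.0/24,
! upstream interface Serial0/0, customer LAN FastEthernet0/0.
ip cef
!
! Inbound from the Internet: drop and log packets whose source address
! could not legitimately have arrived from upstream.
ip access-list extended ANTISPOOF-IN
 remark our own prefix arriving from outside is spoofed
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark RFC 1918, loopback, "this" network, link-local, multicast/class E sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 permit ip any any
!
! Inbound from the customer LAN (the "ingress filter" for internal hosts):
! only our own prefix may appear as a source, so a compromised internal host
! cannot emit spoofed packets toward others.
ip access-list extended ANTISPOOF-LAN
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! ICMP echo/echo-reply toward the customer, rate-limited with CAR to 256 kbit/s.
access-list 150 permit icmp any 192.0.2.0 0.0.0.255 echo
access-list 150 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
!
! Log at most one ACL hit per second so a flood cannot pin the CPU on logging.
ip access-list logging interval 1000
!
interface Serial0/0
 description Upstream
 ip access-group ANTISPOOF-IN in
 ! loose-mode uRPF: drop sources for which there is no route at all
 ip verify unicast source reachable-via any
 rate-limit input access-group 150 256000 8000 8000 conform-action transmit exceed-action drop
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/0
 description Customer LAN
 ip access-group ANTISPOOF-LAN in
 ! strict-mode uRPF: the source must route back out this same interface
 ip verify unicast source reachable-via rx
 no ip directed-broadcast
 no cdp enable
```

Two caveats a NOC should hear before pasting this in. Strict-mode uRPF (`reachable-via rx`) belongs only on interfaces with symmetric routing, such as a single-homed customer LAN; on the upstream link, where the return path is usually a default route, strict mode would drop nearly everything, which is why the example uses loose mode there. And the `log` keyword on every deny line is for diagnosis: under a sustained flood it is safer to keep the logging interval, or to drop `log` from the high-volume entries once the spoofed ranges have been confirmed, and rely on `show access-lists` hit counters instead.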