RE: DOS Attack?

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 11/29/04

  • Next message: Javier Sanchez: "Re: how do i read this IDS log?"
    To: "'Shawn Wall'" <sjwall@shaw.ca>
    Date: Mon, 29 Nov 2004 10:48:11 -0800

    It's awkward. For efficiency, you'd like "established" to be as close
    to the top of the list as possible. To block this kind of traffic, you
    need to block it ahead of the "established".

    The only/correct solution is to use a "real" stateful firewall, instead
    of just a packet filter.

    David Gillett

    > -----Original Message-----
    > From: Shawn Wall [mailto:sjwall@shaw.ca]
    > Sent: Monday, November 29, 2004 10:05 AM
    > To: gillettdavid@fhda.edu
    > Subject: RE: DOS Attack?
    >
    > Hi David. Thanks for your reply. I wanted to follow up with on point
    > number 1. In fact, this is exactly the type of traffic I see during the
    > outage. Do you know of a way to defeat this? Thanks.
    >
    > shawn
    >
    > -----Original Message-----
    > From: David Gillett [mailto:gillettdavid@fhda.edu]
    > Sent: Monday, November 29, 2004 10:28 AM
    > To: 'Shawn Wall'; security-basics@securityfocus.com
    > Subject: RE: DOS Attack?
    >
    > 1. If you have "established" in your ACL, it will allow in any TCP
    > packet that doesn't just have the SYN flag set. I've seen nasty traffic
    > send only RST packets to get the traffic past an ACL...
    >
    > 2. DoS attacks often rely on resource starvation, and the easiest
    > resource to consume is bandwidth. If I were to send you more traffic
    > than your pipe could carry, packets would have to be lost -- even if you
    > were dropping all of my traffic when it reached your ACL. And if packets
    > are being dropped at the upstream end of your pipe, there can be good
    > odds that legitimate connections originating from your network never
    > receive their answers....
    >
    > David Gillett
    >
    > > -----Original Message-----
    > > From: Shawn Wall [mailto:sjwall@shaw.ca]
    > > Sent: Wednesday, November 24, 2004 6:23 PM
    > > To: security-basics@securityfocus.com
    > > Subject: DOS Attack?
    > >
    > > Hi List,
    > >
    > > I'm currently experiencing network outages due to what appears to be
    > > DOS attacks. I'm running a wireless ISP using a Cisco 2611 and CBAC
    > > and I have a /24 public address range. During the outage I can see
    > > traffic from a single external host sending thousands of packets to a
    > > single internal host. I don't have port 80 inbound open in my ACLs so
    > > I don't understand how the external host is even able to contact the
    > > internal host to begin with.
    > > Secondly, how is it possible for an attack on 1 internal host to
    > > cripple the rest of my network? Any feedback would be welcome. Thanks.
    > >
    > > shawn

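The two replies above describe a gap in stateless ACLs and the fix for it. The following Python model is an added illustration, not code from this thread, from Cisco, or from any list member. It assumes the Cisco IOS semantics of the `established` keyword (a match when the ACK or RST bit is set), which is why a bare RST passes; the addresses, ports and packet counts are constructed. The `denied_sources` parameter models David's point that an explicit deny only helps if it sits ahead of the `established` line, and `StatefulFirewall` is a minimal connection tracker standing in for the "real" stateful firewall he recommends (CBAC on the 2611 would play that role; this is not CBAC's code).

```python
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges; not from the thread.
INTERNAL_HOST = "198.51.100.10"
WEB_SERVER = "203.0.113.5"
REMOTE_SOURCE = "192.0.2.77"  # the unsolicited external sender in the scenario


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"S", "A", "R", "F"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def acl_established_matches(p):
    """Cisco IOS 'established' keyword: a match if ACK or RST is set.
    A bare RST therefore matches, which is the gap the reply describes."""
    return "A" in p.flags or "R" in p.flags


def packet_filter_allows(p, open_ports=frozenset(), denied_sources=frozenset()):
    """Stateless inbound ACL, evaluated top to bottom:
       1. explicit denies (must sit ahead of 'established' to have any effect)
       2. permit tcp any any established
       3. permit listed destination ports
       4. implicit deny"""
    if p.src in denied_sources:
        return False
    if acl_established_matches(p):
        return True
    return p.dport in open_ports


class StatefulFirewall:
    """Minimal connection tracker: inbound TCP is only accepted when it belongs
    to a flow an internal host opened, or is a SYN to an explicitly open port."""

    def __init__(self):
        self.flows = set()  # (remote_ip, remote_port, local_ip, local_port)

    def outbound(self, p):
        if "S" in p.flags and "A" not in p.flags:
            self.flows.add((p.dst, p.dport, p.src, p.sport))
        return True

    def inbound(self, p, open_ports=frozenset()):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.flows:
            if "R" in p.flags or "F" in p.flags:
                self.flows.discard(key)  # flow torn down by the peer
            return True
        return "S" in p.flags and "A" not in p.flags and p.dport in open_ports


def simulate(denied_sources=frozenset()):
    """Replay constructed traffic through both filters and count what gets in."""
    fw = StatefulFirewall()
    # The internal host opens a legitimate connection to an outside web server.
    fw.outbound(pkt(INTERNAL_HOST, 40000, WEB_SERVER, 80, "S"))
    inbound = [pkt(WEB_SERVER, 80, INTERNAL_HOST, 40000, "S", "A")]  # its SYN/ACK
    # Five unsolicited RST-only packets aimed at the internal host.
    inbound += [pkt(REMOTE_SOURCE, 1024 + i, INTERNAL_HOST, 80, "R") for i in range(5)]
    # An unsolicited SYN to port 80, which neither filter has open.
    inbound.append(pkt(REMOTE_SOURCE, 2000, INTERNAL_HOST, 80, "S"))

    acl_passed = sum(packet_filter_allows(p, denied_sources=denied_sources) for p in inbound)
    stateful_passed = sum(fw.inbound(p) for p in inbound)
    return {"total_inbound": len(inbound), "acl_passed": acl_passed,
            "stateful_passed": stateful_passed}


if __name__ == "__main__":
    print("plain ACL vs stateful:", simulate())
    print("with deny ahead of 'established':", simulate(denied_sources={REMOTE_SOURCE}))
```

Running it shows the stateless ACL admitting the reply to the internal host's own connection plus all five unsolicited RSTs, while the stateful tracker admits only the reply; adding the source to `denied_sources` closes the ACL gap, but only because the deny is evaluated before `established`, which is exactly the ordering cost David calls awkward. Note the second reply's point still stands: neither filter helps once the upstream link itself is saturated.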
