Re: How to repel DoS attack?
From: Steven Aiello (sma92878@hotmail.com)
Date: 03/19/03
- In reply to: Gerg Monasco: "How to repel DoS attack?"
Date: Wed, 19 Mar 2003 09:51:46 -0500 From: Steven Aiello <sma92878@hotmail.com>
Greg,
Stopping DoS attacks can be complex but not impossible; DDoS adds a new
level of complexity. The first thing you should do is create time maps
of when you're being attacked; second is to let a piece of logging
software track your incoming IP addresses that are flooding you. Try to
tell if these addresses are being spoofed or if they are valid IP
addresses. You could be lucky and have a know-nothing script kiddie
sitting on his PC with a tool. However, if the IP addresses are being
spoofed, then look to see if they are typically non-routable addresses,
typically 10.x.x.x or 192.168.x.x. If you see this pattern you should
smack your Cisco admin upside his head. Your router is the best first
line of defense you can have for DoS and other attacks. Correctly
configured router ACLs (access control lists) can save you a lot of
stress. Also consider what type of firewall you are using. I
personally run a version of WatchGuard at our site and you can set the
open SYN threshold to a low number; also you can increase the amount
of open SYN connections on your server. This should not impact valid
users or your server because of the following. First, a good firewall
will complete the SYN session for you before transferring the service
to your web server. This is a HUGE HUGE help. Also, boosting open SYN
port from, let's say, 10 to 20 should hit the server for CPU time. These
three things alone can help you greatly.
ACL
Firewall
SYN Settings on the server
However, you may also want to configure dynamic filtering on your
firewall. If you see a pattern of spoofed IP addresses, let's say in the
case of a DDoS attack where the offender may have 100 or so zombies, you
can set a firewall to identify computers that are flooding traffic or SYN
requests and block these specific IP addresses for a certain amount of time.
I hope all of this helps. DoS and DDoS are a pain; this is why network
security is so difficult. You really need to know and understand all
areas of your network to make an effective defense.
Best luck,
Steven M Aiello
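
The two checks described in the message above (flagging non-routable source addresses, and temporarily blocking sources that flood SYN requests), as an added example that is not part of the original post. The log tuples, threshold, window and block duration are constructed values; 172.16.0.0/12 is included next to the two ranges the post names because it is the third RFC 1918 private block.

```python
import ipaddress
from collections import defaultdict, deque

# RFC 1918 private ranges: never valid as a source on the Internet-facing side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: (epoch seconds, source IP) for each inbound SYN.
SAMPLE_SYNS = (
    [(1000 + i // 3, "203.0.113.7") for i in range(30)]    # flooding host
    + [(1000 + i, "10.1.2.3") for i in range(3)]           # spoofed private source
    + [(1000 + i * 5, "198.51.100.20") for i in range(4)]  # ordinary client
    + [(1001, "192.168.0.9")]                              # spoofed private source
)

def is_non_routable(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyse(events, window=10, threshold=20, block_for=300.0):
    """Return (spoofed, blocks).

    spoofed: private-range sources seen on the external interface; these
             belong in a router ACL, not in a per-host block list.
    blocks:  {ip: unblock_time} for routable sources that sent more than
             `threshold` SYNs within `window` seconds.
    """
    spoofed, blocks = set(), {}
    recent = defaultdict(deque)          # per-source sliding window of SYN times
    for ts, ip in sorted(events):
        if is_non_routable(ip):
            spoofed.add(ip)
            continue
        if blocks.get(ip, 0) > ts:       # still inside its temporary block
            continue
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window: # expire SYNs older than the window
            q.popleft()
        if len(q) > threshold:
            blocks[ip] = ts + block_for  # dynamic filter: block for a fixed time
            q.clear()
    return spoofed, blocks

if __name__ == "__main__":
    spoofed, blocks = analyse(SAMPLE_SYNS)
    print("spoofed private sources:", sorted(spoofed))
    print("temporary blocks (ip -> unblock time):", blocks)
```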