Security Basics mailing list archives

Re: DoS against ISP: what is "normal?"


From: Jay DeSotel <jay () interl net>
Date: Fri, 18 Oct 2002 10:58:50 -0500 (CDT)

On 18 Oct 2002, Robert Inder wrote:
I've tried searching for information on what would be a "typical"
level of disruption for a small-to-medium ISP, but couldn't find
anything.

Not sure if there is such a thing. It's getting to be more and more
difficult to keep up with security issues anymore, they seem to be coming
out 3 and 4 at a time. I'm the head Admin for a medium ISP and consult for
2 smaller ISPs. In the last 2 years, the 3 companies combined have had
less than 8 hours of downtime due to a DoS attack or similar event.
I can tell you that it is a full-time job to keep everything patched and
upgraded to fix security issues, even more so in a large network.

Is a major DoS attack every few months par for the course these days?
Or a sign that someone has really got it in for these guys?

I might lean more towards someone having it in for them. Most of the time
DoS attacks have some sort of "grudge" attached to them IMHO. Whether it
be trying to give competition bad PR or a former employee, etc.

Is it reasonable for them to take "a few hours" to bring such an
incident under control, or does this suggest there is something wrong?

Depends on the nature of the attack honestly. If they were able to put
filters in place to prevent this, why would that have taken hours, and not
minutes? Again, please keep in mind that it just depends on the attack
method used. Sometimes it just takes time to get a handle on the entire
situation and come up with a solution, not just to fix it now, but to
prevent it in the future. This may well be the case with the
above-mentioned ISP.

Also remember that it is just as important to fix it as it is to try and
gather information about the attacker. Most of the time, once the attack
is blocked, it will stop, thus no more evidence to collect. Maybe they
let it slide for a while so they could try to trace it back to the culprit.

--
Jay DeSotel
Systems Administrator
InterLink L.C.
<jay () interl net>
Voice-(319)524-2895
Fax-(319)524-3175