Security Basics mailing list archives
Re: DoS against ISP: what is "normal?"
From: Jay DeSotel <jay () interl net>
Date: Fri, 18 Oct 2002 10:58:50 -0500 (CDT)
On 18 Oct 2002, Robert Inder wrote:
> I've tried searching for information on what would be a "typical" level of disruption for a small-to-medium ISP, but couldn't find anything.
Not sure if there is such a thing. It's getting to be more and more difficult to keep up with security issues anymore; they seem to be coming out 3 and 4 at a time. I'm the head Admin for a medium ISP and consult for 2 smaller ISPs. In the last 2 years, the 3 companies combined have had less than 8 hours of downtime due to a DoS attack or similar event. I can tell you that it is a full-time job to keep everything patched and upgraded to fix security issues, even more so in a large network.
> Is a major DoS attack every few months par for the course these days? Or a sign that someone has really got it in for these guys?
I might lean more towards someone having it in for them. Most of the time DoS attacks have some sort of "grudge" attached to them IMHO. Whether it be trying to give competition bad PR or a former employee, etc.
> Is it reasonable for them to take "a few hours" to bring such an incident under control, or does this suggest there is something wrong?
Depends on the nature of the attack, honestly. If they were able to put filters in place to prevent this, why would that have taken hours, and not minutes? Again, please keep in mind that it just depends on the attack method used. Sometimes it just takes time to get a handle on the entire situation and come up with a solution, not just to fix it now, but to prevent it in the future. This may well be the case with the above-mentioned ISP. Also remember that it is just as important to fix it as it is to try and gather information about the attacker. Most of the time, once the attack is blocked, it will stop, thus no more evidence to collect. Maybe they let it slide for a while so they could try to trace it back to the culprit.

--
Jay DeSotel
Systems Administrator
InterLink L.C.
<jay () interl net>
Voice-(319)524-2895 Fax-(319)524-3175