Security Basics mailing list archives

Re: DOS Attack?


From: Mario Pascucci <ilpettegolo () yahoo it>
Date: Thu, 25 Nov 2004 23:14:08 +0100

On Thu, 2004-11-25 at 03:22, Shawn Wall wrote:
> Hi List,
>
> I'm currently experiencing network outages due to what appears to be DOS
> attacks. I'm running a wireless ISP using a Cisco 2611 and CBAC and I have a
> /24 public address range. During the outage I can see traffic from a single
> external host sending thousands of packets to a single internal host. I
> don't have port 80 inbound open in my ACLs so I don't understand how the
> external host is even able to contact the internal host to begin with.
> Secondly, how is it possible for an attack on 1 internal host to cripple the
> rest of my network? Any feedback would be welcome. Thanks.

Hi,
consider that most worms (like Gaobot or SDbot or almost all *bot worms)
use a connection from the infected PC to an attacker-owned IRC server, to give
control even if the PC is behind a firewall. Through this connection,
the attacker can send "updates" to the viral code, or get data from the
infected PC.
If you can, check the kind of traffic and the TCP ports at the ends of
the connection. Try to use a sniffer, if you can, to detect the type of
connection and the direction of the traffic.
HTH
-- 
Mario "Reliant" Pascucci
http://ilpettegolo.altervista.org/
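
One way to carry out the check suggested in the reply above, as an added example that is not part of the original post: it reads sniffer output, records which side sent the opening SYN of each session, and lists sessions that an internal host opened to an IRC port. The addresses, the tcpdump-style sample lines and the use of port 6667 as the only IRC port are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("203.0.113.0/24")  # constructed /24 (documentation range)
IRC_PORTS = {6667}  # assumption: default IRC port only; bot controllers may use others

# Constructed "tcpdump -n" style lines; not captured from the network in the thread.
SAMPLE = """\
03:22:01.000001 IP 203.0.113.45.1042 > 198.51.100.7.6667: Flags [S], seq 1, length 0
03:22:01.050000 IP 198.51.100.7.6667 > 203.0.113.45.1042: Flags [S.], seq 9, ack 2, length 0
03:22:01.050100 IP 203.0.113.45.1042 > 198.51.100.7.6667: Flags [.], ack 10, length 0
03:22:02.000000 IP 198.51.100.7.6667 > 203.0.113.45.1042: Flags [P.], seq 10:90, ack 2, length 80
03:22:02.100000 IP 198.51.100.7.6667 > 203.0.113.45.1042: Flags [P.], seq 90:170, ack 2, length 80
03:22:05.000000 IP 192.0.2.9.40000 > 203.0.113.10.25: Flags [S], seq 5, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def summarize(text, internal=INTERNAL):
    """Group packets per (internal endpoint, external endpoint) and note the initiator."""
    conns = defaultdict(lambda: {"initiator": None, "pkts_in": 0, "pkts_out": 0})
    for m in map(LINE.search, text.splitlines()):
        if not m:
            continue  # skip lines that are not TCP packet summaries
        src, sport, dst, dport, flags = m.groups()
        outbound = ipaddress.ip_address(src) in internal
        if outbound:
            inside, outside = (src, sport), (dst, dport)
        else:
            inside, outside = (dst, dport), (src, sport)
        c = conns[(inside, outside)]
        c["pkts_out" if outbound else "pkts_in"] += 1
        # A bare SYN (no ACK) comes from the side that opened the connection.
        if flags == "S" and c["initiator"] is None:
            c["initiator"] = "internal" if outbound else "external"
    return dict(conns)


def suspicious(conns):
    """Sessions opened from inside to an IRC port, however much traffic flows back in."""
    return [k for k, c in conns.items()
            if c["initiator"] == "internal" and int(k[1][1]) in IRC_PORTS]
```

A session reported here with a high `pkts_in` count looks like an external host flooding an internal one, even though the internal host opened it and a stateful firewall is passing the return traffic.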

