Security Basics mailing list archives
RE: DOS Attack?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 29 Nov 2004 10:48:11 -0800
It's awkward. For efficiency, you'd like "established" to be as close to the top of the list as possible. To block this kind of traffic, you need to block it ahead of the "established". The only/correct solution is to use a "real" stateful firewall, instead of just a packet filter. David Gillett
-----Original Message----- From: Shawn Wall [mailto:sjwall () shaw ca] Sent: Monday, November 29, 2004 10:05 AM To: gillettdavid () fhda edu Subject: RE: DOS Attack? Hi David. Thanks for your reply. I wanted to follow up with on point number 1. In fact, this is exactly the type of traffic I see during the outage. Do you know of a way to defeat this? Thanks. shawn -----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: Monday, November 29, 2004 10:28 AM To: 'Shawn Wall'; security-basics () securityfocus com Subject: RE: DOS Attack? 1. If you have "established" in your ACL, it will allow in any TCP packet that doesn't just have the SYN flag set. I've seen nasty traffic send only RST packets to get the traffic past an ACL... 2. DoS attacks often rely on resource starvation, and the easiest resource to consume is bandwidth. If I were to send you more traffic than your pipe could carry, packets would have to be lost -- even if you were dropping all of my traffic when it reached your ACL. And if packets are being dropped at the upstream end of your pipe, there can be good odds that legitimate connections originating from your network never receive their answers.... David Gillett-----Original Message----- From: Shawn Wall [mailto:sjwall () shaw ca] Sent: Wednesday, November 24, 2004 6:23 PM To: security-basics () securityfocus com Subject: DOS Attack? Hi List, I'm currently experiencing network outages due to whatappears to beDOS attacks. I'm running a wireless ISP using a Cisco 2611 and CBAC and I have a /24 public address range. During the outage I can seetraffic from asingle external host sending thousands of packets to asingle internalhost. I don't have port 80 inbound open in my ACLs so I don't understand how the external host is even able to contactthe internalhost to begin with. Secondly, how is it possible for an attack on 1 internal host to cripple the rest of my network? Any feedback would bewelcome. Thanks.shawn
Current thread:
- DOS Attack? Shawn Wall (Nov 26)
- Re: DOS Attack? Suramya Tomar (Nov 26)
- Re: DOS Attack? Mario Pascucci (Nov 27)
- Re: DOS Attack? Juan Carlos Jimenez Jamett (Nov 27)
- Re: DOS Attack? Anthony Boynes (Nov 27)
- RE: DOS Attack? David Gillett (Nov 29)
- <Possible follow-ups>
- RE: DOS Attack? David Gillett (Nov 29)
- RE: DOS Attack? Andrew Shore (Nov 29)