Security Basics mailing list archives

RE: DOS Attack?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 29 Nov 2004 10:48:11 -0800

  It's awkward.  For efficiency, you'd like "established" to be
as close to the top of the list as possible.  To block this kind
of traffic, you need to block it ahead of the "established".
  The only/correct solution is to use a "real" stateful firewall,
instead of just a packet filter.

David Gillett


-----Original Message-----
From: Shawn Wall [mailto:sjwall () shaw ca]
Sent: Monday, November 29, 2004 10:05 AM
To: gillettdavid () fhda edu
Subject: RE: DOS Attack?


Hi David. Thanks for your reply. I wanted to follow up on point number 1. In fact, this is exactly the type of traffic I see during the outage. Do you know of a way to defeat this? Thanks.

shawn 

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Monday, November 29, 2004 10:28 AM
To: 'Shawn Wall'; security-basics () securityfocus com
Subject: RE: DOS Attack?

1.  If you have "established" in your ACL, it will allow in any TCP packet that doesn't just have the SYN flag set.  I've seen nasty traffic send only RST packets to get the traffic past an ACL...

2.  DoS attacks often rely on resource starvation, and the easiest resource to consume is bandwidth.  If I were to send you more traffic than your pipe could carry, packets would have to be lost -- even if you were dropping all of my traffic when it reached your ACL.  And if packets are being dropped at the upstream end of your pipe, there can be good odds that legitimate connections originating from your network never receive their answers....

David Gillett


-----Original Message-----
From: Shawn Wall [mailto:sjwall () shaw ca]
Sent: Wednesday, November 24, 2004 6:23 PM
To: security-basics () securityfocus com
Subject: DOS Attack?


Hi List,

I'm currently experiencing network outages due to what appears to be DOS attacks. I'm running a wireless ISP using a Cisco 2611 and CBAC and I have a /24 public address range. During the outage I can see traffic from a single external host sending thousands of packets to a single internal host. I don't have port 80 inbound open in my ACLs so I don't understand how the external host is even able to contact the internal host to begin with.

Secondly, how is it possible for an attack on 1 internal host to cripple the rest of my network? Any feedback would be welcome. Thanks.

shawn
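The behaviour David describes in point 1 (a stateless "established" ACL passing any TCP segment with ACK or RST set, while a stateful firewall only admits replies to connections it saw leave) can be reproduced with a small simulation. The following Python is an added illustration written for this archive page, not code from either poster or from Cisco; the packet layout, the addresses (RFC 5737 documentation ranges) and the `StatefulFilter` class are simplified models constructed for the example, not a description of how CBAC is implemented.

```python
"""Compare a stateless 'established' ACL match with a simple stateful filter.

Added example; the traffic below is constructed, not captured from any network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def established_permits(pkt: Packet) -> bool:
    """Model of 'permit tcp any any established' on a packet filter.

    The keyword matches whenever the ACK or RST bit is set, with no memory of
    earlier packets, so a bare-SYN fails but a bare-RST passes.
    """
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Toy stateful filter (assumption: a simplified model, not CBAC itself).

    Outbound SYNs create a session entry; an inbound packet is accepted only if
    it belongs to a session that was opened from the inside.
    """

    def __init__(self) -> None:
        self._sessions: set[tuple[str, int, str, int]] = set()

    def see_outbound(self, pkt: Packet) -> None:
        # Only a client SYN (no ACK) opens a new session entry.
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self._sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        # Inbound tuple is the mirror image of the outbound one.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._sessions


def build_sample_traffic() -> tuple[list[Packet], list[Packet]]:
    """Constructed traffic: one real web session plus a flood of RST-only packets."""
    internal, web_server, flood_src = "192.0.2.10", "198.51.100.5", "203.0.113.77"
    outbound = [Packet(internal, 40001, web_server, 80, frozenset({"SYN"}))]
    inbound = [Packet(web_server, 80, internal, 40001, frozenset({"SYN", "ACK"}))]
    # Thousands of RST-only segments aimed at an internal host on port 80,
    # which is not open inbound in the ACL but is reached via 'established'.
    inbound += [
        Packet(flood_src, 5000 + i, internal, 80, frozenset({"RST"}))
        for i in range(1000)
    ]
    return outbound, inbound


def compare_filters() -> tuple[int, int]:
    """Return (packets the ACL admits, packets the stateful filter admits)."""
    outbound, inbound = build_sample_traffic()
    acl_admitted = sum(established_permits(p) for p in inbound)

    stateful = StatefulFilter()
    for p in outbound:
        stateful.see_outbound(p)
    stateful_admitted = sum(stateful.inbound_permits(p) for p in inbound)
    return acl_admitted, stateful_admitted


if __name__ == "__main__":
    acl, stateful = compare_filters()
    print(f"'established' ACL admitted {acl} of 1001 inbound packets")
    print(f"stateful filter admitted  {stateful} of 1001 inbound packets")
```

Running it shows the ACL admitting the legitimate SYN/ACK plus all 1000 RST-only packets, while the stateful filter admits only the SYN/ACK that answers the session it saw open. The simulation also makes David's second point concrete: the 1000 dropped packets were still counted, i.e. they still crossed the link before being discarded, so the filter choice fixes the reachability problem but not the bandwidth one.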