Firewall Wizards mailing list archives

Re: Recent Attacks


From: blyonpop () theshell com
Date: 23 Feb 2000 09:21:57 -0000

On Fri, 18 Feb 2000, Randy B. Samos wrote:

> From: "Barrett G. Lyon" <blyon () theshell com>
>
> *snip*
>
> > Is my network disrupted by this attack, and if so should I remove
> > whatever it is that the attacker wants offline?  If by removing the
> > target will the attacker stop and if so will this keep my other
> > services online?   [ I have found by removing the target the attacker
> > stops nearly immediately. ]
>
> *snip*
>
> Hmmm. If the object of the attack was a DOS, wouldn't you be helping the
> attacker reach his/her goals by taking the machine down yourself?

Yes, this is the general idea.  If the DoS attack is saturating the
bandwidth that many other services depend on, perhaps it is a good idea to
have the service that is under attack offline in order to save the
rest?  A good example would be that if someone is attacking a customer's web
site, it may be feasible to take that web site temporarily offline in the
hopes that the attacker will stop the attack.  I would consider this a
better alternative than having all customers offline.  Granted, this is not
something you do in all cases, but it can help in some events.

In non-spoofed attacks it is also handy because if the target system
is not reachable then some sort of ICMP unreachable will be sent back to
the attacking host possibly ending the attack.

-Barrett



Barrett G. Lyon
(NJS) Network Janitor Specialist 
Have fun: www.AlphaLinux.org

[Q]: Hey, do they test this stuff before it's released?  
[A]: Sure they do... "It compiles, it's ready!"


