Security Incidents mailing list archives

Re: DOS by Flooding a Network

From: <jlewis () lewis org>
Date: Mon, 17 Jun 2002 17:43:52 -0400 (EDT)

A real provider should be willing to blackhole route the destination
address (assuming the attack is directed at a single IP) so that your
internet connection is not flooded.  If the attack is aimed at randomly
changing IPs on your network, that makes blocking it at the upstream much
more difficult, if possible at all.


On Mon, 17 Jun 2002, Richard Ginski wrote:

This past weekend, we experienced the periodic flooding of our network.
The flooding caused our network to be inaccessible. The traffic has
mainly been ICMP: large quantities of large spoofed packets...similar to
"ping-of-death. Appropriate patching has been applied so the actual
attach does not shut anything down. However, it does succeed in flooding
of our network rendering it inaccessible.

We are trying to figure out a way, if any, to mitigate this attack from
flooding our network in the future. We tried to coordinate with our ISP
upstream but they say they can't do anything....and we feel sending
resets on our end would be useless and ineffective. We are trying to
figure out a way to eliminate the "choke point" or "bottle neck" when
the attacks occur. I feel we should be able to do something better than
just "weathering the storm".


Any suggestions?

TIA

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


-- 
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

DOS by Flooding a Network Richard Ginski (Jun 17)
- Re: DOS by Flooding a Network jlewis (Jun 17)
  - New script-kiddie looking scan Jeff Kell (Jun 18)
    - Re: New script-kiddie looking scan Luis Bruno (Jun 18)
    - Re: New script-kiddie looking scan zeno (Jun 18)
    - Re: New script-kiddie looking scan Chris Ess (Jun 18)
    - Re: New script-kiddie looking scan Alain Fauconnet (Jun 18)
    - Re: New script-kiddie looking scan Steffen Dettmer (Jun 19)
    - Re: New script-kiddie looking scan Russell Fulton (Jun 18)
- Re: DOS by Flooding a Network Skip Carter (Jun 17)
- Re: DOS by Flooding a Network W.G. Iyer (Jun 17)
  - Re: DOS by Flooding a Network Vitaly Osipov (Jun 18)

(Thread continues...)