Security Incidents mailing list archives

Re: DoS attack... what to do?

From: "Bernie Cosell" <bernie () fantasyfarm com>
Date: Tue, 04 Jan 2005 18:04:03 -0500

On 4 Jan 2005 at 16:44, Mark C wrote:

1) Netsky's 5556 is TCP, so I'd fire up netcat or something and see if 
actual 3-way handshakes happen.  If yes, then it's much less likely that 
it's someone out in the world spoof SYNflooding you.  If no, then I'd 
treat this as a SYNflood and trace backwards through the ISP, you'll 
probably find it's coming from far fewer sources than you think.


How do you do this?  If the packets coming in have forged source-IP 
addresses, how do you trace them backwards?

  /Bernie\

-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie () fantasyfarm com     Pearisburg, VA
    -->  Too many people, too few sheep  <--

Current thread:

DoS attack... what to do? Nigel Kukard (Jan 04)
- Re: DoS attack... what to do? falcon (Jan 04)
- Re: DoS attack... what to do? Faisal Khan (Jan 04)
- Re: DoS attack... what to do? Mark C (Jan 04)
  - Re: DoS attack... what to do? Bernie Cosell (Jan 04)
    - Re: DoS attack... what to do? Jose Nazario (Jan 05)
- <Possible follow-ups>
- RE: DoS attack... what to do? Shaffer, Bruce (Jan 04)
  - Re: DoS attack... what to do? Steve Friedl (Jan 04)
    - RE: DoS attack... what to do? Craig Skelton (Jan 05)
    - Re: DoS attack... what to do? Alvin Oga (Jan 05)
    - Re: DoS attack... what to do? Valdis . Kletnieks (Jan 07)
    - Re: DoS attack... what to do? Paul Laudanski (Jan 05)
    - Re: DoS attack... what to do? easternerd (Jan 13)
- RE: DoS attack... what to do? Drumm, Daniel (Jan 05)
- Re: DoS attack... what to do? Fergie (Paul Ferguson) (Jan 13)