Security Incidents mailing list archives
Re: DoS attack... what to do?
From: "Bernie Cosell" <bernie () fantasyfarm com>
Date: Tue, 04 Jan 2005 18:04:03 -0500
On 4 Jan 2005 at 16:44, Mark C wrote:
> 1) Netsky's 5556 is TCP, so I'd fire up netcat or something and see if actual 3-way handshakes happen. If yes, then it's much less likely that it's someone out in the world spoof SYNflooding you. If no, then I'd treat this as a SYNflood and trace backwards through the ISP, you'll probably find it's coming from far fewer sources than you think.
How do you do this? If the packets coming in have forged source-IP addresses, how do you trace them backwards?

  /Bernie\

--
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie () fantasyfarm com     Pearisburg, VA
    -->  Too many people, too few sheep  <--
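The handshake check in the quoted advice, sketched as an added example (not part of the original thread): it counts half-open versus completed connections on one port from Linux `ss -tan` output. The sample output, function names and thresholds are assumptions made up for illustration.

```python
from collections import Counter

# Constructed sample of `ss -tan` output (documentation addresses, not real traffic).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:5556        0.0.0.0:*
SYN-RECV  0      0      192.0.2.10:5556     198.51.100.7:40112
SYN-RECV  0      0      192.0.2.10:5556     198.51.100.91:1044
SYN-RECV  0      0      192.0.2.10:5556     203.0.113.200:62001
SYN-RECV  0      0      192.0.2.10:5556     203.0.113.14:3391
ESTAB     0      0      192.0.2.10:5556     203.0.113.5:51234
ESTAB     0      0      192.0.2.10:22       198.51.100.20:50022
"""

# SYN-RECV: we answered a SYN with SYN/ACK but the final ACK never arrived.
HALF_OPEN = {"SYN-RECV"}
# Any of these states means the 3-way handshake completed at some point.
COMPLETED = {"ESTAB", "CLOSE-WAIT", "FIN-WAIT-1", "FIN-WAIT-2",
             "TIME-WAIT", "LAST-ACK", "CLOSING"}


def handshake_summary(ss_output, port):
    """Count half-open and completed connections on a local TCP port."""
    half_open = completed = 0
    peers = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or malformed line
        state, local, peer = fields[0], fields[3], fields[4]
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        if state in HALF_OPEN:
            half_open += 1
            peers[peer.rsplit(":", 1)[0]] += 1
        elif state in COMPLETED:
            completed += 1
    return {"half_open": half_open, "completed": completed,
            "half_open_peers": len(peers)}


def looks_like_syn_flood(summary, min_half_open=4, ratio=3.0):
    """Heuristic with assumed thresholds: many half-open sockets and few
    completed handshakes suggests SYNs whose senders never answer."""
    return (summary["half_open"] >= min_half_open
            and summary["half_open"] >= ratio * max(summary["completed"], 1))


if __name__ == "__main__":
    s = handshake_summary(SAMPLE_SS, 5556)
    print(s, "possible SYN flood:", looks_like_syn_flood(s))
```

The peer addresses counted for half-open sockets are only what the packets claim; if they are forged, the count says nothing about the real number of senders.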