RE: DOS Attack?

["David Gillett" <gillettdavid () fhda edu>]

1.  If you have "established" in your ACL, it will allow in any TCP
packet that doesn't just have the SYN flag set.  I've seen nasty 
traffic send only RST packets to get the traffic past an ACL...

2.  DoS attacks often rely on resource starvation, and the easiest
resource to consume is bandwidth.  If I were to send you more traffic 
than your pipe could carry, packets would have to be lost -- even if 
you were dropping all of my traffic when it reached your ACL.  And 
if packets are being dropped at the upstream end of your pipe, there
can be good odds that legitimate connections originating from your 
network never receive their answers....

David Gillett


> -----Original Message-----
> From: Shawn Wall [mailto:sjwall () shaw ca]
> Sent: Wednesday, November 24, 2004 6:23 PM
> To: security-basics () securityfocus com
> Subject: DOS Attack?
>
>
> Hi List,
>
> I'm currently experiencing network outages due to what 
> appears to be DOS
> attacks. I'm running a wireless ISP using a Cisco 2611 and 
> CBAC and I have a
> /24 public address range. During the outage I can see traffic 
> from a single
> external host sending thousands of packets to a single 
> internal host. I
> don't have port 80 inbound open in my ACLs so I don't 
> understand how the
> external host is even able to contact the internal host to begin with.
> Secondly, how is it possible for an attack on 1 internal host 
> to cripple the
> rest of my network? Any feedback would be welcome. Thanks.
>
> shawn
>