Security Basics mailing list archives
RE: DOS Attack?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 29 Nov 2004 09:28:13 -0800
1. If you have "established" in your ACL, it will allow in any TCP packet that doesn't just have the SYN flag set. I've seen nasty traffic send only RST packets to get the traffic past an ACL...

2. DoS attacks often rely on resource starvation, and the easiest resource to consume is bandwidth. If I were to send you more traffic than your pipe could carry, packets would have to be lost -- even if you were dropping all of my traffic when it reached your ACL. And if packets are being dropped at the upstream end of your pipe, there can be good odds that legitimate connections originating from your network never receive their answers....

David Gillett
-----Original Message-----
From: Shawn Wall [mailto:sjwall () shaw ca]
Sent: Wednesday, November 24, 2004 6:23 PM
To: security-basics () securityfocus com
Subject: DOS Attack?

Hi List,

I'm currently experiencing network outages due to what appears to be DOS attacks. I'm running a wireless ISP using a Cisco 2611 and CBAC and I have a /24 public address range. During the outage I can see traffic from a single external host sending thousands of packets to a single internal host. I don't have port 80 inbound open in my ACLs so I don't understand how the external host is even able to contact the internal host to begin with. Secondly, how is it possible for an attack on 1 internal host to cripple the rest of my network? Any feedback would be welcome.

Thanks.
shawn
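The "established" behaviour raised in point 1 of the reply, as an added example that is not part of the original messages: a small Python model comparing a per-packet `established` test with a connection-tracking filter. It assumes the Cisco IOS definition of the keyword (a match when the ACK or RST bit is set); the addresses, ports, packet list and the `StatefulFilter` class are constructed for illustration.

```python
"""Added illustration: stateless 'established' matching vs. stateful tracking."""

SYN, ACK, RST = "SYN", "ACK", "RST"


def established_match(flags):
    # Assumed IOS semantics: a per-packet test, true when ACK or RST is set.
    # No memory of whether an inside host ever opened the connection.
    return ACK in flags or RST in flags


class StatefulFilter:
    """Hypothetical minimal tracker: inbound traffic is accepted only as a
    reply to a flow that an inside host opened with a SYN."""

    def __init__(self):
        self.flows = set()

    def outbound(self, src, sport, dst, dport, flags):
        if SYN in flags and ACK not in flags:
            self.flows.add((src, sport, dst, dport))

    def inbound(self, src, sport, dst, dport, flags):
        # Reverse the tuple: the reply's destination is the original source.
        return (dst, dport, src, sport) in self.flows


def evaluate(packets):
    """Return {label: (stateless_verdict, stateful_verdict)} for inbound packets."""
    fw = StatefulFilter()
    results = {}
    for label, direction, src, sport, dst, dport, flags in packets:
        if direction == "out":
            fw.outbound(src, sport, dst, dport, flags)
        else:
            results[label] = (established_match(flags),
                              fw.inbound(src, sport, dst, dport, flags))
    return results


# Constructed sample traffic using documentation address ranges.
INSIDE, SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.77"
PACKETS = [
    ("client-syn", "out", INSIDE, 40000, SERVER, 80, {SYN}),
    ("server-synack", "in", SERVER, 80, INSIDE, 40000, {SYN, ACK}),
    ("unsolicited-syn", "in", STRANGER, 5555, INSIDE, 80, {SYN}),
    ("unsolicited-rst", "in", STRANGER, 5555, INSIDE, 80, {RST}),
    ("unsolicited-ack", "in", STRANGER, 5555, INSIDE, 80, {ACK}),
]

if __name__ == "__main__":
    for label, (stateless, stateful) in evaluate(PACKETS).items():
        print(f"{label:16} established={stateless!s:5} stateful={stateful}")
```

The unsolicited RST and ACK rows are the ones to watch: the per-packet test passes them, while the tracker drops them because no inside host opened that flow. Neither filter helps with point 2, since the packets have already crossed the upstream link by the time they are evaluated.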