Dailydave mailing list archives

Re: nkiller2


From: Michael Graham <jmgraham () gmail com>
Date: Thu, 11 Jun 2009 14:05:03 -0400

OK, after a few minutes with this I'm not sure you can efficiently do much
about it outside of a complex IPS watching for and killing connections that
send too many "windows size 0" in response to probes from your server, and
then hopefully blocking the IP entirely.

On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham <jmgraham () gmail com> wrote:

filter on Windows size = 0 and total connections to a host from a host
through whatever you're using for a stateful firewall


On Thu, Jun 11, 2009 at 11:39 AM, dave <dave () immunityinc com> wrote:

http://www.phrack.org/issues.html?issue=66&id=9#article

Is it just me or can pretty much every web site in the world get turned
off now?

I guess you could use iptables to drop the Window Size 0 packets?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
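
The detection idea raised in this thread (count repeated zero-window responses per connection, then count such connections per source host), sketched as an added example that is not part of the original messages. The record layout, thresholds, function name and addresses are constructed assumptions; input is assumed to be already-parsed ACK segments received by the server.

```python
from collections import defaultdict

# Constructed sample records: (timestamp, src_ip, src_port, dst_port, tcp_window)
SAMPLE = []
for port in (40001, 40002, 40003):
    # One source holding several connections at window 0 across three probes.
    SAMPLE += [(t, "192.0.2.10", port, 80, 0) for t in (1.0, 6.0, 16.0)]
# A slow but legitimate client: window closes, then reopens.
SAMPLE += [(t, "198.51.100.7", 51000, 80, w)
           for t, w in ((1.0, 0), (6.0, 0), (16.0, 0), (20.0, 8192))]
# A single stalled connection from one source: below the per-host threshold.
SAMPLE += [(t, "203.0.113.5", 33000, 80, 0) for t in (2.0, 7.0, 17.0)]


def find_zero_window_sources(segments, min_zero_acks=3, min_stalled_conns=2):
    """Return {src_ip: stalled_connection_count} for sources worth blocking.

    A connection counts as stalled when its most recent ACKs form a run of
    at least min_zero_acks zero-window advertisements. A source is reported
    when it holds at least min_stalled_conns such connections.
    """
    streak = defaultdict(int)  # (src_ip, src_port, dst_port) -> current run
    for _ts, src, sport, dport, window in sorted(segments):
        key = (src, sport, dport)
        if window == 0:
            streak[key] += 1
        else:
            streak[key] = 0  # window reopened: ordinary flow control

    stalled = defaultdict(int)
    for (src, _sport, _dport), run in streak.items():
        if run >= min_zero_acks:
            stalled[src] += 1
    return {src: n for src, n in stalled.items() if n >= min_stalled_conns}


if __name__ == "__main__":
    for src, count in find_zero_window_sources(SAMPLE).items():
        print(f"{src}: {count} connections stuck at window 0")
```

Requiring both a per-connection run and a per-host count keeps a single slow reader from being blocked, which is the false-positive risk of dropping every zero-window packet outright.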


