Vulnerability Development mailing list archives

Re: DoS Local machines


From: sigipp () WELLA COM BR (sigipp () WELLA COM BR)
Date: Mon, 8 May 2000 10:24:05 -0300


Hi,

Well, assume you may be able to automatically detect attacks. Then how do you
identify the attackers? With their IP addresses? May be spoofed. With the
MAC address? May be spoofed too (although not so easily). Well, maybe you could
additionally check the MAC table of your switch to verify at least that the
attacking machine with MAC address X is connected to the port of the switch
which it is supposed to be on. But what if one attacks his neighbour's computer, connected
to the same switch port? Is there a possibility to identify a host through any
MIB of an SNMP-enabled hub? I don't know, but this would be the only way to
definitely identify at least the connection. Then you might simply disable that
hub port (via SNMP).

Just assume this: I really hate someone, and so I'm spoofing an attack from his
machine. I only have to wait a second for your script to react, and this fellow
will not only be disconnected and get his machine shut down (or something like
that), he will also have to prove that he's innocent. And if he's not a security
specialist, this might be very hard (maybe a way to get rid of the CEO?). So
I'd recommend being very careful with this kind of action. The maximum action
I'd consider doing automatically would be shutting down the hub port.

Greetings
Siegfried Gipp

