Vulnerability Development mailing list archives

Re: Automatic Retaliation contra DoS


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Thu, 25 May 2000 14:29:11 +0200


sigipp () WELLA COM BR wrote:

> Hi,
>
> My idea was not a retaliation of type attacking your machine. Not even closing
> the door. Simply throttling down (simulating line congestion for the
> attacker). There would be nothing significantly in your firewall logs, or
> even nothing. It would be simply that an increasing percentage of your
> (the attackers) packets will get lost. Nothing more. The maximum you would
> find in your firewall logs is an icmp message of type "host unreachable"
> of some intermediate router.


I know I'm late into this thread (haven't been keeping up with my list
subscriptions again. agh) but I feel I have to say this much:

Cutting off someone as a result of a probe, or even decreasing their
throughput, may lead to serious problems. What if I launch a spoofed
attack against you and claim to be a bunch of the top level DNS
servers? (Owie!)

Granted, only doing this if you confirm a full TCP connect reduces
the risks of DoSing yourself. IF your server OS has good sequence
number randomization, or if your firewall provides it for you.

A point of interest: Watchguard blocks "attackers" by default,
and if you disable this "protection", you open yourself up
to DoS since its proxies are WAY over-sensitive without the block.

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
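To illustrate the point Mike makes above, here is an added example (not part of the original post, and not code from any product mentioned) that simulates two auto-throttling policies: a naive one that penalises any source seen probing, and one that only counts sources that completed a TCP handshake and exempts a configured allowlist of infrastructure the site depends on. All addresses are constructed from the documentation ranges.

```python
"""Simulated auto-throttle decision policies (constructed example).

naive_policy:     throttles any source address seen THRESHOLD times; a spoofed
                  SYN flood with a forged source can make it throttle anyone.
handshake_policy: counts only sources that completed the TCP handshake (so
                  they demonstrably receive our packets) and never throttles
                  the allowlist. The handshake check is only meaningful if the
                  server's initial sequence numbers are hard to guess.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src: str              # claimed source address of the probe
    handshake_done: bool  # True only if the full three-way handshake completed


# Constructed sample values from RFC 5737 documentation ranges, not real hosts.
CRITICAL_ALLOWLIST = {"192.0.2.53"}  # e.g. the DNS servers this site relies on
THRESHOLD = 3                        # probes from one source before throttling


def naive_policy(probes):
    """Throttle every source seen THRESHOLD or more times, however it was seen."""
    counts = defaultdict(int)
    for p in probes:
        counts[p.src] += 1
    return {src for src, n in counts.items() if n >= THRESHOLD}


def handshake_policy(probes):
    """Count only handshake-confirmed probes and exempt critical infrastructure."""
    counts = defaultdict(int)
    for p in probes:
        if p.handshake_done and p.src not in CRITICAL_ALLOWLIST:
            counts[p.src] += 1
    return {src for src, n in counts.items() if n >= THRESHOLD}


def demo():
    """Constructed scenario: spoofed SYN-only probes forged to look like our DNS
    server, plus a scanner that really did complete connections."""
    spoofed = [Probe("192.0.2.53", False)] * 5
    confirmed = [Probe("198.51.100.7", True)] * 4
    probes = spoofed + confirmed
    return naive_policy(probes), handshake_policy(probes)


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive would throttle:", sorted(naive))
    print("handshake policy would throttle:", sorted(hardened))
```

The naive policy ends up throttling the forged DNS address, which is exactly the self-inflicted DoS described above; the handshake-gated policy throttles only the source that proved it could complete a connection.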


