On Mon, 8 Apr 1996, David Schiffrin wrote:
> One of my customers (a small isp) suffered an attack recently. Aside from
> turning off services which these hosts provide to the net, or blocking those
> packets at the router, I am at a loss. I'd appreciate any suggestions.
>
> More specifically, the web, inbound SMTP, and POP servers were each flooded
> by SYN packets from the 'net on the services' respective ports, thus denying
> legitimate users access to these services. I filtered some, and changed
> DNS/IP addresses for others, but I'm not sure (without dynamic packet filter
> rules) how to address this long-term. These solutions only worked because
> the attacker began the attack (maybe checked it for effectiveness) and
> seemed to leave it running unattended. Obviously the web and SMTP servers
> need to be accessible to the outside, but how do I make this better?
>
> BTW hosts from a variety of assigned and unassigned networks appeared to be
> the source addresses, and all hosts were/are unreachable from any
> net-access. Could/should the 'wall be doing a ping-check back at connecting
> hosts?.....
A client of mine also recently experienced one of these attacks. I'm not
sure how to block them either, except to do a "ping-check" as mentioned
above to at least weed out the nonexistent hosts (the attacks occurred
from addresses like 12.34.56.78 and 31.3.3.37...sigh).
Please respond via private email if possible.
TIA,
shag
Judd Bourgeois      | When we are planning for posterity,
shagboy@thecia.net  | we ought to remember that virtue is
Finger for PGP key  | not hereditary. Thomas Paine
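One way to put numbers on what the two posters describe (many SYNs on a service port that never complete a handshake, from sources that are unreachable or in unallocated space), as an added example that is not from either poster: a per-port half-open tally plus a check of each source against a constructed list of address blocks that cannot be legitimate. The event format, the threshold and the bogon blocks are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed list of blocks that should never be a source on the public net.
# A real deployment would use a maintained bogon/unallocated-prefix list.
BOGON_NETS = [ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]

def is_bogon(src):
    """True if src falls in a block that cannot appear on the public net."""
    return any(ip_address(src) in net for net in BOGON_NETS)

def syn_flood_report(events, threshold=10):
    """events: (src_ip, dst_port, stage) with stage 'SYN' (first packet seen)
    or 'EST' (three-way handshake completed). Returns {port: stats} for
    every port whose half-open count (SYNs minus completions) reaches
    threshold, with source-dispersion and bogon counts for context."""
    syns = defaultdict(int)
    established = defaultdict(int)
    sources = defaultdict(set)
    bogon_srcs = defaultdict(set)
    for src, port, stage in events:
        if stage == "SYN":
            syns[port] += 1
            sources[port].add(src)
            if is_bogon(src):
                bogon_srcs[port].add(src)
        elif stage == "EST":
            established[port] += 1
    report = {}
    for port, n in syns.items():
        half_open = n - established[port]
        if half_open >= threshold:
            report[port] = {"half_open": half_open,
                            "distinct_sources": len(sources[port]),
                            "bogon_sources": len(bogon_srcs[port])}
    return report

# Constructed sample: port 25 sees 12 SYNs from 12 different sources (one in
# 10/8) and no completed handshakes; port 80 sees three normal connections.
SAMPLE = [(f"12.34.56.{i}", 25, "SYN") for i in range(10)]
SAMPLE += [("31.3.3.37", 25, "SYN"), ("10.1.2.3", 25, "SYN")]
SAMPLE += [("192.0.2.10", 80, "SYN"), ("192.0.2.10", 80, "EST"),
           ("192.0.2.11", 80, "SYN"), ("192.0.2.11", 80, "EST"),
           ("192.0.2.12", 80, "SYN"), ("192.0.2.12", 80, "EST")]

if __name__ == "__main__":
    print(syn_flood_report(SAMPLE))
```

A high half-open count with many distinct, never-completing sources is the SYN-flood signature; a non-zero bogon count is the cheapest ingress filter to add at the router, since those sources can be dropped without any reply probe.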