In some mail from William S. Duncanson, sie said:
>
> At the time that I was made aware of the attack by the server's
> administrator, and started monitoring the traffic on the router, we were
> getting about 20 SYNs per second from such improbable addresses as
> 0.122.205.10 and 255.96.127.33. These are just from the 20-25 seconds that
> I actually tee'd the tcpdump, and occurred within less than a second of each
> other. Noticing those two was how I confirmed the administrator's suspicion
> that there was source address spoofing going on.
Hmmm, if the addresses are truly random, a number can be dropped without
any trouble:
deny proto tcp src 224.0.0.0/3 dst any
(or whatever the equivalent for your access list is)
Multicast TCP doesn't exist, and anything above that isn't assigned.
I don't know how many class A networks are still in use (35, 18...) but
depending on the number, it may be viable to set up a rule like
deny proto tcp src 0.0.0.0/1 dst any
and create other access lists for the smaller networks to get in, if that
is part of your default access list.
Darren
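To see what the two deny rules above would catch, here is an added example (not part of the original thread) that runs them against a few constructed tcpdump-style lines containing the addresses quoted in the mail. The capture lines and the rule-matching helpers are assumptions for illustration, not output from the original incident.

```python
"""Offline check of spoofed-source SYNs against the ACL rules from the mail.

Added example: parses constructed tcpdump-style lines, extracts the source
address of each SYN, and reports which deny rule would have dropped it.
"""
import ipaddress
import re

# Rules as written in the mail: 224.0.0.0/3 (multicast and unassigned space),
# and the optional, much broader 0.0.0.0/1 (the low half of class A space).
DENY_RULES = [
    ("deny proto tcp src 224.0.0.0/3 dst any", ipaddress.ip_network("224.0.0.0/3")),
    ("deny proto tcp src 0.0.0.0/1 dst any", ipaddress.ip_network("0.0.0.0/1")),
]

# Matches "src.port > dst.port:" in tcpdump output; the SYN flag is printed
# as "Flags [S]" by current tcpdump and as a bare " S " by older versions.
_SYN_LINE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: (?:Flags \[S\]| S )")

# Constructed sample capture (not real data), using the addresses from the mail.
SAMPLE_TCPDUMP = """\
12:00:00.100 IP 0.122.205.10.4021 > 192.0.2.25.80: Flags [S], seq 1, win 512
12:00:00.300 IP 255.96.127.33.1333 > 192.0.2.25.80: Flags [S], seq 2, win 512
12:00:00.500 IP 198.51.100.7.51234 > 192.0.2.25.80: Flags [S], seq 3, win 8192
12:00:00.700 IP 198.51.100.7.51234 > 192.0.2.25.80: Flags [.], ack 1, win 8192
"""


def match_rule(src):
    """Return the text of the first deny rule covering src, or None if none does."""
    addr = ipaddress.ip_address(src)
    for text, net in DENY_RULES:
        if addr in net:
            return text
    return None


def classify_syns(capture):
    """Map each SYN source address in the capture to the rule that drops it (or None)."""
    result = {}
    for line in capture.splitlines():
        m = _SYN_LINE.search(line)
        if m:  # only SYN segments are of interest; the ACK on the last line is skipped
            result[m.group("src")] = match_rule(m.group("src"))
    return result


if __name__ == "__main__":
    for src, rule in classify_syns(SAMPLE_TCPDUMP).items():
        print(f"{src:16} -> {rule or 'passes both rules'}")
```

Note that 198.51.100.7 passes both rules: the broad 0.0.0.0/1 rule only helps against the low half of the address space, which is why the mail suggests separate access lists for the networks that still need to get in.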