From: Josh Brooks
To: freebsd-net@freebsd.org
Subject: What is my next step as a script kiddie ? (DDoS)
Date: Thu, 9 Jan 2003 10:21:52 -0800 (PST)
Message-ID: <20030109101652.E78856-100000@mail.econolodgetulsa.com>

Hello,

With the help of people in this group I have largely solved my problems - by simply placing in rules to drop all packets except the ones going to ports/services that are actually in use on the destination, I have found that even during a large attack (the kinds that used to cripple me) I have no problems at all - a lot of packets simply get dropped and that's that.

But, I am concerned ... I am concerned that the attacks will simply change/escalate to something else. If I were a script kiddie, and I suddenly saw that all of my garbage packets to nonexistent ports were suddenly being dropped, and say I nmap'd the thing and saw that those ports were closed - what would my next step be ?
Prior to this the attacks were very simply a big SYN flood to random ports on the victim, and because of the RSTs etc., all this traffic to nonexistent ports flooded the firewall off.

So what do they do next ? What is the next step ? The next level of sophistication to get around the measures I have put into place (that have been very successful - I have an attack ongoing as I write this, and it isn't hurting me at all) ?

-------

I am hoping that the answer is "same attack, but bigger - more bandwidth, in an attempt to saturate your pipe" because the victims are low profile enough that it is unlikely enough people could pool enough resources to make this happen.

But then again, maybe there is something sophisticated that a small attacker could do - and that is what I am trying to figure out and prevent before it happens.

thanks!
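As an added, defender-side example (not part of the original post or of any FreeBSD tool): a small Python routine that reads firewall deny logs in an assumed ipfw-style "Deny TCP" line format, using constructed sample lines, and flags sources that spray SYNs at many distinct unused ports. That is exactly the traffic the poster's default-deny rules now drop, and counting it per source is a cheap way to see a flood building before it is big enough to matter.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). The line layout imitates
# an ipfw(8) "Deny" log entry, but the exact format is an assumption here.
SAMPLE_LOG = """\
Jan  9 10:21:50 fw kernel: ipfw: 65000 Deny TCP 10.9.9.1:4001 192.0.2.10:1234 in via fxp0
Jan  9 10:21:50 fw kernel: ipfw: 65000 Deny TCP 10.9.9.1:4002 192.0.2.10:7771 in via fxp0
Jan  9 10:21:51 fw kernel: ipfw: 65000 Deny TCP 10.9.9.1:4003 192.0.2.10:33 in via fxp0
Jan  9 10:21:51 fw kernel: ipfw: 65000 Deny TCP 10.9.9.1:4004 192.0.2.10:9123 in via fxp0
Jan  9 10:21:52 fw kernel: ipfw: 65000 Deny TCP 10.9.9.1:4005 192.0.2.10:2222 in via fxp0
Jan  9 10:21:52 fw kernel: ipfw: 65000 Deny TCP 10.9.9.1:4006 192.0.2.10:51000 in via fxp0
Jan  9 10:21:52 fw kernel: ipfw: 65000 Deny TCP 198.51.100.7:50000 192.0.2.10:113 in via fxp0
Jan  9 10:21:53 fw kernel: ipfw: 65000 Deny TCP 10.9.9.1:4007 192.0.2.10:60 in via fxp0
"""

# Pull the source address and the destination port out of each denied TCP line.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny TCP (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_denies(text):
    """Yield (src_ip, dst_port) for every denied TCP packet in the log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dport"))


def flood_sources(text, min_distinct_ports=5):
    """Return {src_ip: number of distinct closed ports hit} for sources that
    touched at least min_distinct_ports different unused ports. A single
    source hitting one closed port is noise; one hitting dozens is the
    random-port SYN flood the post describes."""
    ports_by_src = defaultdict(set)
    for src, dport in parse_denies(text):
        ports_by_src[src].add(dport)
    return {s: len(p) for s, p in ports_by_src.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    for src, count in flood_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct closed ports")  # 10.9.9.1: 7 distinct closed ports
```

Run it over the real deny log with a short time window added if the volume is high; the threshold is a knob, not a fact about the traffic.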