Date: Tue, 28 Mar 2000 22:15:09 -0600
From: Troy Kittrell <troyk@basspro.com>
To: "Daniel O'Callaghan" <danny@FreeBSD.ORG>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: DoS attacks
Message-ID: <38E1834D.C42B409C@basspro.com>
References: <Pine.BSF.4.10.10003291232030.24830-100000@enya.clari.net.au>
I've searched high and low for technical reports myself, not only from the perspective of reacting to an attack of this nature but attempting to prevent the attack. Results be nada. www.securityfocus.com offers some interesting downloads of software that scans a system for software that is probably one of the malicious clients in a DoS attack, but I've yet to find a technical document that presents a solution that prevents the attack.

I've also been going through an analysis of our own primary firewall solution (in hopes of finding a more robust product) and have found that vendors seem to answer this (DoS) problem with hardware that can handle more connections than can be "faked" through your bandwidth.

It's just my opinion, but I don't think there is a pre-emptive answer for DoS attacks other than doing everything you can to make sure that (your) routers are configured not to be influenced by outside sources. One serious problem I myself have realized is that AOL, with its wondermous proxy project, can send so many users to our site at once that, from a single IP address, for all outward appearances it could possibly be an attack. The DoS attack can't, AFAIK, be specifically identified and blocked. Hence the recent approach from vendors that I've noticed is to provide maximum over-kill on (firewalling/load-balancing) devices that can handle the trin00, tribal flood network, stacheldraht (?sp) or distributed smurf attack. The over-kill is in that it can handle so many "hung" socket connections that normal traffic can still get through. Will it work? Only time will tell...

Daniel O'Callaghan wrote:

> Does anyone know a URL for technical info on the recent DoS on Yahoo! etc.
> The reports I've found all refer to "floods of packets", but don't say
> whether they were TCP SYN or SYN/ACK or what.
>
> GlobalCenter, who look after the Yahoo! facilities managed to do something
> to quell the attack, but it took them a few hours. Anyone know what they
> did? I use GlobalCenter Melbourne, myself, so I'll ask the techs there if
> they can find out, too.
>
> Can anyone share the steps they have taken to limit the effect of these
> attacks on their own facilities.
>
> Thanks,
>
> Danny
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
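The two observations above (a proxy such as AOL's that opens many legitimate connections from one address, versus a flood of "hung" half-open sockets that exhausts the listen queue) can be told apart on the server itself by looking at TCP connection states. The following script is an added example, not code from this thread or from any FreeBSD tool: it parses constructed lines in the layout of FreeBSD `netstat -an` TCP output, counts half-open (SYN_RCVD) versus ESTABLISHED connections per remote host, and reports both the hosts with many half-open connections and the overall half-open ratio. The sample data, the state names accepted and the threshold of five half-open connections per host are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of FreeBSD `netstat -an` TCP lines (not real data).
# 198.51.100.7 plays the busy proxy (many completed handshakes); 203.0.113.5 leaves
# many handshakes half-open; the 203.0.113.2x hosts each leave one half-open, the
# pattern a flood with spoofed source addresses produces.
SAMPLE_NETSTAT = """\
tcp4       0      0  192.0.2.10.80          198.51.100.7.40001    ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.40002    ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.40003    ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.40004    ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.40005    ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.40006    ESTABLISHED
tcp4       0      0  192.0.2.10.80          203.0.113.5.1025      SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.5.1026      SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.5.1027      SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.5.1028      SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.5.1029      SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.5.1030      SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.20.3000     SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.21.3000     SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.22.3000     SYN_RCVD
"""

# FreeBSD prints SYN_RCVD; the Linux spelling is accepted as well (assumption).
HALF_OPEN_STATES = {"SYN_RCVD", "SYN_RECV"}


def parse_netstat(text):
    """Return (remote_host, state) pairs from netstat-style TCP lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # proto recv-q send-q local remote state
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        remote, state = parts[4], parts[5]
        # netstat joins host and port with a dot; the port is the last component
        rhost, _, _rport = remote.rpartition(".")
        rows.append((rhost, state))
    return rows


def summarize(rows):
    """Count connection states per remote host."""
    per_host = defaultdict(Counter)
    for host, state in rows:
        per_host[host][state] += 1
    return per_host


def half_open_ratio(rows):
    """Share of all TCP connections that are still in the handshake."""
    total = len(rows)
    half_open = sum(1 for _, state in rows if state in HALF_OPEN_STATES)
    return half_open / total if total else 0.0


def suspicious_hosts(per_host, min_half_open=5):
    """Hosts with at least min_half_open half-open connections (threshold assumed)."""
    return sorted(
        host for host, counts in per_host.items()
        if sum(counts[s] for s in HALF_OPEN_STATES) >= min_half_open
    )


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    per_host = summarize(rows)
    for host, counts in sorted(per_host.items()):
        print(f"{host:16} {dict(counts)}")
    print("half-open ratio:", round(half_open_ratio(rows), 2))
    print("hosts with many half-open connections:", suspicious_hosts(per_host))
```

On the sample, the proxy host is not reported even though it holds the most connections, because every one of them completed the handshake; only the host with six half-open sockets is listed. The spoofed-looking hosts contribute one half-open connection each and never cross a per-host threshold, which is why the aggregate half-open ratio (0.6 here) is the more useful signal when sources cannot be pinned down, in line with the point above that the attack itself can't be specifically identified by address.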
