From owner-freebsd-questions Fri Jan 16 01:38:41 1998
Date: Fri, 16 Jan 1998 08:58:12 +0000
From: Karl Pielorz
Organization: TDX
To: Stephen Comoletti
CC: questions@FreeBSD.ORG
Subject: Re: DoS
Message-ID: <34BF2124.A357660F@tdx.co.uk>
References: <199801160336.WAA18362@www.delanet.com>

Hi Stephen,

Where is the attack coming from?

The Cisco can be configured to be pretty secure - this includes dropping
any packets that have been obviously 'faked' as being from themselves
etc. (and dropping packets with source routing tricks etc.)

How much do you know about the Ciscos and the IOS they run? If you
need / want further help, email me...

Regards,

Karl

Stephen Comoletti wrote:
>
> I have a situation I need a little advice on. I'm not sure if it belongs
> here, however it does affect users of FreeBSD as well from what little I do
> know.
>
> OK, here is the setup. ISP with 2 Cisco routers, both communicate between
> each other on a regular basis. They use RADIUS for authentication. The ISP
> is under attack by a modified smurf. It has all the symptoms of a smurf but
> it's coming in via UDP and not ICMP. To complicate it, the attacker is
> spoofing the IP of each router and hitting them at the same time, changing
> the port each time the ISP kills input from one.
>
> Is there any way to defend/track down/stop an attack of this type?
>
> Steve
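
An added example, not part of the original message or either poster's configuration: a Cisco IOS ingress filter of the kind Karl describes, dropping packets that arrive from upstream claiming a router's own address and refusing source-routed packets. The addresses (192.0.2.1 and 192.0.2.2 for the two routers, 198.51.100.0/24 for the ISP's own block), the interface name Serial0 and ACL number 101 are placeholders, and it assumes the routers reach each other and the RADIUS server over an internal link, never via the upstream interface.

```cisco
! Constructed example; every address and interface name is a placeholder.
!
! Refuse packets carrying IP source-route options (global setting).
no ip source-route
!
! Nothing arriving from upstream can legitimately have one of our own
! routers as its source. The "log" keyword records each match, which
! helps show which interface the spoofed traffic is entering on.
access-list 101 deny   ip host 192.0.2.1 any log
access-list 101 deny   ip host 192.0.2.2 any log
!
! The same reasoning covers the rest of the ISP's own address block.
access-list 101 deny   ip 198.51.100.0 0.0.0.255 any log
!
! Everything else is passed unchanged.
access-list 101 permit ip any any
!
interface Serial0
 description Upstream link (assumed name)
 ! Apply the anti-spoofing list to traffic entering from upstream.
 ip access-group 101 in
 ! Do not forward packets addressed to a subnet broadcast address,
 ! so these networks cannot be used to amplify a smurf-style flood.
 no ip directed-broadcast
```

The filter only drops spoofed packets once they reach this router; the flood still consumes the upstream link, so the logged matches are mainly evidence to hand to the upstream provider for tracing.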