Date: Thu, 22 Mar 2001 14:46:34 +0000
From: Marc Rogers <marcr@shady.org>
To: freebsd-security@freebsd.org
Subject: Re: DoS attack - advice needed
Message-ID: <20010322144634.V10016@shady.org>
In-Reply-To: <3ABA09E0.141711C9@ukrpost.net>; from ostap@ukrpost.net on Thu, Mar 22, 2001 at 04:19:12PM +0200
References: <3ABA09E0.141711C9@ukrpost.net>
Hiya

First thing you need to do is work out what they are throwing at you. You need to find out if the icmp was inward bound or outward. Outward bound (which to be honest is much more likely) is often a symptom of something that involves a large number of source addresses. A DDOS attack will generate a huge amount of outward bound icmp, as will something that involves spoofed source addresses.

Blocking icmp in cases such as these will only cure the symptom, not the disease. In addition you score an own goal, as by blocking that kind of traffic within your own network, the attackers still get to saturate your line(s) and you are less likely to see some of the "clues" that can help you identify the perpetrator.

Take a snapshot of your network traffic (just tcpdump on some of the affected machines will do) and either mail it to me or send it to this list, and I and various others will look at it for you. Each different attack family will require a different countermeasure.

By the comment you have made that this attack has caused FreeBSD machines to hang, I would suggest you are looking at something along the lines of a fragmented packet attack (which, if they were using an often changing spoofed source address, would explain the large amounts of icmp).

Something I have noticed recently (and I will be making a separate post to this list on this matter) is that although our beloved OS has been hardened against attacks such as this, there are a number of well known software packages that are affected dramatically by these attacks, and more often than not it is their behaviour that causes up-to-date boxes to hang.

Hope this helps,

Marc Rogers
Head of Network Operations & Security
EDC Group
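The triage the message recommends (decide whether the icmp is inbound or outbound, count how many distinct addresses are involved, and look for fragments) can be done over a tcpdump text dump before anyone mails it to the list. The script below is an added example and is not part of Marc Rogers' message or of FreeBSD; it assumes the site's own prefix is 203.0.113.0/24 (a placeholder to edit), handles IPv4 only, and runs over constructed sample lines modelled on `tcpdump -n` output rather than a real capture.

```python
import ipaddress
import re

# Constructed sample lines modelled on `tcpdump -n` output. They are NOT a real
# capture: a few inbound fragments from several sources, the "reassembly time
# exceeded" and "port unreachable" ICMP the victim sends back, one ping exchange
# and one ordinary TCP segment.
SAMPLE_CAPTURE = """\
14:46:01.000001 IP 198.51.100.7 > 203.0.113.5: (frag 54321:8@1480)
14:46:01.000002 IP 198.51.100.8 > 203.0.113.5: (frag 54322:8@1480)
14:46:01.000003 IP 198.51.100.9 > 203.0.113.5: (frag 54323:8@1480)
14:46:01.000004 IP 203.0.113.5 > 198.51.100.7: ICMP ip reassembly time exceeded, length 36
14:46:01.000005 IP 203.0.113.5 > 198.51.100.8: ICMP ip reassembly time exceeded, length 36
14:46:01.000006 IP 203.0.113.5 > 198.51.100.9: ICMP ip reassembly time exceeded, length 36
14:46:01.000007 IP 203.0.113.5 > 198.51.100.10: ICMP 203.0.113.5 udp port 33434 unreachable, length 36
14:46:01.000008 IP 192.0.2.44 > 203.0.113.5: ICMP echo request, id 9, seq 1, length 64
14:46:01.000009 IP 203.0.113.5 > 192.0.2.44: ICMP echo reply, id 9, seq 1, length 64
14:46:01.000010 IP 203.0.113.5.22 > 192.0.2.44.51000: Flags [P.], seq 1:53, ack 1, win 512, length 52
"""

# Placeholder for the network you are defending; adjust to your own prefix.
LOCAL_NET = "203.0.113.0/24"

# timestamp, "IP", src, ">", dst, ":", remainder of the summary line
LINE_RE = re.compile(r"^\S+\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$")


def split_host(token):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; strip the port if present."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_line(line):
    """Return src/dst addresses plus icmp/fragment flags, or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _ = split_host(m.group("src"))
    dst, _ = split_host(m.group("dst"))
    rest = m.group("rest")
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "icmp": rest.startswith("ICMP"),
        "frag": "(frag " in rest,
    }


def triage(capture, local_net=LOCAL_NET):
    """Count ICMP by direction and fragments by source, relative to local_net."""
    net = ipaddress.ip_network(local_net)
    stats = {
        "icmp_in": 0, "icmp_out": 0, "frag_in": 0, "other": 0,
        "icmp_in_sources": set(), "icmp_out_targets": set(), "frag_sources": set(),
    }
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        inbound = pkt["dst"] in net and pkt["src"] not in net
        outbound = pkt["src"] in net and pkt["dst"] not in net
        if pkt["frag"] and inbound:
            stats["frag_in"] += 1
            stats["frag_sources"].add(str(pkt["src"]))
        if pkt["icmp"]:
            if inbound:
                stats["icmp_in"] += 1
                stats["icmp_in_sources"].add(str(pkt["src"]))
            elif outbound:
                stats["icmp_out"] += 1
                stats["icmp_out_targets"].add(str(pkt["dst"]))
        elif not pkt["frag"]:
            stats["other"] += 1
    return stats


def assess(stats, many=2):
    """Turn the counts into the rough hypotheses the mail describes."""
    findings = []
    if stats["icmp_out"] > stats["icmp_in"] and len(stats["icmp_out_targets"]) > many:
        findings.append("outbound ICMP to many distinct addresses: local hosts are answering "
                        "traffic that carries many (possibly spoofed) source addresses")
    if stats["frag_in"] and len(stats["frag_sources"]) > many:
        findings.append("inbound fragments from many sources: check fragment handling "
                        "on the hosts that hang")
    if stats["icmp_in"] > stats["icmp_out"]:
        findings.append("inbound ICMP dominates: the ICMP itself is the flood")
    return findings


if __name__ == "__main__":
    s = triage(SAMPLE_CAPTURE)
    print({k: (len(v) if isinstance(v, set) else v) for k, v in s.items()})
    for f in assess(s):
        print("-", f)
```

Run it on a real dump with `tcpdump -n -r capture.pcap | python3 triage.py` style plumbing (reading stdin instead of `SAMPLE_CAPTURE`); the direction split only makes sense if `LOCAL_NET` really is your prefix, and the `many` threshold of two is deliberately tiny for the sample and should be raised for production traffic.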