Subject: Re: What is my next step as a script kiddie ? (DDoS)
From: "."@babolo.ru
To: Josh Brooks
Cc: freebsd-net@freebsd.org
Date: Fri, 10 Jan 2003 02:25:53 +0300 (MSK)
In-Reply-To: <20030109101652.E78856-100000@mail.econolodgetulsa.com>
Message-Id: <1042154753.510477.852.nullmailer@cicuta.babolo.ru>

> With the help of people in this group I have largely solved my problems -
> by simply placing in rules to drop all packets except the ones going to
> ports/services that are actually in use on the destination, I have found
> that even during a large attack (the kinds that used to cripple me) I have
> no problems at all - a lot of packets simply get dropped and that's that.
>
> But, I am concerned ... I am concerned that the attacks will simply
> change/escalate to something else.
>
> If I were a script kiddie, and I suddenly saw that all of my garbage
> packets to nonexistent ports were suddenly being dropped, and say I nmap'd
> the thing and saw that those ports were closed - what would my next step
> be ? Prior to this the attacks were very simply a big SYN flood to random
> ports on the victim, and because of the RSTs etc., all this traffic to
> nonexistent ports flooded the firewall off.
>
> So what do they do next ? What is the next step ? The next level of
> sophistication to get around the measures I have put into place (that have
> been very successful - I have an attack ongoing as I write this, and it
> isn't hurting me at all).
>
> -------
>
> I am hoping that the answer is "same attack, but bigger - more bandwidth,
> in an attempt to saturate your pipe" because the victims are low profile
> enough that it is unlikely enough people could pool enough resources to
> make this happen. But then again, maybe there is something sophisticated
> that a small attacker could do - and that is what I am trying to figure
> out and prevent before it happens.

What is your goal? To protect your router or to protect your client?
This is a big difference. And maybe the police are the best way for both
in the long term.
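The quoted message describes the defence that worked: a default-deny ruleset that only lets traffic through to services actually in use and silently drops the rest, so that floods to closed ports never generate RST replies. As an added example (not code from either poster), here is a small POSIX shell generator for such an ipfw ruleset on FreeBSD. It assumes the external interface name and the rule-number spacing are free for the caller to choose; the interface `fxp0` and the port list in the demo call are constructed values. It prints the `ipfw add` commands rather than running them, so it can be reviewed before being fed to the firewall.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Emit an ipfw ruleset that allows only the listed inbound TCP services
# and silently drops everything else. Assumptions: the external interface
# is given as the first argument (constructed default below: fxp0), rule
# numbers 100..65000 are free, and the caller pipes the output to sh.

# gen_ipfw_rules IFACE PORT...  -> one "ipfw add ..." line per rule on stdout
gen_ipfw_rules() {
    iface=$1; shift
    n=100
    # Let packets belonging to already-tracked connections through first.
    echo "ipfw add $n check-state"
    n=$((n + 100))
    for p in "$@"; do
        # Reject anything that is not a number in 1..65535 before it
        # becomes a rule that silently allows nothing or too much.
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "invalid port: $p" >&2; return 1
        fi
        # 'setup' matches only the initial SYN; the connection is then
        # tracked by keep-state and later packets match check-state.
        echo "ipfw add $n allow tcp from any to me $p in via $iface setup keep-state"
        n=$((n + 100))
    done
    # Traffic this host itself originates is allowed and tracked.
    echo "ipfw add $n allow ip from me to any out via $iface keep-state"
    # 'deny' drops silently. 'reset' or 'unreach' would answer every probe,
    # which is exactly the RST/ICMP reply traffic the original poster saw
    # during floods to closed ports.
    echo "ipfw add 65000 deny ip from any to any"
}

# Stand-alone demo: ./rules.sh --demo  (fxp0 and the port list are constructed)
if [ "${1:-}" = "--demo" ]; then
    gen_ipfw_rules fxp0 22 80 443
fi
```

The last rule uses `deny` rather than `reset` deliberately: a flood aimed at closed ports then costs only the inbound packets, not an equal number of outbound replies. On FreeBSD the same effect for ports the firewall does let through to the kernel can be had with the `net.inet.tcp.blackhole` and `net.inet.udp.blackhole` sysctls, which suppress RST and ICMP unreachable replies for closed ports.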