From owner-freebsd-net Fri Jan 10 1:18:17 2003
Date: Fri, 10 Jan 2003 01:18:07 -0800 (PST)
From: Josh Brooks
To: "."@babolo.ru
Cc: freebsd-net@freebsd.org
Subject: Re: What is my next step as a script kiddie ? (DDoS)
In-Reply-To: <1042154753.510477.852.nullmailer@cicuta.babolo.ru>
Message-ID: <20030110011642.O78856-100000@mail.econolodgetulsa.com>

My goal is to protect my FreeBSD firewall. As I mentioned, now that I have closed off everything to the victim except the ports he is actually running services on, everything is great! The firewall is just fine - even during a big SYN flood, because it just drops all the packets that aren't going to legitimate ports.

So my question is, what will they do next? When they nmap the victim and they see all the ports are closed, what will they move to then?
On Fri, 10 Jan 2003 .@babolo.ru wrote:

> > With the help of people in this group I have largely solved my problems - by simply placing in rules to drop all packets except the ones going to ports/services that are actually in use on the destination, I have found that even during a large attack (the kinds that used to cripple me) I have no problems at all - a lot of packets simply get dropped and that's that.
> >
> > But, I am concerned ... I am concerned that the attacks will simply change/escalate to something else.
> >
> > If I were a script kiddie, and I suddenly saw that all of my garbage packets to nonexistent ports were suddenly being dropped, and say I nmap'd the thing and saw that those ports were closed - what would my next step be? Prior to this the attacks were very simply a big SYN flood to random ports on the victim, and because of the RSTs etc., all this traffic to nonexistent ports flooded the firewall off.
> >
> > So what do they do next? What is the next step? The next level of sophistication to get around the measures I have put into place (that have been very successful - I have an attack ongoing as I write this, and it isn't hurting me at all)
> >
> > -------
> >
> > I am hoping that the answer is "same attack, but bigger - more bandwidth, in an attempt to saturate your pipe" because the victims are low profile enough that it is unlikely enough people could pool enough resources to make this happen. But then again, maybe there is something sophisticated that a small attacker could do - and that is what I am trying to figure out and prevent before it happens.
>
> What is your goal?
> To protect your router or to protect your client?
> This is a big difference.
> And may be police is best way for both in long term.