From: Josh Brooks
To: Jess Kitchen
Cc: freebsd-net@freebsd.org
Date: Fri, 10 Jan 2003 13:36:39 -0800 (PST)
Subject: Re: What is my next step as a script kiddie ? (DDoS)
In-Reply-To: <20030110175022.B42178-100000@platinum.burstfire.net>
Message-ID: <20030110133515.Q78856-100000@mail.econolodgetulsa.com>

Ok, understood - but the point is, at some point the attackers are going to
realize that their SYN floods are no longer hurting me ... and regardless of
what they conclude from this, what is the standard "next step"? If they are
just flooders/packeteers, what do they graduate to when SYN floods no longer
do the job?

thanks!

On Fri, 10 Jan 2003, Jess Kitchen wrote:

> On Fri, 10 Jan 2003, Josh Brooks wrote:
>
> > My goal is to protect my FreeBSD firewall. As I mentioned, now that I
> > have closed off everything to the victim except the ports he is actually
> > running services on, everything is great! The firewall is just fine -
> > even during a big SYN flood, because it just drops all the packets that
> > aren't going to legitimate ports.
> >
> > So my question is, what will they do next? When they nmap the victim and
> > they see all the ports are closed, what will they move to then?
>
> Josh,
>
> If your firewall is correctly dropping packets they won't see closed ports
> at all, unless you are sending TCP resets for everything (which would be
> silly heh)
>
> Have you had a look at man blackhole yet? That usually proves to be quite
> a pain when running generic-ish stuff along the lines of -sS -F or
> whatever.
>
> Cheers,
> J.
>
> --
> Jess Kitchen
> http://www.burstfire.net/
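The thread's practical point is that once the firewall silently drops everything except the listening ports, the scanner or flooder learns nothing from the wire, but the dropped packets still show up in the firewall's deny log on the defender's side. That log is where the two behaviours Jess and Josh mention (a SYN flood hammering one port versus an nmap-style walk across many closed ports) can be told apart. The script below is an added example, not code from the thread or from FreeBSD; it parses a constructed approximation of ipfw "Deny TCP" log lines (the exact field layout is an assumption, adapt the regex to your firewall's real output) and flags each source address as flood-like, scan-like, or normal. The thresholds `flood_pps` and `scan_ports` are illustrative knobs, not values from the page.

```python
"""Classify sources in firewall deny logs as SYN-flood-like, scan-like or normal.

Added example for illustration only; not from the mailing-list thread.
The log line format is a constructed approximation of an ipfw deny entry.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, NamedTuple

# Constructed sample log: 203.0.113.5 sends six SYNs to port 80 within one
# second (flood-like), 203.0.113.7 touches six different closed ports
# (scan-like), 10.0.0.9 sends a single stray packet (normal). One "Accept"
# line is included to show that non-deny lines are ignored.
SAMPLE_LOG = [
    "Jan 10 13:30:01 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:40001 198.51.100.2:80 in via fxp0",
    "Jan 10 13:30:01 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:40002 198.51.100.2:80 in via fxp0",
    "Jan 10 13:30:01 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:40003 198.51.100.2:80 in via fxp0",
    "Jan 10 13:30:02 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:40004 198.51.100.2:80 in via fxp0",
    "Jan 10 13:30:02 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:40005 198.51.100.2:80 in via fxp0",
    "Jan 10 13:30:02 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:40006 198.51.100.2:80 in via fxp0",
    "Jan 10 13:31:00 fw kernel: ipfw: 100 Deny TCP 203.0.113.7:51000 198.51.100.2:21 in via fxp0",
    "Jan 10 13:31:01 fw kernel: ipfw: 100 Deny TCP 203.0.113.7:51001 198.51.100.2:22 in via fxp0",
    "Jan 10 13:31:02 fw kernel: ipfw: 100 Deny TCP 203.0.113.7:51002 198.51.100.2:23 in via fxp0",
    "Jan 10 13:31:03 fw kernel: ipfw: 100 Deny TCP 203.0.113.7:51003 198.51.100.2:25 in via fxp0",
    "Jan 10 13:31:04 fw kernel: ipfw: 100 Deny TCP 203.0.113.7:51004 198.51.100.2:110 in via fxp0",
    "Jan 10 13:31:05 fw kernel: ipfw: 100 Deny TCP 203.0.113.7:51005 198.51.100.2:143 in via fxp0",
    "Jan 10 13:32:00 fw kernel: ipfw: 200 Accept TCP 10.0.0.9:33000 198.51.100.2:80 in via fxp0",
    "Jan 10 13:32:30 fw kernel: ipfw: 100 Deny TCP 10.0.0.9:33001 198.51.100.2:8080 in via fxp0",
]

# Assumed field layout: syslog timestamp, host, "ipfw:", rule number, action,
# protocol, src:port, dst:port, direction, interface.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: "
    r"(?P<rule>\d+) Deny TCP (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)


class DenyEvent(NamedTuple):
    ts: datetime
    src: str
    dport: int


def parse(lines: Iterable[str]) -> Iterator[DenyEvent]:
    """Yield one DenyEvent per matching deny line; silently skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults it, which is fine
        # because only differences between timestamps are used below.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield DenyEvent(ts, m.group("src"), int(m.group("dport")))


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source: number of denied packets, distinct target ports, time span."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"total": 0, "ports": set(), "first": None, "last": None}
    )
    for ev in parse(lines):
        s = stats[ev.src]
        s["total"] += 1
        s["ports"].add(ev.dport)
        s["first"] = ev.ts if s["first"] is None else min(s["first"], ev.ts)
        s["last"] = ev.ts if s["last"] is None else max(s["last"], ev.ts)
    return dict(stats)


def classify(lines: Iterable[str], flood_pps: float = 2.0, scan_ports: int = 5) -> Dict[str, str]:
    """Label each source 'scan', 'flood' or 'normal' (illustrative thresholds).

    Many distinct closed ports from one source looks like a port walk; a high
    packet rate against few ports looks like a flood. Scan is checked first
    because a scanner also produces a burst of packets.
    """
    verdicts: Dict[str, str] = {}
    for src, s in summarize(lines).items():
        # Treat a single-timestamp burst as lasting one second to avoid division by zero.
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["total"] / span
        if len(s["ports"]) >= scan_ports:
            verdicts[src] = "scan"
        elif rate >= flood_pps:
            verdicts[src] = "flood"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

Running the file prints one verdict per source for the constructed sample. On a real box the same function can be fed `/var/log/security` (or wherever ipfw logs go) a window at a time; the useful output is a per-source summary to feed a blocking rule or an alert, and the thresholds should be tuned against the host's normal deny volume before acting on them.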