From owner-freebsd-net Fri Jan 10 20:14:10 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E28D637B401 for ; Fri, 10 Jan 2003 20:14:08 -0800 (PST)
Received: from ints.mail.pike.ru (ints.mail.pike.ru [195.9.45.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D7DE43F3F for ; Fri, 10 Jan 2003 20:14:07 -0800 (PST) (envelope-from babolo@cicuta.babolo.ru)
Received: (qmail 65714 invoked from network); 11 Jan 2003 04:27:38 -0000
Received: from babolo.ru (HELO cicuta.babolo.ru) (194.58.226.160) by ints.mail.pike.ru with SMTP; 11 Jan 2003 04:27:38 -0000
Received: (nullmailer pid 9609 invoked by uid 136); Sat, 11 Jan 2003 04:15:19 -0000
Subject: Re: What is my next step as a script kiddie ? (DDoS)
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <20030110133515.Q78856-100000@mail.econolodgetulsa.com>
To: Josh Brooks
Date: Sat, 11 Jan 2003 07:15:19 +0300 (MSK)
From: "."@babolo.ru
Cc: Jess Kitchen , freebsd-net@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <1042258519.765651.9608.nullmailer@cicuta.babolo.ru>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

IMHO it is almost impossible to touch a properly configured router without open services on it.
I have great experience of wars with over 3000 users of my nets over ethernet.
Every loss of mine was due to a hardware error of a switch or ethernet port, or a configuration error.
Optimize ipfw for speed, do not use it for count - and only mistakes lead to crash.
It seems your router is powerful enough for your circumstances.
Servers are another thing however...
:-((

> Ok, understood - but the point is, at some point the attackers are going
> to realize that their syn floods are no longer hurting me ... and
> regardless of what they conclude from this, what is the standard "next
> step" ? If they are just flooders/packeteers, what do they graduate to
> when syn floods no longer do the job ?
>
> thanks!
>
> On Fri, 10 Jan 2003, Jess Kitchen wrote:
>
> > On Fri, 10 Jan 2003, Josh Brooks wrote:
> >
> > > My goal is to protect my FreeBSD firewall. As I mentioned, now that I
> > > have closed off everything to the victim except the ports he is actually
> > > running services on, everything is great! The firewall is just fine -
> > > even during a big syn flood, because it just drops all the packets that
> > > aren't going to legitimate ports.
> > >
> > > So my question is, what will they do next ? When they nmap the victim and
> > > they see all the ports are closed, what will they move to then ?
> >
> > Josh,
> >
> > If your firewall is correctly dropping packets they won't see closed ports
> > at all, unless you are sending tcp resets for everything (which would be
> > silly heh)
> >
> > Have you had a look at man blackhole yet? That usually proves to be quite
> > a pain when running generic-ish stuff along the lines of -sS -F or
> > whatever.
> >
> > Cheers,
> > J.
> >
> > --
> > Jess Kitchen
> > http://www.burstfire.net/
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
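The ruleset the thread converges on (drop, never reset, everything that is not a published service port; keep ipfw cheap under flood; blackhole the router's own closed ports) is shown below as an added example. It is not code from any poster in the thread. The address 192.0.2.10, the ports 80 and 443, and the function names gen_rules, blackhole_sysctls and deny_is_silent are assumptions made for illustration; the script only prints the ipfw(8) and sysctl(8) commands so the ruleset can be reviewed offline before it is loaded.

```sh
#!/bin/sh
# Added example (not from the thread): emit an ipfw ruleset and sysctl
# settings for a router in front of one host.  Only the listed TCP service
# ports are reachable; everything else is dropped silently.  The host
# address and port list are constructed placeholders.

# gen_rules VICTIM_IP PORT...
# Prints ipfw commands.  Rules are stateless on purpose: with keep-state
# every spoofed SYN in a flood would allocate a dynamic-rule entry, and
# no 'count' rules are used, so per-packet cost stays at a few compares.
gen_rules() {
    victim="$1"; shift
    n=1000
    echo "ipfw add 100 allow ip from any to any via lo0"
    for p in "$@"; do
        # inbound to a published port, and the host's replies from it
        echo "ipfw add $n allow tcp from any to $victim $p"
        echo "ipfw add $((n + 5)) allow tcp from $victim $p to any established"
        n=$((n + 10))
    done
    # Final rule is 'deny' (silent drop), never 'reset': a scanner that
    # gets RSTs learns which ports are closed; one that gets silence
    # learns nothing about the ports that are filtered.
    echo "ipfw add 65000 deny ip from any to any"
}

# blackhole_sysctls
# Prints the blackhole(4) settings for the router itself: no RST for
# closed TCP ports, no ICMP port-unreachable for closed UDP ports.
blackhole_sysctls() {
    echo "sysctl net.inet.tcp.blackhole=2"
    echo "sysctl net.inet.udp.blackhole=1"
}

# deny_is_silent RULES
# Returns 0 when no rule in RULES sends a TCP reset.
deny_is_silent() {
    ! printf '%s\n' "$1" | grep -q 'reset'
}

gen_rules 192.0.2.10 80 443
blackhole_sysctls
```

Rule order matters for speed: the loopback and service-port rules sit at the top so the common case exits early, and the single deny at the bottom catches the flood. Load the printed lines only after checking them; a mistake in the deny rule on a remote router locks you out just as surely as it locks out the flood.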