From owner-freebsd-net Sat Jan 11 14:18:50 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7753537B401 for ; Sat, 11 Jan 2003 14:18:49 -0800 (PST)
Received: from overlord.e-gerbil.net (e-gerbil.net [64.186.142.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id CCE5443F6B for ; Sat, 11 Jan 2003 14:18:48 -0800 (PST) (envelope-from ras@overlord.e-gerbil.net)
Received: from overlord.e-gerbil.net (ras@localhost.globali.net [127.0.0.1]) by overlord.e-gerbil.net (8.12.6/8.12.6) with ESMTP id h0BMImTg037797; Sat, 11 Jan 2003 17:18:48 -0500 (EST) (envelope-from ras@overlord.e-gerbil.net)
Received: (from ras@localhost) by overlord.e-gerbil.net (8.12.6/8.12.6/Submit) id h0BMImHN037796; Sat, 11 Jan 2003 17:18:48 -0500 (EST) (envelope-from ras)
Date: Sat, 11 Jan 2003 17:18:48 -0500
From: Richard A Steenbergen
To: Josh Brooks
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: What is my next step as a script kiddie ? (DDoS)
Message-ID: <20030111221848.GG78231@overlord.e-gerbil.net>
References: <20030109101652.E78856-100000@mail.econolodgetulsa.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030109101652.E78856-100000@mail.econolodgetulsa.com>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Jan 09, 2003 at 10:21:52AM -0800, Josh Brooks wrote:
>
> But, I am concerned ... I am concerned that the attacks will simply
> change/escalate to something else.
>
> If I were a script kiddie, and I suddenly saw that all of my garbage
> packets to nonexistent ports were suddenly being dropped, and say I nmap'd
> the thing and saw that those ports were closed - what would my next step
> be ?
> Prior to this the attacks were very simply a big SYN flood to random
> ports on the victim, and because of the RSTs etc., all this traffic to
> nonexistent ports flooded the firewall off.
>
> So what do they do next ? What is the next step ? The next level of
> sophistication to get around the measures I have put into place (that have
> been very successful - I have an attack ongoing as I write this, and it
> isn't hurting me at all)

You're very right, that's exactly what they will do. Many frequent DoS
victims find it easier to leave open a hole so they can die easily, rather
than risk the attacks escalating and taking out other parts of the network
or services, other customers, etc.

Obviously the next step would be for them to move to SYN flooding only the
ports of the service they are trying to kill, rather than random ports (if
they were smart or motivated by anything other than "I'll keep changing
numbers until they go down again" they would be doing that already). The
next step would be ACK floods so you can't even keep already established
flows up during the attack (though if it's a quick connect/disconnect
service like http it wouldn't matter). The next step would be attacking the
routers near the victim... Etc etc etc. But I think you're now going outside
the scope and expertise of this mailing list. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
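The three escalation stages Richard lists (SYN flood to random, closed ports; SYN flood aimed at the service port; ACK flood that stresses already established flows) can be told apart on the victim side from nothing more than per-packet summaries. The following classifier is an added example written for this archive page, not code from the thread or from FreeBSD; the packet-record format, the set of open ports, the established-flow table and the flood threshold are all assumptions, and the sample traffic is constructed.

```python
"""
Classify DoS traffic into the stages described in the thread from a stream
of packet summaries.  Added example, not code from the thread; the record
format, the open-port set, the flow table and the thresholds are assumptions.
"""
from collections import defaultdict

# Ports the victim actually serves (assumed for this example).
OPEN_PORTS = {80}

# Flows the victim knows to be established, keyed as
# (client_ip, client_port, server_port).  Constructed sample state.
ESTABLISHED = {("198.51.100.7", 51000, 80)}

# Packets of one kind from one source above which we call it a flood
# (assumed threshold; a real deployment would tune this per link).
FLOOD_THRESHOLD = 5


def classify(packets, open_ports=OPEN_PORTS, established=ESTABLISHED,
             threshold=FLOOD_THRESHOLD):
    """packets: iterable of (src_ip, src_port, dst_port, flags) tuples,
    flags being "S" for a bare SYN or "A" for a bare ACK.
    Returns {src_ip: set_of_stage_labels} for sources that crossed a threshold."""
    counts = defaultdict(lambda: {"syn_closed": 0, "syn_open": 0, "ack_stray": 0})
    for src, sport, dport, flags in packets:
        c = counts[src]
        if flags == "S":
            # Stage 1 traffic hits ports nobody listens on (the host answers
            # each with a RST); stage 2 traffic hits the real service port.
            if dport in open_ports:
                c["syn_open"] += 1
            else:
                c["syn_closed"] += 1
        elif flags == "A":
            # A bare ACK that matches no known flow belongs to no real
            # connection; in volume that is the stage 3 ACK flood.
            if (src, sport, dport) not in established:
                c["ack_stray"] += 1

    verdict = {}
    for src, c in counts.items():
        labels = set()
        if c["syn_closed"] >= threshold:
            labels.add("syn-flood-random-ports")
        if c["syn_open"] >= threshold:
            labels.add("syn-flood-service-port")
        if c["ack_stray"] >= threshold:
            labels.add("ack-flood")
        if labels:
            verdict[src] = labels
    return verdict


# Constructed sample traffic: one legitimate client plus one source per stage.
SAMPLE = (
    [("198.51.100.7", 51000, 80, "A")] * 3                             # real flow
    + [("203.0.113.1", 40000 + i, 1000 + i, "S") for i in range(6)]    # random ports
    + [("203.0.113.2", 40000 + i, 80, "S") for i in range(6)]          # service port
    + [("203.0.113.3", 40000 + i, 80, "A") for i in range(6)]          # stray ACKs
)

if __name__ == "__main__":
    for src, labels in sorted(classify(SAMPLE).items()):
        print(src, ", ".join(sorted(labels)))
```

The counters are kept per source address, which is enough to separate the stages in the sample but not against spoofed sources; for that, aggregate the same three counters per destination port instead and compare them with the rate the service normally sees. The `established` lookup is the same information the thread's firewall already holds, so the stray-ACK count costs no extra state.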