From owner-freebsd-net Sat Jan 11 14:40:44 2003
Date: Sun, 12 Jan 2003 00:40:25 +0200
From: Giorgos Keramidas
To: Josh Brooks
Cc: Jess Kitchen, freebsd-net@FreeBSD.ORG
Subject: Re: What is my next step as a script kiddie ? (DDoS)
Message-ID: <20030111224025.GA915@gothmog.gr>
References: <20030110175022.B42178-100000@platinum.burstfire.net> <20030110133515.Q78856-100000@mail.econolodgetulsa.com>
In-Reply-To: <20030110133515.Q78856-100000@mail.econolodgetulsa.com>

On 2003-01-10 13:36, user@mail.econolodgetulsa.com (Josh Brooks) wrote:
> Ok, understood - but the point is, at some point the attackers are
> going to realize that their syn floods are no longer hurting me ...
> and regardless of what they conclude from this, what is the standard
> "next step" ? If they are just flooders/packeteers, what do they
> graduate to when syn floods no longer do the job ?

They'll probably try icmp floods, or floods that will force your server
to generate a lot of RST responses. You can safely handle a lot of icmp
traffic by ignoring those icmp packets that are not useful to you or
mandatory according to one of the router requirements RFCs. The rate
limiting features of RESTRICT_RST will handle the rest nicely, imho.
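Added example, not from the thread: a small host-side model of the two defences Giorgos describes, dropping ICMP types the host does not need and capping the RST/ICMP-error responses a closed-port flood can provoke per second. The allowed ICMP types, the open-port set, the 200/s limit and the packet burst are constructed assumptions, in the spirit of FreeBSD's ICMP bandwidth limiting rather than a copy of it.

```python
from dataclasses import dataclass

# ICMP types a host must still accept per the host/router requirements RFCs
# (RFC 1122 / RFC 1812): echo reply, dest unreachable, echo request,
# time exceeded, parameter problem. Anything else is dropped silently.
ALLOWED_ICMP_TYPES = {0, 3, 8, 11, 12}
OPEN_TCP_PORTS = {22, 80}  # constructed: ports this host listens on

@dataclass
class Packet:
    t: float            # arrival time in seconds
    proto: str          # "icmp" or "tcp"
    icmp_type: int = 0  # used for ICMP
    dport: int = 0      # used for TCP

class ResponseLimiter:
    """Cap RST / ICMP-error responses per wall-clock second, modelled on
    FreeBSD's ICMP bandwidth limiting (net.inet.icmp.icmplim); assumption."""
    def __init__(self, limit: int = 200):
        self.limit, self.window, self.count = limit, None, 0
    def allow(self, now: float) -> bool:
        sec = int(now)
        if sec != self.window:  # new second: reset the budget
            self.window, self.count = sec, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False

def process(packets: list, limiter: ResponseLimiter) -> dict:
    """Return counts of what the host did with a packet stream."""
    stats = {"icmp_dropped": 0, "icmp_ok": 0, "tcp_ok": 0,
             "rst_sent": 0, "rst_suppressed": 0}
    for p in packets:
        if p.proto == "icmp":
            ok = p.icmp_type in ALLOWED_ICMP_TYPES
            stats["icmp_ok" if ok else "icmp_dropped"] += 1
        elif p.dport in OPEN_TCP_PORTS:
            stats["tcp_ok"] += 1
        else:  # closed port: kernel would answer with a RST; rate-limit it
            stats["rst_sent" if limiter.allow(p.t) else "rst_suppressed"] += 1
    return stats

def flood_demo() -> dict:
    """Constructed burst inside one second: 1000 ICMP timestamp requests,
    1000 SYNs to a closed port, then one legitimate ping and one HTTP SYN."""
    pkts = [Packet(0.5, "icmp", icmp_type=13) for _ in range(1000)]
    pkts += [Packet(0.6, "tcp", dport=31337) for _ in range(1000)]
    pkts += [Packet(0.7, "icmp", icmp_type=8), Packet(0.8, "tcp", dport=80)]
    return process(pkts, ResponseLimiter(limit=200))
```

With the 200/s cap the 1000-packet SYN burst yields 200 RSTs and 800 suppressed replies, while the unsolicited timestamp requests never get an answer at all.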