From owner-freebsd-net Sat Jan 11 16:37:56 2003
Subject: Re: What is my next step as a script kiddie ? (DDoS)
From: "."@babolo.ru
To: Richard A Steenbergen
Cc: Josh Brooks, freebsd-net@FreeBSD.ORG
Date: Sun, 12 Jan 2003 03:39:09 +0300 (MSK)
In-Reply-To: <20030111221848.GG78231@overlord.e-gerbil.net>
Message-Id: <1042331949.784310.69034.nullmailer@cicuta.babolo.ru>

> On Thu, Jan 09, 2003 at 10:21:52AM -0800, Josh Brooks wrote:
> >
> > But, I am concerned ... I am concerned that the attacks will simply
> > change/escalate to something else.
> >
> > If I were a script kiddie, and I suddenly saw that all of my garbage
> > packets to nonexistent ports were suddenly being dropped, and say I nmap'd
> > the thing and saw that those ports were closed - what would my next step
> > be ?
> > Prior to this the attacks were very simply a big SYN flood to random
> > ports on the victim, and because of the RSTs etc., all this traffic to
> > nonexistent ports flooded the firewall off.
> >
> > So what do they do next ? What is the next step ? The next level of
> > sophistication to get around the measures I have put into place (that have
> > been very successful - I have an attack ongoing as I write this, and it
> > isn't hurting me at all)
>
> You're very right, that's exactly what they will do. Many frequent DoS
> victims find it easier to leave open a hole so they can die easily, rather
> than risk the attacks escalating and taking out other parts of the network
> or services, other customers, etc.
>
> Obviously the next step would be for them to move to SYN flooding only the
> ports of the service they are trying to kill, rather than random ports (if
> they were smart or motivated by anything other than "I'll keep changing
> numbers until they go down again" they would be doing that already). The
> next step would be ACK floods so you can't even keep already established
> flows up during the attack (though if it's a quick connect/disconnect
> service like http it wouldn't matter). The next step would be attacking
> the routers near the victim... Etc etc etc.

Don't panic. This is the headache of his upstream provider or his client under attack.
His goal, as stated in the question (to protect the router), is solvable.
But you are right, the global problem is not solvable that easily.
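The escalation Steenbergen describes above (a SYN flood sprayed at random ports, then SYNs aimed only at the service ports, then bare ACKs that do not belong to any flow) can be told apart from a simple per-window summary of TCP packets, and the same summary shows how many RSTs a host would emit if it answered every SYN to a closed port instead of silently dropping it, which is the amplification Josh's drop rule removed. The Python below is an added example, not code from the thread or from FreeBSD; the packet records, the `OPEN_PORTS` set and the thresholds in `classify` are constructed assumptions for illustration.

```python
"""Classify a window of TCP packet summaries into the DoS escalation
stages discussed in the thread:
  random-port SYN flood -> targeted SYN flood -> ACK flood.

Added example, not code from the mailing list or from FreeBSD. The
records and thresholds below are constructed assumptions.
"""

# Ports the victim actually serves (assumption for this example).
OPEN_PORTS = {22, 80}

# Constructed records: (src_ip, dst_port, flags). Flags use tcpdump-style
# letters: "S" = SYN, "A" = ACK, "P" = PSH, "R" = RST.
# 500 SYNs from 50 spoofed-looking sources, spread over 500 distinct high ports.
RANDOM_PORT_FLOOD = [("10.0.0.%d" % (i % 50), 1024 + (i * 7919) % 60000, "S")
                     for i in range(500)]
# 500 SYNs, all at the HTTP service port.
TARGETED_SYN_FLOOD = [("10.0.1.%d" % (i % 50), 80, "S") for i in range(500)]
# 500 bare ACKs at port 80 from sources that never sent a SYN.
ACK_FLOOD = [("10.0.2.%d" % (i % 50), 80, "A") for i in range(500)]
# One legitimate client: handshake, then data and acks.
NORMAL = [("192.0.2.5", 80, "S"), ("192.0.2.5", 80, "A"),
          ("192.0.2.5", 80, "PA"), ("192.0.2.5", 80, "A")]


def summarize(records, open_ports=OPEN_PORTS):
    """Count the features that separate the three attack shapes."""
    syns = [r for r in records if "S" in r[2]]
    acks_only = [r for r in records if "A" in r[2] and "S" not in r[2]]
    # Sources that at least started a handshake in this window.
    syn_sources = {r[0] for r in syns}
    # Bare ACKs from sources with no SYN in the window cannot belong to a
    # flow opened here; a large share of them is the ACK-flood signature.
    orphan_acks = [r for r in acks_only if r[0] not in syn_sources]
    syn_to_closed = [r for r in syns if r[1] not in open_ports]
    return {
        "packets": len(records),
        "syn": len(syns),
        "syn_closed": len(syn_to_closed),
        "syn_ports": len({r[1] for r in syns}),
        "orphan_ack": len(orphan_acks),
        # RSTs the victim would send if it rejects every SYN to a closed
        # port (one RST per SYN); zero if the firewall drops them silently.
        "rst_if_reject": len(syn_to_closed),
    }


def classify(records, open_ports=OPEN_PORTS, min_packets=100):
    """Name the escalation stage a window most resembles.

    Thresholds (half the window, 20 distinct ports, 100 packets) are
    constructed for this example, not tuned values."""
    s = summarize(records, open_ports)
    if s["packets"] < min_packets:
        return "normal"
    if s["orphan_ack"] > 0.5 * s["packets"]:
        return "ack-flood"
    if s["syn"] > 0.5 * s["packets"]:
        if s["syn_closed"] > 0.5 * s["syn"] and s["syn_ports"] > 20:
            return "random-port-syn-flood"
        return "targeted-syn-flood"
    return "normal"


if __name__ == "__main__":
    for name, window in [("random-port flood", RANDOM_PORT_FLOOD),
                         ("targeted flood", TARGETED_SYN_FLOOD),
                         ("ack flood", ACK_FLOOD),
                         ("normal traffic", NORMAL * 30)]:
        print(name, "->", classify(window), summarize(window))
```

The `rst_if_reject` count is the number to watch when deciding between a reject and a drop rule: the random-port flood would make a rejecting host emit one RST per incoming SYN, while the targeted flood against an open port produces none, so the drop rule that stopped the first stage buys nothing against the second, which is the point Steenbergen makes.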