Date: Fri, 20 Jul 2001 03:19:41 +0200
From: Walter Hop <walter@binity.com>
To: Robert Hough <rch@acidpit.org>
Cc: freebsd-isp@freebsd.org
Subject: Re[2]: What do you do about DoS attacks?
Message-ID: <11067807702.20010720031941@binity.com>
In-Reply-To: <20010719084853.A98826@acidpit.org>
References: <17810514298.20010719112448@binity.com> <20010719084853.A98826@acidpit.org>
[in reply to rch@acidpit.org, 19-07-2001]

Thank you for your good reply to my post :)

I have been able to capture some of the malicious traffic:

01:25:10.885919 205.114.189.220.1028 > 213.239.135.226.80: S 4284658201:4284658201(0) win 16384 <mss 1460,nop,[bad opt]> (DF)
01:25:10.885929 24.248.173.190.1058 > 213.239.135.226.80: S 926436216:926436216(0) win 16384 <mss 1460,nop,[bad opt]> (DF)
01:25:10.885936 205.191.138.167.1111 > 213.239.135.226.80: S 1070972984:1070972984(0) win 16384 <mss 1460,nop,[bad opt]> (DF)

The packets all have a bad TCP header option in common. A quick dump of normal traffic shows no sign of these packets, and I can't think of a legitimate use for these packets.

So, now I only have to convince my upstream provider that these packets need to be dropped -- I hope that Juniper routers have a means for this. The upstream can't be arsed to devote much time to this issue, so I'll have to give them clear instructions on how to do this... Ah well, that's a project for tomorrow.

Thanks anyway. :)

walter

--
Walter Hop <walter@binity.com> | +31 6 24290808 | Finger for public key
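The `[bad opt]` marker in the tcpdump lines above means the TCP options field could not be parsed: an option's length byte is below 2 or points past the end of the header. The following added example (not from the mail or from tcpdump) walks a TCP options field with the same rule, so a capture-processing script can flag such SYNs before asking an upstream to filter them. The mail does not show the raw option bytes, so both sample option strings here are constructed.

```python
import struct

# TCP option kinds named as tcpdump names them; others are shown as "opt-N".
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}


def parse_tcp_options(opts: bytes) -> list:
    """Return a tcpdump-style list of the options in a TCP options field.

    Walks kind/length/value triples. An option whose length byte is < 2
    (it could not even hold its own kind and length bytes) or whose length
    runs past the end of the field is reported as "[bad opt]" and parsing
    stops there, the same way tcpdump gives up on malformed options.
    """
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end-of-option-list: one byte, done
            out.append("eol")
            break
        if kind == 1:                       # nop: one byte, no length field
            out.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts):              # kind byte present but no length byte
            out.append("[bad opt]")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            out.append("[bad opt]")
            break
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:       # mss carries a 16-bit value
            out.append("mss %d" % struct.unpack("!H", body)[0])
        else:
            out.append(OPTION_NAMES.get(kind, "opt-%d" % kind))
        i += length
    return out


def has_bad_option(opts: bytes) -> bool:
    """True if the options field is malformed, i.e. tcpdump would print [bad opt]."""
    return "[bad opt]" in parse_tcp_options(opts)


# Constructed sample resembling the captured SYNs: mss 1460, nop, then an
# option (kind 3) whose length byte is 0, which is never valid.
SUSPECT_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 3, 0])
# Constructed sample of an ordinary SYN: mss 1460, nop, wscale 0, nop, nop, sackOK.
NORMAL_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 0, 1, 1, 4, 2])
```

Run over the options field of each SYN in a capture, `has_bad_option` separates the malformed packets from normal ones without touching addresses, so it gives a behavioural criterion to describe to the upstream rather than a list of sources.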
