Date: Wed, 29 Mar 2000 13:33:24 +1000 (EST)
From: Enno Davids <nconedd@peppermint.national.com.au>
To: danny@FreeBSD.ORG (Daniel O'Callaghan)
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: DoS attacks
Message-ID: <200003290333.NAA29456@peppermint.national.com.au>
In-Reply-To: <Pine.BSF.4.10.10003291232030.24830-100000@enya.clari.net.au> from Daniel O'Callaghan at "Mar 29, 0 12:41:22 pm"
|earlier Danny wrote:
|
| Does anyone know a URL for technical info on the recent DoS on Yahoo! etc.
| The reports I've found all refer to "floods of packets", but don't say
| whether they were TCP SYN or SYN/ACK or what.

There are various analyses of these attacks around. The tools have split into
three development streams (like all the best open source projects do!) under
the names stacheldraht, trinoo and tfn. For some discussion and a
comprehensive set of links have a look at:

http://securityportal.com/direct.cgi?/research/ddosfaq.html
http://securityportal.com/ddos/

| GlobalCenter, who look after the Yahoo! facilities managed to do something
| to quell the attack, but it took them a few hours. Anyone know what they
| did? I use GlobalCenter Melbourne, myself, so I'll ask the techs there if
| they can find out, too.

Generally the thing that distinguishes these attacks is that they don't need
to moderate load on the attacking systems, given that they use so many
(usually compromised) systems to mount the attacks. Hence the attacks tend to
eschew easily filtered things like large pings and SYN attacks in favour of
things that look like real traffic. The challenge then is to identify DoS
traffic and filter it as close to the source as possible. Because the attacks
tend to originate at lots of systems distributed around the net, simple
filtering will not work to stop them.

| Can anyone share the steps they have taken to limit the effect of these
| attacks on their own facilities.

There's not a lot you _can_ do. Essentially it looks like real traffic, can
pound on any legitimate service you expose and simply overwhelms your
capacity to respond. In fact, it can in extremis even hit services you don't
expose and simply use up all your bandwidth in packets which bounce off your
packet filter/firewall.

The real fix is for everyone to make sure their sites are secure.
These attacks are all built on compromising other people's systems as
platforms to launch the attack on third parties. The victim is attacked by
systems which have themselves been hijacked to that purpose, and hence the
real fix is to prevent the hijacking to begin with.

Enno.
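The point Enno makes above, that a distributed flood of legitimate-looking traffic defeats simple per-source filtering, is easy to see on a small model. The following is an added example, not code from the original message or from any of the tools it names. All flow records are constructed (RFC 5737 documentation addresses), and the thresholds and baselines are assumptions chosen to make the contrast visible, not tuned values.

```python
"""Per-source rate limits versus a distributed flood.

Added example, not from the original message. All flow records below are
constructed (RFC 5737 documentation addresses); the thresholds are
assumptions chosen to make the contrast visible, not tuned values.
"""
from collections import Counter, defaultdict

SECONDS = 10  # length of the constructed observation window


def legitimate_traffic():
    """50 ordinary clients, each opening one connection per second to port 80."""
    return [(sec, f"192.0.2.{u + 1}", 80)
            for sec in range(SECONDS) for u in range(50)]


def single_source_flood(rate=500):
    """One host hammering port 80: the kind of flood a per-source rule catches."""
    return [(sec, "198.51.100.7", 80)
            for sec in range(SECONDS) for _ in range(rate)]


def distributed_flood(hosts=250, rate=2):
    """250 compromised hosts, each at a modest rate that looks like a real client."""
    return [(sec, f"203.0.113.{h + 1}", 80)
            for sec in range(SECONDS) for h in range(hosts) for _ in range(rate)]


def scenario_single():
    """Background traffic plus one loud attacker."""
    return legitimate_traffic() + single_source_flood()


def scenario_distributed():
    """Background traffic plus many quiet attackers (same total packet rate)."""
    return legitimate_traffic() + distributed_flood()


def per_source_offenders(records, threshold=50):
    """Sources exceeding `threshold` connections in any one second.

    This models a simple per-address rate limit or firewall rule."""
    per_sec = Counter((sec, ip) for sec, ip, _port in records)
    return sorted({ip for (_sec, ip), n in per_sec.items() if n > threshold})


def aggregate_anomalies(records, baseline_rate=50, baseline_sources=50, factor=3):
    """Seconds whose total connection rate or distinct-source count is more
    than `factor` times the assumed baseline, regardless of any single
    source's rate. Flags the flood but does not say which sources to drop."""
    by_sec = defaultdict(list)
    for sec, ip, _port in records:
        by_sec[sec].append(ip)
    return sorted(sec for sec, ips in by_sec.items()
                  if len(ips) > factor * baseline_rate
                  or len(set(ips)) > factor * baseline_sources)


if __name__ == "__main__":
    for name, recs in (("single source", scenario_single()),
                       ("distributed", scenario_distributed())):
        print(f"{name}: offenders={per_source_offenders(recs)} "
              f"anomalous seconds={aggregate_anomalies(recs)}")
```

Both scenarios deliver the same 550 connections per second to the victim. The single-source flood is caught by the per-source rule (198.51.100.7 stands out at 500/s), but in the distributed case no source ever exceeds 2/s, so that rule returns nothing; only the aggregate view (total rate and distinct-source count against a baseline) notices that anything is wrong, and even then it identifies the attack without identifying traffic that can be safely dropped.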
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200003290333.NAA29456>