
RE: [cobalt-security] SYN attacks killing me! Please HELP!



GF> Date: Tue, 23 Jul 2002 16:02:50 +0100
GF> From: Graeme Fowler


GF> But rather less of a DoS than being swamped, across an entire
GF> /19, with SYN packets to port 80 at the rate of >5000 per
GF> second. Trust me; I've experienced this recently and it
GF> wasn't nice... when >50% of your outbound traffic is web
GF> pages, that sort of thing hits home hard.

True.  That'll melt a RaQ any day even if the SYNs are legit. ;-)


GF> > Yes, I've used rate-limiting when no better alternative was
GF> > available.  I'd consider it a last resort, along with per-IP
GF> > blocking.
GF> 
GF> Likewise, as a last resort. Sometimes, however sadly, that's
GF> the easiest way to proceed. Especially when it's late at
GF> night and you're at home!

Yes.


GF> > Or run a TCP stack that isn't as vulnerable to this sort of
GF> > thing.  *shrug*  People demand Linux, they get Linux.[1]
GF> 
GF> To be honest, when it gets to the realms of real[0] DoS/DDoS
GF> attacks, the IP stack you use makes no difference at all. If
GF> they're being orchestrated and run properly[1] then you could
GF> have the rhino-hide IP stack and it will still succumb.

GF> [0] Definitions differ here. For me, anything which affects
GF>     the normal operation of my network, or affects my clients
GF>     in a "significant" manner is a real attack
GF> [1] Again, properly can be interpreted in different ways.

Agreed.  With something this large, it's time to contact one's
provider(s) for some backtracing.

In the interim... if the attacked host is going to be down no
matter what... when an attack is bandwidth-hungry, it's handy to
be able to advertise a /32 with special "null-route this, please"
community to one's upstream(s).  If you're going to be offline,
you may as well save bandwidth.


GF> Yesterday some colleagues and I had a brief flight-of-fancy
GF> into the land of making keyboards melt with IP traffic, if
GF> only we could accurately trace down the little swine who do
GF> this sort of stuff... but that's just pure Wolkenkuckucksheim
GF> :)

"Wolkenkuckucksheim"... fetzig Wort. :-)


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
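
Added example, not part of the original message: a customer-side sketch of the "advertise a /32 with a null-route community" idea above, in Cisco IOS syntax. The AS numbers, addresses, route tag and community value are placeholders from documentation ranges; the real community is whatever one's upstream has published for this purpose, and the upstream must already accept /32s from inside one's own allocation.

```cisco
! Assumptions (all placeholders, not from the original message):
!   own AS          64511
!   upstream AS     64496, peer address 198.51.100.1
!   attacked host   192.0.2.10
!   upstream's "null-route this" community  64496:666
!
! Enter and display communities in AS:value form.
ip bgp-community new-format
!
! Only static routes carrying tag 666 are turned into blackhole
! announcements; every other static route is left alone.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 64496:666
route-map RTBH-TRIGGER deny 20
!
router bgp 64511
 neighbor 198.51.100.1 remote-as 64496
 ! Communities are not sent to a neighbor unless asked for.
 neighbor 198.51.100.1 send-community
 redistribute static route-map RTBH-TRIGGER
!
! During the attack: add the trigger route. The /32 is announced
! with the community, and the upstream discards traffic to the
! host at its edge instead of delivering it over one's own link.
ip route 192.0.2.10 255.255.255.255 Null0 tag 666
!
! After the attack: withdraw it again.
! no ip route 192.0.2.10 255.255.255.255 Null0 tag 666
```

Only the single attacked address is dropped; the rest of the covering prefix keeps its normal announcement and stays reachable.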
