> Date: Tue, 26 Mar 2002 19:05:30 -0800
> From: CJ Johnson <[EMAIL PROTECTED]>
(snipping throughout)

> We have enabled syncookies by default since the Qube-2 and
> RaQ-2. There is a slight increase in overhead under extreme

Thanks for clarifying. :-)

> You can use tcpdump to verify the alleged source of the flood.
> If you are being hit with a spoofed attack, you should see a
> TCP RST reply to your system's SYN-ACK. (Because the spoofed
> source didn't actually initiate the connection, it sends a
> reset, rather than continuing with data).

Good point. I neglected to so much as mention backscatter analysis. Note that, if the spoofed system is down, there will probably be no backscatter -- unless the impersonated, offline system is "behind" a [likely stateful] firewall that sends the RSTs.

> Finally, I would try to back trace the packets. Your upstream
> network ought to help if you can bypass the front line tech
> support (knowing the $$'s figure should help here). From there
> on, you get to enter service provider support hell.

Some providers are clueless and will simply say "email our inept 'security' department". Others know what to do and will help. YMWVW. (Your mileage _will_ vary widely.)

> Also, if you verify that the source address is spoofed, the spoofee may
> be interested in helping to hunt down the spoofer. After all,
> for every SYN you get and SYN-ACK you make, the spoofee gets an
> unexpected SYN-ACK on his network, and has to send a RST.

IIRC, www.caida.org has some nice papers on backscatter analysis.

> If you are still under attack and hit a roadblock tracing the
> packets, send another note. This is an area where friends of
> friends of friends can prove useful, and the Cobalt developer
> list is pretty well connected.

One might also try NANOG. See www.nanog.org for more info. With all due respect to these lists, the clue quotient is far higher on NANOG. I consider myself to be rather clued on *ix and routing, but I'm just a teeny little speck on NANOG. (The flip side to this is to post wisely, else get shredded or ignored.)
Looks like the origin ASN for www.obsidian-studios.com is AS3967. In my limited experience, Exodus pricing and service seem to vary with the sales rep. Beware the one who wants to charge you out the wazoo for simple things or things that are really part of standard service. Not sure how the C&W buyout affects things. I can guarantee you that EXDS has people watching NANOG. I'd be surprised if they didn't help out, assuming that you couldn't get anywhere with first-line support.

Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

_______________________________________________
cobalt-developers mailing list
http://list.cobalt.com/mailman/listinfo/cobalt-developers
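The backscatter check the thread describes (watch tcpdump for a RST answering your own SYN-ACK, and remember that an offline spoofed host sends nothing) can be turned into a small classifier. The following is an added example, not code from the list post or from Cobalt. It assumes the line format of a modern `tcpdump -nn 'tcp port 80'` run on the flooded server; the server address, the port and the capture text are constructed for the example, using RFC 5737 documentation addresses.

```python
"""Backscatter check for a suspected SYN flood, parsed from tcpdump text.

Added example, not code from the cobalt-developers post.  It assumes the
line format of a modern `tcpdump -nn 'tcp port 80'` run on the flooded host;
the capture below is constructed and uses RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

VICTIM = "198.51.100.10"   # assumed address of the flooded server
SERVICE_PORT = 80          # assumed service under attack

# Matches the start of lines such as:
#   19:05:30.000100 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: one spoofed source whose real owner answers our SYN-ACK
# with a RST (backscatter), one spoofed or offline source that never answers,
# one real client that completes the handshake, and one SYN the server never
# got round to answering.
CAPTURE = """\
19:05:30.000100 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
19:05:30.000200 IP 198.51.100.10.80 > 203.0.113.7.40001: Flags [S.], seq 1000, ack 2, win 5840, length 0
19:05:30.030000 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [R], seq 2, win 0, length 0
19:05:30.000300 IP 203.0.113.9.40002 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
19:05:30.000400 IP 198.51.100.10.80 > 203.0.113.9.40002: Flags [S.], seq 2000, ack 2, win 5840, length 0
19:05:30.100000 IP 192.0.2.33.51234 > 198.51.100.10.80: Flags [S], seq 77, win 65535, length 0
19:05:30.100100 IP 198.51.100.10.80 > 192.0.2.33.51234: Flags [S.], seq 3000, ack 78, win 5840, length 0
19:05:30.120000 IP 192.0.2.33.51234 > 198.51.100.10.80: Flags [.], ack 3001, win 65535, length 0
19:05:30.200000 IP 203.0.113.9.40003 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
"""


def parse_line(line):
    """Return src/sport/dst/dport/flags for one tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def classify(capture, victim=VICTIM, port=SERVICE_PORT):
    """Map each (source IP, source port) that sent us a SYN to a verdict."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"]
        if p["dst"] == victim and p["dport"] == port:      # inbound to the service
            key = (p["src"], p["sport"])
            if flags == "S":
                seen[key].add("syn")
            elif "R" in flags:
                seen[key].add("rst")
            elif "." in flags:                               # ACK-bearing segment
                seen[key].add("ack")
        elif p["src"] == victim and p["sport"] == port:    # our own reply
            key = (p["dst"], p["dport"])
            if flags == "S.":
                seen[key].add("synack")

    verdicts = {}
    for key, s in seen.items():
        if "syn" not in s:
            continue
        if "ack" in s and "rst" not in s:
            verdicts[key] = "genuine"               # handshake completed
        elif "synack" in s and "rst" in s:
            verdicts[key] = "spoofed-backscatter"   # RST to our SYN-ACK: spoofed, owner is up
        elif "synack" in s:
            verdicts[key] = "no-reply"              # spoofed and offline/filtered, or a slow client
        else:
            verdicts[key] = "unanswered"            # we never sent a SYN-ACK at all
    return verdicts


def summarize(verdicts):
    """Count verdicts; a large spoofed-backscatter share points at a spoofed flood."""
    return dict(Counter(verdicts.values()))


if __name__ == "__main__":
    for key, verdict in sorted(classify(CAPTURE).items()):
        print(f"{key[0]}:{key[1]} -> {verdict}")
    print(summarize(classify(CAPTURE)))
```

The "no-reply" bucket is the ambiguous one the reply above warns about: a spoofed address whose real host is down (or sits behind a firewall that silently drops the unexpected SYN-ACK) looks exactly like a slow legitimate client until a timeout passes, so only the RST backscatter count is positive evidence of spoofing.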