GF> Date: Tue, 23 Jul 2002 16:02:50 +0100
GF> From: Graeme Fowler

GF> But rather less of a DoS than being swamped, across an entire
GF> /19, with SYN packets to port 80 at the rate of >5000 per
GF> second. Trust me; I've experienced this recently and it
GF> wasn't nice... when >50% of your outbound traffic is web
GF> pages, that sort of thing hits home hard.

True. That'll melt a RaQ any day even if the SYNs are legit. ;-)

GF> > Yes, I've used rate-limiting when no better alternative was
GF> > available. I'd consider it a last resort, along with per-IP
GF> > blocking.
GF>
GF> Likewise, as a last resort. Sometimes, however sadly, that's
GF> the easiest way to proceed. Especially when it's late at
GF> night and you're at home!

Yes.

GF> > Or run a TCP stack that isn't as vulnerable to this sort of
GF> > thing. *shrug* People demand Linux, they get Linux.[1]
GF>
GF> To be honest, when it gets to the realms of real[0] DoS/DDoS
GF> attacks, the IP stack you use makes no difference at all. If
GF> they're being orchestrated and run properly[1] then you could
GF> have the rhino-hide IP stack and it will still succumb.

GF> [0] Definitions differ here. For me, anything which affects
GF>     the normal operation of my network, or affects my clients
GF>     in a "significant" manner is a real attack
GF> [1] Again, properly can be interpreted in different ways.

Agreed. With something this large, it's time to contact one's
provider(s) for some backtracing.

In the interim... if the attacked host is going to be down no
matter what... when an attack is bandwidth-hungry, it's handy to
be able to advertise a /32 with special "null-route this, please"
community to one's upstream(s). If you're going to be offline,
you may as well save bandwidth.

GF> Yesterday some colleagues and I had a brief flight-of-fancy
GF> into the land of making keyboards melt with IP traffic, if
GF> only we could accurately trace down the little swine who do
GF> this sort of stuff... but that's just pure Wolkenkuckucksheim
GF> :)

"Wolkenkuckucksheim"... fetzig Wort.
:-)

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
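
Added example, not part of the original message: the "null-route this, please" advertisement described above is easy to get wrong under pressure, so this sketch only emits the announcement for a single host inside one's own address space. The prefix, the community value 64500:666 and the ExaBGP-style command text are assumptions for illustration; the real community is whatever the upstream publishes.

```python
import ipaddress

# Assumptions (not from the original mail): a documentation prefix stands in
# for the address space we originate, and the community is a placeholder.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
BLACKHOLE_COMMUNITY = "64500:666"  # placeholder, use the upstream's value


def blackhole_command(victim, action="announce"):
    """Return an ExaBGP-style API line that null-routes one attacked host.

    Refuses anything that is not exactly one IPv4 host inside our own space,
    so a typo cannot blackhole a whole block or somebody else's address.
    """
    if action not in ("announce", "withdraw"):
        raise ValueError("action must be 'announce' or 'withdraw'")
    # strict=True rejects inputs such as 198.51.100.25/24 (host bits set)
    net = ipaddress.ip_network(victim, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"{victim}: only a single IPv4 /32 may be blackholed")
    if not any(net.subnet_of(p) for p in OUR_PREFIXES):
        raise ValueError(f"{victim}: not inside a prefix we originate")
    return (f"{action} route {net} next-hop self "
            f"community [{BLACKHOLE_COMMUNITY}]")


if __name__ == "__main__":
    # Constructed sample: announce while the attack lasts, withdraw afterwards.
    print(blackhole_command("198.51.100.25"))
    print(blackhole_command("198.51.100.25", action="withdraw"))
```

Withdrawing the /32 once the attack subsides restores normal routing for the host.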
