I have been the target of DoS attacks in the past. My ISP said they could not filter some of these, but eventually they did (Incompetance i think).
If a particular IP address is being targetted, make your ISP drop all packets with that destination IP address. Sure, that particular site may appear offline, but at least your T1 is useable again. A small price to pay, i think. You could install another T1 line, but if you use BGP4 routing, it is possible the attack could saturate both lines, which would be totally pointless. Hope this helps. Dan. -- Dan Irwin - Systems Administrator Jackie's Wholesale Nurseries Pty Ltd Email: [EMAIL PROTECTED] Phone: 07 3888 2481 Fax: 07 3888 2530 Postal: 10 Gleeson Road Burpengary Queensland 4505 Email: [EMAIL PROTECTED] Web: http://www.jackies.com.au -----Original Message----- From: Clinton McLeay [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 12 February 2002 11:24 PM To: [EMAIL PROTECTED] Subject: Denial of service question. Hello, here's my question for all of you guys and gals.. We have a single T1 line to the Internet that we use to host web pages and such. Lately one of our computers has started getting a LOT of traffic (from random ip's and on different ports, with tcp and udp). The router we have is just a 2500 series Cisco which we DON'T have access to, however the upstream provider will put in rules for us. The denial of service sometimes goes on for a couple of days, and our upstream says that there is *NOTHING* they can do to help us block this, they suggest we set up a firewall, which we HAVE, but its on our side of the T1 router... So if 1.5M is flooding in basically we are out of luck. The question I have is: Is there any way to help this situation? How possible is it for us to put a firewall BEFORE the T1 line to block all of this before it hits our poor little line, or would this even help? I don't know if this would even be possible? Is there some sort of way we can have a fallback line incase this happens, and just move all of our ip addresses over to another t1 while this is happening to this one computer, so its only getting attacked and not EVERY server we have on that line? Any help would be great! -Clinton
