Hello,

It would be much better to fight the root cause and force every ISP in
the world to block forged packets. For example with unified reverse path
checks facing the customers. OK, I'm just kidding ...

Unfortunately there is no direct benefit for the implementing ISPs
because it helps all others. But we can start in the "SWINOG" community
and make it better.

Maybe we can talk about this at our next meeting? Because I think the
number of DoS attacks is increasing. After the last two presentations
about Netflow capturing I guess SWITCH has the space and the cluster to
calculate some numbers ;-)

What do you think about an open discussion at the next meeting?

Regards
Erich
On Friday, 11.04.2008, at 16:56 +0200, Schenkel Martin wrote:
>
> Well, the only good solution to this ugly attack is to do what Goetz
> suggested: as an ISP, inbound filter the offending IP address. This is what we
> did several hours ago and all is fine since then.
>
> Firewalls of all types of models have/had issues with this attack. On some you
> might be able to turn on a SYN flood attack feature which will then blacklist
> the IP locally on the firewall.
>
> Martin
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:swinog-
> > [EMAIL PROTECTED] On Behalf Of Olivier Mueller
> > Sent: Friday, 11 April 2008 16:05
> > To: [EMAIL PROTECTED]
> > Subject: Re: [swinog] fw change on bluewin adsl accounts today?
> >
> > re,
> >
> > On Fri, 2008-04-11 at 15:16 +0200, Erich Hohermuth wrote:
> > > We also have a few customers complaining about connection troubles, most
> > > of them have a ZyWALL. After some netflow debugging we see many port 80
> > > SYN connections, which seem to be the cause of the troubles.
> >
> > Thanks for the feedback Erich! In the meantime, the Bluewin hot-line
> > called back (yes, I know, I couldn't believe it either :-)) but they had
> > no special information: they just confirmed nothing happened this night
> > about the setup.
> >
> > Asking on #swinog (irc) helped a bit more: it seems some other people
> > had the same problem, and as a solution the suggestion was: "if you do
> > NAT on Zyxel router please consider to close port 80 or block the IP
> > 212.224.127.14" (thx Claudio).
> >
> > I did that on the routers (by luck a good old isdn-based dial-in was
> > available everywhere), and now everything looks stable. To be
> > continued... ?
> >
> > regards,
> > Olivier
> >
> > _______________________________________________
> > swinog mailing list
> > [email protected]
> > http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
--
* Erich Hohermuth IP Engineer - SolNet (AS 9044) PGPKEY-46A08FCB *
* phone: +41 32 517 6220 / sip:[EMAIL PROTECTED] *