
| Subject: | RE: DOS Attack? |
|---|---|
| Date: | Mon, 29 Nov 2004 10:48:11 -0800 |
It's awkward. For efficiency, you'd like "established" to be as close to the top of the list as possible. To block this kind of traffic, you need to block it ahead of the "established". The only/correct solution is to use a "real" stateful firewall, instead of just a packet filter.

David Gillett
-----Original Message-----
From: Shawn Wall [mailto:sjwall@shaw.ca]
Sent: Monday, November 29, 2004 10:05 AM
To: gillettdavid@fhda.edu
Subject: RE: DOS Attack?

Hi David. Thanks for your reply. I wanted to follow up on point number 1. In fact, this is exactly the type of traffic I see during the outage. Do you know of a way to defeat this? Thanks.

shawn

-----Original Message-----
From: David Gillett [mailto:gillettdavid@fhda.edu]
Sent: Monday, November 29, 2004 10:28 AM
To: 'Shawn Wall'; security-basics@securityfocus.com
Subject: RE: DOS Attack?

1. If you have "established" in your ACL, it will allow in any TCP packet that doesn't just have the SYN flag set. I've seen nasty traffic send only RST packets to get the traffic past an ACL...

2. DoS attacks often rely on resource starvation, and the easiest resource to consume is bandwidth. If I were to send you more traffic than your pipe could carry, packets would have to be lost -- even if you were dropping all of my traffic when it reached your ACL. And if packets are being dropped at the upstream end of your pipe, there can be good odds that legitimate connections originating from your network never receive their answers....

David Gillett

-----Original Message-----
From: Shawn Wall [mailto:sjwall@shaw.ca]
Sent: Wednesday, November 24, 2004 6:23 PM
To: security-basics@securityfocus.com
Subject: DOS Attack?

Hi List,

I'm currently experiencing network outages due to what appears to be DOS attacks. I'm running a wireless ISP using a Cisco 2611 and CBAC and I have a /24 public address range. During the outage I can see traffic from a single external host sending thousands of packets to a single internal host. I don't have port 80 inbound open in my ACLs so I don't understand how the external host is even able to contact the internal host to begin with. Secondly, how is it possible for an attack on 1 internal host to cripple the rest of my network? Any feedback would be welcome. Thanks.

shawn