Security Incidents: Re: DoS attack... what to do?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: DoS attack... what to do?

From: "Bernie Cosell" <bernie () fantasyfarm com>
Date: Tue, 04 Jan 2005 18:04:03 -0500

On 4 Jan 2005 at 16:44, Mark C wrote:

1) Netsky's 5556 is TCP, so I'd fire up netcat or something and see if 
actual 3-way handshakes happen.  If yes, then it's much less likely that 
it's someone out in the world spoof SYNflooding you.  If no, then I'd 
treat this as a SYNflood and trace backwards through the ISP, you'll 
probably find it's coming from far fewer sources than you think.


How do you do this?  If the packets coming in have forged source-IP 
addresses, how do you trace them backwards?

  /Bernie\

-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie () fantasyfarm com     Pearisburg, VA
    -->  Too many people, too few sheep  <--

By Date By Thread

Current thread:

DoS attack... what to do? Nigel Kukard (Jan 04)
- Re: DoS attack... what to do? falcon (Jan 04)
- Re: DoS attack... what to do? Faisal Khan (Jan 04)
- Re: DoS attack... what to do? Mark C (Jan 04)
  - Re: DoS attack... what to do? Bernie Cosell (Jan 04)
    - Re: DoS attack... what to do? Jose Nazario (Jan 05)
- <Possible follow-ups>
- RE: DoS attack... what to do? Shaffer, Bruce (Jan 04)
  - Re: DoS attack... what to do? Steve Friedl (Jan 04)
    - RE: DoS attack... what to do? Craig Skelton (Jan 05)
    - Re: DoS attack... what to do? Alvin Oga (Jan 05)