Security Incidents mailing list archives

Re: DDoS Attacks....


From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Tue, 14 Nov 2000 01:50:16 -0500

Here's a quickie doc for admins/etc. under the gun which I thought might come in handy. It's not a read-me or FAQ, just a slew of commands and configs for all types of routers/firewalls to either slow down or stop Denial of Service attacks.

www.antioffline.com/stoppingdos.html

------Original Message------
From: James Kelty <james () TUNA ORG>
To: INCIDENTS () SECURITYFOCUS COM
Sent: November 13, 2000 11:12:40 PM GMT
Subject: DDoS Attacks....


Hello,

I seem to be under a DDoS attack at the moment. I received these logs
from my firewall:

<SNIP>

 488. 2000-11-13 14:49:24 ATTACK ALARM:  ICMP Flood from 207.100.65.30 to 209.10.46.156 prot 1 (untrust)
 489. 2000-11-13 14:49:24 ATTACK ALARM:  ICMP Flood from 206.222.103.134 to 209.10.46.156 prot 1 (untrust)
 490. 2000-11-13 14:49:23 ATTACK ALARM:  ICMP Flood from 149.39.250.1 to 209.10.46.156 prot 1 (untrust)
 491. 2000-11-13 14:49:23 ATTACK ALARM:  ICMP Flood from 134.174.9.41 to 209.10.46.156 prot 1 (untrust)
 492. 2000-11-13 14:49:23 ATTACK ALARM:  ICMP Flood from 198.59.162.254 to 209.10.46.156 prot 1 (untrust)
 493. 2000-11-13 14:49:23 ATTACK ALARM:  ICMP Flood from 209.11.133.190 to 209.10.46.156 prot 1 (untrust)
 494. 2000-11-13 14:49:23 ATTACK ALARM:  ICMP Flood from 4.24.80.18 to 209.10.46.156 prot 1 (untrust)
 495. 2000-11-13 14:49:22 ATTACK ALARM:  ICMP Flood from 204.89.131.10 to 209.10.46.156 prot 1 (untrust)
 496. 2000-11-13 14:49:22 ATTACK ALARM:  ICMP Flood from 209.11.133.189 to 209.10.46.156 prot 1 (untrust)
<SNIP>


It seems that there are several IPs that these are coming from, all at
once (hence the DDoS).  The thing is that the firewall that they are
hitting is just a NAT firewall for outbound traffic via SMTP, and NO
incoming traffic should go that way.  It is not really hurting me at the
moment, but when someone figures out what they are doing, this could be bad.

Any advice? Other than making sure that all my firewalls do not allow
ICMP traffic (Done!).


Thanks!

-James

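The alarm lines quoted in the message above can be grouped per target to confirm that many distinct sources hit one address within the same second or two. This is an added example, not part of the original thread: the sample lines are constructed in the same alarm format with documentation-range addresses, and the function names and the `min_sources` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the alarm format quoted above (documentation-range
# addresses, not the logged ones); the first two entries are line-wrapped.
SAMPLE = """\
 101. 2000-11-13 14:49:24 ATTACK ALARM:  ICMP Flood from 192.0.2.10
to 203.0.113.5 prot 1 (untrust)
 102. 2000-11-13 14:49:24 ATTACK ALARM:  ICMP Flood from 198.51.100.7 to
203.0.113.5 prot 1 (untrust)
 103. 2000-11-13 14:49:23 ATTACK ALARM:  ICMP Flood from 192.0.2.44 to 203.0.113.5 prot 1 (untrust)
 104. 2000-11-13 14:49:23 ATTACK ALARM:  ICMP Flood from 192.0.2.10 to 203.0.113.5 prot 1 (untrust)
 105. 2000-11-13 14:49:22 ATTACK ALARM:  ICMP Flood from 198.51.100.7 to 203.0.113.9 prot 1 (untrust)
"""

ALARM = re.compile(
    r"(?P<seq>\d+)\.\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+ATTACK ALARM:\s+"
    r"(?P<kind>[A-Za-z ]+?) from (?P<src>\S+) to (?P<dst>\S+) prot (?P<prot>\d+) \((?P<zone>\w+)\)"
)

def parse_alarms(text):
    """Yield one dict per alarm; whitespace is collapsed first so entries
    wrapped across lines (as mail clients do) still match."""
    flat = " ".join(text.split())
    for m in ALARM.finditer(flat):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        yield rec

def summarize(text, min_sources=3):
    """Per target: alarm count, distinct sources, time span, distributed flag."""
    by_dst = defaultdict(list)
    for rec in parse_alarms(text):
        by_dst[rec["dst"]].append(rec)
    report = {}
    for dst, recs in by_dst.items():
        sources = sorted({r["src"] for r in recs})
        times = [r["ts"] for r in recs]
        report[dst] = {
            "alarms": len(recs),
            "sources": sources,
            "span_seconds": (max(times) - min(times)).total_seconds(),
            # min_sources is an assumed threshold, tune it per site
            "distributed": len(sources) >= min_sources,
        }
    return report
```

Calling `summarize(SAMPLE)` returns one entry per destination address; the same function accepts a pasted firewall log in this format.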

