[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: F9 DOS attack



Dave Feustel wrote:
On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
hi dave...

just saw this thread. are you running a static ip on your external internet
connection. if you aren't, you could simply force the cable modem to reset
to another ip address..

I tried reseting the cable modem but I'm not sure it changes my ip
address.
you might have to work with comcast tech support to accomplish this. (get a
2nd/3rd level guy who actually knows/wants to help you out)

I'm going to try to talk with them about this tomorrow.
if you've already done this, has it managed to slow the offender down?

No. But the attack had ceased when I got up this morning.
do you have a router connected to the cable modem? does it log the ip
addresses of the offending client?

I use pf with a block all incoming rule. I don't see any traffic with
pftop, but I saw a lot of incoming packets by observing the leds on my
cable modem. It's pretty clear to me that both F9 and Suse11 are
vulnerable to attack from the internet. I'm starting to get very
interested in linux security and preventing dos attacks.

ANYTHING connected to the internet is vulnerable to attack, be it SYN
floods, brute force SSH attempts, any number of others.  Wait till you
get a DC++ attack!  The only way to block that sucker is to do a deep
packet inspection of the payload and drop the connections or find the
hub that has you listed and kill it somehow.

It's totally irrelevant what OS you run, it's an attack against the
interface.  Different OSes handle it differently.  It's best to have a
hardware firewall out front, but then internal software firewalls like
iptables are your second level of defense.  Next is making sure only
the network "listeners" you NEED are enabled.  I manage a network
that seems to have a big, red target painted on it.  I deal with this
all the time.  Thank goodness for our Cisco, Foundry and Radware gear
out front!  They block most of it, the rest we deal with via iptables
and we monitor EVERYTHING (my cell phone has almost melted on occasion
from the SMS text alerts when a DOS is attempted).

As to your problem, Comcast's first level techs (and I'm being generous
using that term) are notoriously crappy as far as solving problems.
They're not much more than telemarketers and work off a script. Ask them
something off script and they're at sea.  Can't say Time Warner is much
better.  One problem I had with them:

Me: "I'm not getting a DHCP address from you, your DHCP servers are down."
Them: "Which OS?"
Me: "Linux."
Them: "Oh, we don't support Linux."
Me: "DHCP is DHCP you twit.  The OS has nothing to do with it!  Let me
talk to a level 3 tech."
(this went on for about five minutes, I threatened dire vengeance,
then I got a level 3 guy [skipped level 2, they're idiots, too])
Level3Guy: "What's the problem?"
Me: "You're not giving out DHCP addresses.  Your servers are down."
L3G: "I don't think so."
Me: "Dude, I'm watching a tcpdump of it.  I'm sending requests and
you're not answering.  No denials, no responses, nada."
L3G: "Let me check."
(long pause)
L3G: "Yeah, six of them crashed."
Me: "You don't monitor that sort of thing?"
L3G: "Uh, guess not."
Me: "ARRRRRRGGGGGHHHHHHH!"

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks nerd com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-               If the enemy's in range...so are you!                -
----------------------------------------------------------------------


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]