[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: F9 DOS attack



hey rick...

are you the same rick, who used to work with a company in san mateo.. that
used to deal with akamai...



-----Original Message-----
From: fedora-list-bounces redhat com
[mailto:fedora-list-bounces redhat com]On Behalf Of Rick Stevens
Sent: Wednesday, November 26, 2008 10:18 AM
To: Community assistance, encouragement,and advice for using Fedora.
Subject: Re: F9 DOS attack


Dave Feustel wrote:
> On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
>> hi dave...
>>
>> just saw this thread. are you running a static ip on your external
internet
>> connection. if you aren't, you could simply force the cable modem to
reset
>> to another ip address..
>
> I tried reseting the cable modem but I'm not sure it changes my ip
> address.
>
>> you might have to work with comcast tech support to accomplish this. (get
a
>> 2nd/3rd level guy who actually knows/wants to help you out)
>
> I'm going to try to talk with them about this tomorrow.
>
>> if you've already done this, has it managed to slow the offender down?
>
> No. But the attack had ceased when I got up this morning.
>
>> do you have a router connected to the cable modem? does it log the ip
>> addresses of the offending client?
>
> I use pf with a block all incoming rule. I don't see any traffic with
> pftop, but I saw a lot of incoming packets by observing the leds on my
> cable modem. It's pretty clear to me that both F9 and Suse11 are
> vulnerable to attack from the internet. I'm starting to get very
> interested in linux security and preventing dos attacks.

ANYTHING connected to the internet is vulnerable to attack, be it SYN
floods, brute force SSH attempts, any number of others.  Wait till you
get a DC++ attack!  The only way to block that sucker is to do a deep
packet inspection of the payload and drop the connections or find the
hub that has you listed and kill it somehow.

It's totally irrelevant what OS you run, it's an attack against the
interface.  Different OSes handle it differently.  It's best to have a
hardware firewall out front, but then internal software firewalls like
iptables are your second level of defense.  Next is making sure only
the network "listeners" you NEED are enabled.  I manage a network
that seems to have a big, red target painted on it.  I deal with this
all the time.  Thank goodness for our Cisco, Foundry and Radware gear
out front!  They block most of it, the rest we deal with via iptables
and we monitor EVERYTHING (my cell phone has almost melted on occasion
from the SMS text alerts when a DOS is attempted).

As to your problem, Comcast's first level techs (and I'm being generous
using that term) are notoriously crappy as far as solving problems.
They're not much more than telemarketers and work off a script. Ask them
something off script and they're at sea.  Can't say Time Warner is much
better.  One problem I had with them:

Me: "I'm not getting a DHCP address from you, your DHCP servers are down."
Them: "Which OS?"
Me: "Linux."
Them: "Oh, we don't support Linux."
Me: "DHCP is DHCP you twit.  The OS has nothing to do with it!  Let me
talk to a level 3 tech."
(this went on for about five minutes, I threatened dire vengeance,
then I got a level 3 guy [skipped level 2, they're idiots, too])
Level3Guy: "What's the problem?"
Me: "You're not giving out DHCP addresses.  Your servers are down."
L3G: "I don't think so."
Me: "Dude, I'm watching a tcpdump of it.  I'm sending requests and
you're not answering.  No denials, no responses, nada."
L3G: "Let me check."
(long pause)
L3G: "Yeah, six of them crashed."
Me: "You don't monitor that sort of thing?"
L3G: "Uh, guess not."
Me: "ARRRRRRGGGGGHHHHHHH!"

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks nerd com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-               If the enemy's in range...so are you!                -
----------------------------------------------------------------------

--
fedora-list mailing list
fedora-list redhat com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]