> On Thu, Jan 09, 2003 at 10:21:52AM -0800, Josh Brooks wrote: > > > > But, I am concerned ... I am concerned that the attacks will simply > > change/escalate to something else. > > > > If I were a script kiddie, and I suddenly saw that all of my garbage > > packets to nonexistent ports were suddenly being dropped, and say I nmap'd > > the thing and saw that those ports were closed - what would my next step > > be ? Prior to this the attacks were very simply a big SYN flood to random > > ports on the victim, and because of the RSTs etc., all this traffic to > > nonexistent ports flooded the firewall off. > > > > So what do they do next ? What is the next step ? The next level of > > sophistication to get around the measures I have put into place (that have > > been very successful - I have an attack ongoing as I write this, and it > > isn't hurting me at all) > > You're very right, thats exactly what they will do. Many frequent DoS > victims find it easier to leave open a hole so they can die easily, rather > than risk the attacks escalating and taking out other parts of the network > or services, other customers, etc. > > Obviously the next step would be for them to move to SYN flooding only the > ports of the service they are trying to kill, rather than random ports (if > they were smart or motivated by anything other than "I'll keep changing > numbers until they go down again" they would be doing that already). The > next step would be ACK floods so you can't even keep already established > flows up during the attack (though if its a quick connect/disconnect > service like http it wouldn't matter). The next step would be attacking > the routers near the victim... Etc etc etc. Don't panic. This is headache of his upstrim provider or his client under attack. His goal - as stated in question - to protect router - is solveable
But you are right - global problem is not solveable that easy To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
