Greetings all,
Has anyone had this happen yet?
During a SYN flood attack, an attacker can attempt to saturate your link to/from the
Internet by sending spoofed SYN packets to your edge router. If the attacker has more
bandwidth at his/her disposal than you, then the DoS is due to link saturation. In
such a case, one's only defense is to contact the upstream service provider (AT&T,
Sprint or whoever you use) and ask them to filter requests on the port and IP being
attacked. This will open the link back up to normal traffic on all but the ports
being attacked. SYN floods last anywhere from several minutes to several weeks,
depending on how ferocious the attack is and how good the attacker is. Since the nature
of these attacks is that the originating IP can be spoofed, there is no reliable way
to trace back to the attacker. A firewall can drop the SYN packets (if it is capable
of SYN proxy), protecting your server from the DoS, but if your link is saturated, this
may not be enough. IMail's web server, specifically, can barely handle a minimal
load, much less a well-orchestrated SYN attack (a firewall is absolutely mandatory these
days, especially when IMail is in the mix, but it will _not_ help if your link is
saturated by a conversation existing between your router and the attacker).
If you are running an IMail server (an easily identifiable and high-probability
target) and the attack is on one of your critical ports, like 25, 110, 80, or 443,
then you have to call the upstream provider and have them filter on the port being
attacked. This means that no one on the Internet will be able to hit the ports that
are blocked.
This is becoming a very common attack. Two of our high-end 45 meg DS-3 customers were
recently attacked in this way. Their DS-3s were saturated by SYN packets. By some
lucky chance, the attack was to ports that were not being used, and because of this it
was easy to call the upstream provider and have them block the ports to the IP being
attacked, freeing the link from saturation. The attack lasted 18 days.
The question is this: if the attacker sent the SYN flood to important ports, say 25
and 80, and the only defense was to block access to these ports way upstream, how
could you get back online quickly? You could receive mail on your backup MX, but you
could not send mail (because the block is bidirectional... you'd have to loop all
outgoing mail through another IMail server on another IP, I suppose), nor could you use
POP if the attack was on 110. Has anyone been through this yet, and if so, what
creative methods did you use to defend yourself?
Dave
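The post above describes the decision a defender has to make quickly during a flood: which IP/port pair is actually being hit, so the upstream provider can be asked to filter exactly that and nothing else. The script below is an added example, not part of Dave's message or of IMail; it runs over a constructed capture in tcpdump's one-line format (RFC 5737 documentation addresses, a hypothetical mail server at 198.51.100.10) and flags ports that show the signature the post describes: a high SYN count from many distinct sources, almost none of which ever complete the handshake. The thresholds are assumptions to tune for your own link, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample capture (tcpdump one-line format) using RFC 5737 documentation
# addresses; not from any real incident. 198.51.100.10 is the hypothetical mail server,
# 192.0.2.0/24 are legitimate clients, 203.0.113.0/24 are spoofed flood sources.
SERVER = "198.51.100.10"
SAMPLE_LINES = []
for i in range(1, 6):  # five complete three-way handshakes to port 80
    client, sport = f"192.0.2.{i}", 50000 + i
    SAMPLE_LINES.append(f"IP {client}.{sport} > {SERVER}.80: Flags [S], seq 1, win 65535")
    SAMPLE_LINES.append(f"IP {SERVER}.80 > {client}.{sport}: Flags [S.], seq 1, ack 2, win 65535")
    SAMPLE_LINES.append(f"IP {client}.{sport} > {SERVER}.80: Flags [.], ack 2, win 65535")
for i in range(200):  # 200 bare SYNs to port 25 from 200 distinct sources, no ACK ever follows
    SAMPLE_LINES.append(f"IP 203.0.113.{i + 1}.{1024 + i} > {SERVER}.25: Flags [S], seq 1, win 512")

PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return src/sport/dst/dport/flags for a tcpdump TCP line, or None if it does not match."""
    m = PKT_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def summarize(lines):
    """Per (server_ip, port): SYNs seen, distinct SYN sources, and sources that
    completed the handshake (sent the third-step pure ACK after their SYN)."""
    syns = defaultdict(int)
    sources = defaultdict(set)
    completed = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":  # bare SYN toward the server port
            syns[key] += 1
            sources[key].add(pkt["src"])
        elif pkt["flags"] == "." and pkt["src"] in sources[key]:  # ACK from a host that sent a SYN
            completed[key].add(pkt["src"])
    return {
        k: {"syns": syns[k], "unique_sources": len(sources[k]), "completed": len(completed[k])}
        for k in syns
    }


def flagged_ports(lines, min_syns=50, max_completion=0.2, min_sources=20):
    """IP/port pairs with a high SYN volume, a low handshake-completion ratio and widely
    spread sources: the pattern of spoofed SYNs. Thresholds are assumed, not from the post."""
    flagged = []
    for key, s in summarize(lines).items():
        completion = s["completed"] / s["syns"]
        if s["syns"] >= min_syns and completion <= max_completion and s["unique_sources"] >= min_sources:
            flagged.append(key)
    return sorted(flagged)


def upstream_filter_request(flagged):
    """The exact pairs to hand to the upstream provider, so only the attacked port is
    filtered and the rest of the link stays open."""
    return [f"filter inbound TCP to {ip} port {port}" for ip, port in flagged]


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LINES).items():
        print(key, stats)
    for request in upstream_filter_request(flagged_ports(SAMPLE_LINES)):
        print(request)
```

Feed real lines with `tcpdump -n -l tcp` piped into `summarize` (or saved to a file and read) and the output is the short list to give the provider; the completion ratio is what separates a flood from a legitimate burst, since real clients finish the handshake while spoofed sources never see the SYN-ACK.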
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/