I recently (per the suggestion of Roger on this list) tested ISS BlackIce on one of our utility servers and then installed their server version. What an eye-opener to the hacks hitting our servers. I have installed it on all now. It is not a cure-all but has certainly helped, and can auto-block certain attacks. To understand the .ini files I finally found out you must review their older documentation, version 2.9, to get a complete picture. I am not so sure it will help with SYN or ping flood as described, but think it worth the investment for helping with inbound security. There are some bad write-ups about it from Steve Gibson (well deserved, BTW), whereas they appeared to have deliberately bypassed his popular leak test; however, if you understand the product for what it does and does not do, then you are OK. I like it for our servers and am also a Zone Alarm Pro user too, but prefer that for workstations.
-Don S.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Heath
Sent: Monday, January 20, 2003 6:39 PM
To: Dave Marchette
Subject: Re: [IMail Forum] syn flood, Imail and service providers.

Reply to: Dave Marchette
Re: [IMail Forum] syn flood, Imail and service providers. on Monday 5:12:02 PM

Yes. I would not run Imail without ISS Real Secure or the original Black Ice Server protection. It can block library attacks and almost all common server attacks automatically. It's not very expensive either.

See: http://blackice.iss.net/product_server_protection.php

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com

----- Copy of Original Message(s): -----

D> Greetings all,
D>
D> Has anyone had this happen yet?
D>
D> During a SYN flood attack, an attacker can attempt to saturate your link to/from the Internet by sending spoofed SYN packets to your edge router. If the attacker has more bandwidth at his/her disposal than you, then the DoS is due to link saturation. In such a case, one's only defense is to contact the upstream service provider (AT&T, Sprint or whoever you use) and ask them to filter requests on the port and IP being attacked. This will open the link back up to normal traffic on all but the ports being attacked. SYN floods last anywhere from several minutes to several weeks, depending on how ferocious the attack is and how good the attacker is. Since the nature of these attacks is that the originating IP can be spoofed, there is no reliable way to trace back to the attacker. A firewall can drop the SYN packets (if it is capable of SYN proxy), protecting your server from the DoS, but if your link is saturated, this may not be enough.
D>
D> Imail's web server, specifically, can barely handle a minimal load, much less a well-orchestrated SYN attack (a firewall is absolutely mandatory these days, especially when Imail is in the mix, but it will _not_ help if your link is saturated by a conversation existing between your router and the attacker).
D>
D> If you are running an Imail server (an easily identifiable and high-probability target) and the attack is on one of your critical ports, like 25, 110, 80, or 443, then you have to call the upstream provider and have them filter on the port being attacked. This means that no one on the Internet will be able to hit the ports that are blocked.
D>
D> This is becoming a very common attack. Two of our high-end 45 meg DS-3 customers were recently attacked in this way. Their DS-3s were saturated by SYN packets. By some lucky chance, the attack was to ports that were not being used, and because of this it was easy to call the upstream provider and have them block the ports to the IP being attacked, freeing the link from saturation. The attack lasted 18 days.
D>
D> The question is this: if the attacker sent the SYN flood to important ports, say 25 and 80, and the only defense was to block access to these ports way upstream, how could you get back online quickly? You could receive mail on your backup MX, but you could not send mail (because the block is bidirectional... you'd have to loop all outgoing mail through another Imail server on another IP, I suppose), nor could you use POP if the attack was on 110. Has anyone been through this yet and if so, what creative methods did you use to defend yourself?
D>
D> Dave

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
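Dave's post comes down to one operational question: which (IP, port) pairs are actually being flooded, so you can give the upstream provider exact filter targets, and which of those are critical ports where a block means failing over first. The script below is an added example for this thread, not code from any poster or from Ipswitch/ISS. It assumes a constructed firewall log format (one line per SYN: epoch, source, destination; adapt LINE_RE to your own gear) and uses the two signals the thread describes: a SYN rate far above normal, and a very large number of distinct source addresses, which is what a spoofed flood looks like and a busy legitimate service does not. The thresholds and the sample capture are constructed, not measured values.

```python
"""Spot SYN-flood targets in firewall SYN logs so you know exactly which
(IP, port) pairs to ask the upstream provider to filter.

The log format below is constructed for this example (hypothetical); adapt
LINE_RE to whatever your firewall or router actually emits:
    <epoch> SYN <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+) SYN (\S+):(\d+) -> (\S+):(\d+)$")

# Ports the thread calls critical for an IMail host: asking the upstream to
# block these takes the service down with the attack, so they get a
# different recommendation than an unused port.
CRITICAL_PORTS = {25, 80, 110, 443}


def parse_line(line):
    """Return (ts, src_ip, src_port, dst_ip, dst_port) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, src_port, dst_ip, dst_port = m.groups()
    return int(ts), src_ip, int(src_port), dst_ip, int(dst_port)


def syn_stats(lines):
    """Per (dst_ip, dst_port): SYN count, distinct source IPs, SYNs per second.

    The rate uses the span of timestamps seen in the input (at least 1 s),
    so feed it one capture window at a time.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash mid-incident
        ts, src_ip, _, dst_ip, dst_port = rec
        key = (dst_ip, dst_port)
        counts[key] += 1
        sources[key].add(src_ip)
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    window = (last - first + 1) if counts else 1
    return {
        key: {
            "syns": counts[key],
            "distinct_src": len(sources[key]),
            "rate": counts[key] / window,
        }
        for key in counts
    }


def flood_targets(lines, rate_threshold=30.0, min_distinct_src=50):
    """List (dst_ip, dst_port, action) for targets that look flooded.

    A spoofed flood shows a high SYN rate *and* a huge number of distinct
    sources (forged addresses); a busy but legitimate service has few.
    The action follows the thread: ask the upstream to filter an unused
    port outright, but fail over (backup MX, alternate IP) before filtering
    a critical one. Thresholds are constructed defaults, not tuned values.
    """
    out = []
    for (dst_ip, dst_port), s in sorted(syn_stats(lines).items()):
        if s["rate"] < rate_threshold or s["distinct_src"] < min_distinct_src:
            continue
        action = "failover_then_filter" if dst_port in CRITICAL_PORTS else "filter_upstream"
        out.append((dst_ip, dst_port, action))
    return out


def constructed_sample():
    """Constructed 10-second capture: normal web traffic plus two spoofed floods."""
    t0 = 1043107140  # constructed epoch (20 Jan 2003)
    lines = ["this line is not a SYN record"]  # exercises the skip path
    # Legitimate HTTP: 3 clients, 30 SYNs over 10 s.
    for i in range(30):
        lines.append(f"{t0 + i % 10} SYN 192.0.2.{1 + i % 3}:{40000 + i} -> 203.0.113.10:80")
    # Flood on SMTP (critical): 400 SYNs, every source address forged.
    for i in range(400):
        lines.append(f"{t0 + i % 10} SYN 10.{i // 256}.{i % 256}.7:{1024 + i} -> 203.0.113.10:25")
    # Flood on an unused port: 500 SYNs, again all distinct forged sources.
    for i in range(500):
        lines.append(f"{t0 + i % 10} SYN 172.16.{i // 256}.{i % 256}:{1024 + i} -> 203.0.113.10:1433")
    return lines


if __name__ == "__main__":
    for dst_ip, dst_port, action in flood_targets(constructed_sample()):
        print(f"{dst_ip}:{dst_port} -> {action}")
```

On the constructed capture the HTTP traffic is ignored (3 SYN/s from 3 clients), port 1433 comes out as a plain upstream-filter request, and port 25 is flagged as critical so the output matches the thread's advice: move inbound mail to the backup MX and outbound relay to another IP before asking the provider to block the port. Note that this only tells you what to filter; as Dave points out, once the link itself is saturated nothing on your side of the router can restore it.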
