Thanks for the response.  

The issue is not one of "can the firewall stop this" because many firewalls, even
low-end software-based versions like Black Ice, now include a syn proxy agent.  This issue
is more of link saturation.  This is a hybrid attack:  high bandwidth AND syn packet
reorganization.  Protecting your server is the part that a firewall will help with.
Protecting the link and edge router is the other, and can only be done at the upstream
infrastructure level.  The point is that these types of packets are spoofed so you
can't simply "drop the offending IP" due to the IP header spoofing:  you can't even
find out what IP the attack is coming from.  So all you can do is have the upstream
block access to the port and IP being attacked (to free up the bandwidth).  If this is
a critical port, you are down.

            



-----Original Message-----
From: Roger Heath [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 5:26 PM
To: Don Schreiner
Subject: Re[2]: [IMail Forum] syn flood, Imail and service providers.


Reply to: Don Schreiner
      Re: [IMail Forum] syn flood, Imail and service providers. on Monday 7:12:07 PM

We have seen this regularly block this kind of attack here even
on most of our web servers so it handles this attack quite nicely.

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


----- Copy of Original Message(s): -----

D> I recently (per the suggestion of Roger on this list) tested ISS
D> BlackIce on one of our utility servers and then installed their server
D> version. What an eye opener to the hacks hitting our servers. I have
D> installed on all now. It is not a cure-all but has certainly helped. And
D> can auto-block certain attacks. To understand the .ini files I finally
D> found out you must review their older documentation version 2.9 to get a
D> complete picture. I am not so sure it will help with syn or ping flood
D> as described - but think it worth the investment for helping with
D> inbound security.  There are some bad write-ups about it from Steve
D> Gibson (well deserved BTW) whereas they appeared to have deliberately
D> bypassed his popular leak test, however if you understand the product
D> for what it does and does not do - then you are OK. I like it for our
D> servers and am also a Zone Alarm Pro user too - but prefer that for
D> workstations.

D> -Don S.

D> -----Original Message-----
D> From: [EMAIL PROTECTED]
D> [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Heath
D> Sent: Monday, January 20, 2003 6:39 PM
D> To: Dave Marchette
D> Subject: Re: [IMail Forum] syn flood, Imail and service providers.


D> Reply to: Dave Marchette
D>       Re: [IMail Forum] syn flood, Imail and service providers. on
D> Monday 5:12:02 PM

D> Yes.  I  would  not  run Imail without ISS Real Secure or the original
D> Black  Ice  Server protection. It can block library attacks and almost
D> all common server attacks automatically.

D> It's not very expensive either. See:
D> http://blackice.iss.net/product_server_protection.php

D> --
D> Roger Heath
D> [EMAIL PROTECTED]
D> www.rleeheath.com



To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
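
Added example, not part of the original thread: Python that illustrates the point in the top reply, that with spoofed sources a per-source block rule never trips while the half-open count on the attacked IP and port does. The record format, the two thresholds and all addresses are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
import ipaddress
import random

def half_open(records):
    """Group sources of SYNs never completed by an ACK, keyed by (dst, dport).
    Records are (src, sport, dst, dport, flags): "S" = client SYN, "A" = completing ACK."""
    pending = set()
    for src, sport, dst, dport, flags in records:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.add(key)
        elif flags == "A":
            pending.discard(key)
    by_target = defaultdict(list)
    for src, _sport, dst, dport in pending:
        by_target[(dst, dport)].append(src)
    return by_target

def assess(records, per_source_limit=20, per_target_limit=500):
    """Compare what a per-source rule and a per-target rule would flag."""
    report = {}
    for target, sources in half_open(records).items():
        counts = Counter(sources)
        report[target] = {
            "half_open": len(sources),
            "distinct_sources": len(counts),
            "sources_over_limit": [s for s, n in counts.items() if n > per_source_limit],
            "target_over_limit": len(sources) > per_target_limit,
        }
    return report

def constructed_sample(seed=1):
    """Constructed traffic: 5 real clients plus 2000 SYNs with random sources."""
    rng = random.Random(seed)
    server = "192.0.2.25"  # documentation address standing in for the mail server
    recs = []
    for i in range(5):  # legitimate clients complete the handshake
        c = f"198.51.100.{10 + i}"
        recs += [(c, 40000 + i, server, 25, "S"), (c, 40000 + i, server, 25, "A")]
    for _ in range(2000):  # spoofed SYNs: random source, never followed by an ACK
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        recs.append((src, rng.randrange(1024, 65536), server, 25, "S"))
    return recs

if __name__ == "__main__":
    for target, info in assess(constructed_sample()).items():
        print(target, info)
```

The only signal that crosses a threshold is keyed on the destination IP and port, which is why the filter the upstream can apply is on the attacked address and port rather than on any source.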
