Reply to: Dave Marchette
Re: [IMail Forum] syn flood, Imail and service providers. on Monday 8:19:56 PM
ISS must have some viable method to approach this. We do see it
halted. Perhaps they shut off that Winsock link specifically or
something along those lines without being concerned about IP. We will
see it block and there are no reappearances of other connections
afterwards. We have no idea how it is done, but it does appear to
work.
--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com
----- Copy of Original Message(s): -----
D> Thanks for the response.
D> The issue is not one of "can the firewall stop this" because many firewalls, even
low end software based versions like Black Ice now include a syn proxy agent. This
issue is more of link
D> saturation. This is a hybrid attack: high bandwidth AND syn packet
reorganization. Protecting your server is the part that a firewall will help with.
Protecting the link and edge router is the
D> other, and can only be done at the upstream infrastructure level. The point is
that these types of packets are spoofed so you can't simply "drop the offending ip"
due to the IP header spoofing:
D> you can't even find out what IP the attack is coming from. So all you can do is
have the upstream block access to the port and IP being attacked(to free up the
bandwidth). If this is a critical
D> port, you are down.
D> -----Original Message-----
D> From: Roger Heath [mailto:[EMAIL PROTECTED]]
D> Sent: Monday, January 20, 2003 5:26 PM
D> To: Don Schreiner
D> Subject: Re[2]: [IMail Forum] syn flood, Imail and service providers.
D> Reply to: Don Schreiner
D> Re: [IMail Forum] syn flood, Imail and service providers. on Monday 7:12:07 PM
D> We have seen this regularly block this kind of attack here even
D> on most of our web servers so it handles this attack quite nicely.
D> --
D> Roger Heath
D> [EMAIL PROTECTED]
D> www.rleeheath.com
D> ----- Copy of Original Message(s): -----
D>> I recently (per the suggestion of Roger on this list) tested ISS
D>> BlackIce on one of our utility servers and then installed their server
D>> version. What an eye opener to the hacks hitting our servers. I have
D>> installed on all now. It is not a cure all but has certainly helped. And
D>> can auto-block certain attacks. To understand the .ini files I finally
D>> found out you must review their older documentation version 2.9 to get a
D>> complete picture. I am not so sure it will help with syn or ping flood
D>> as described - but think it worth the investment for helping with
D>> inbound security. There are some bad write ups about it from Steve
D>> Gibson (well deserved BTW) whereas they appeared to have deliberately
D>> bypassed his popular leak test, however if you understand the product
D>> for what it does and does not do - then you are OK. I like it for our
D>> servers and am also a Zone Alarm Pro user too - but prefer that for
D>> workstations.
D>> -Don S.
D>> -----Original Message-----
D>> From: [EMAIL PROTECTED]
D>> [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Heath
D>> Sent: Monday, January 20, 2003 6:39 PM
D>> To: Dave Marchette
D>> Subject: Re: [IMail Forum] syn flood, Imail and service providers.
D>> Reply to: Dave Marchette
D>> Re: [IMail Forum] syn flood, Imail and service providers. on
D>> Monday 5:12:02 PM
D>> Yes. I would not run Imail without ISS Real Secure or the original
D>> Black Ice Server protection. It can block library attacks and almost
D>> all common server attacks automatically.
D>> It's not very expensive either. See:
D>> http://blackice.iss.net/product_server_protection.php
D>> --
D>> Roger Heath
D>> [EMAIL PROTECTED]
D>> www.rleeheath.com
D> --
D> ActivatorMail(tm) ver.122102 Scanned for all viruses by
D> www.activatormail.com intelligent anti-virus anti-spam service
D> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
D> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
D> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
D> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
D> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
D> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
D> --
D> ActivatorMail(tm) ver.122102 Scanned for all viruses by
D> www.activatormail.com intelligent anti-virus anti-spam service
--
ActivatorMail(tm) ver.122102 Scanned for all viruses by
www.activatormail.com intelligent anti-virus anti-spam service
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
