Adam Neat wrote:

> > > does anyone know of a way to easily trace syn flooding, dos, smurf and
> > > other types of traffic on a network?
> >
> > What do you mean by `trace'? If you want to find where it came from,
> > the answer is that you can't. Attacks which don't require the sender
> > to receive any data can (and therefore do) use a spoofed source
> > address.
> >
> > ICMP-flooding attacks can be logged with icmplogd. There may be
> > something similar for SYN-flooding, but I don't know offhand.
> 
> well - it may be part of my personal naivety on Smurfing.
> 
> Basically a client of ours who is using Linux (we do too, for ethernet 
> routers) we believe is getting smurfed or the blunt end of a DOS attack of 
> some type.
> 
> We want to try and work out how to
> 
> a) find out if this is the case

A smurf attack will appear as a vast number of ping replies, with the
packets originating from many hosts within a network, possibly for
multiple networks.

The way that smurf works is that the attacker sends a ping request to
one or more broadcast addresses, using the target's IP address as the
source address. Every host which receives the ping request will reply
to the spoofed source address.

The source addresses of the ping replies which the target receives
will be valid, but these hosts aren't the source of the attack, just
`amplifiers'.

> and
> 
> b) if it's there, how do we stop it.

You could block all ping replies, or (better still), have their ISP
block all ping replies upstream (this will prevent the packets from
saturating their Internet connection). Of course, this would prevent
your client from using ping.

Other than that, you may wish to notify the administrators of the
systems which are being used as `amplifiers'. Ideally they would block
any inbound packets which were sent to the network's broadcast
address.

However, until everyone on the 'net does this, an attacker can just
find other networks which will act as amplifiers.

-- 
Glynn Clements <[EMAIL PROTECTED]>
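Added illustration, not part of the thread: a small Python detector that applies the symptom Glynn describes to constructed packet summaries, flagging a host that receives many echo replies it never asked for, from many hosts spread over several networks. The sample addresses, thresholds and function names are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8

def build_sample():
    """Constructed packet summaries (src, dst, icmp_type); not a real capture."""
    target = "203.0.113.10"
    pkts = [("203.0.113.10", "203.0.113.20", ECHO_REQUEST),
            ("203.0.113.20", "203.0.113.10", ECHO_REPLY)]   # one legitimate ping
    # Replies from two "amplifier" networks whose hosts all answered a
    # broadcast echo request forged with the target's source address.
    for net in ("192.0.2.0/24", "198.51.100.0/24"):
        for host in list(ip_network(net).hosts())[:40]:
            pkts.append((str(host), target, ECHO_REPLY))
    return pkts

def unsolicited_replies(packets):
    """Yield (src, dst) of echo replies whose receiver never sent a matching request.

    Matching is by address pair only (a real tool would also check ICMP id/seq);
    packets are processed in capture order."""
    requested = set()
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST:
            requested.add((src, dst))
        elif icmp_type == ECHO_REPLY and (dst, src) not in requested:
            yield src, dst

def find_smurf_targets(packets, min_replies=50, min_sources=20, min_nets=2):
    """Return {target: (reply_count, distinct_sources, distinct_/24s)} for
    destinations whose unsolicited-reply pattern looks like smurf amplification."""
    replies = defaultdict(list)
    for src, dst in unsolicited_replies(packets):
        replies[dst].append(src)
    hits = {}
    for dst, srcs in replies.items():
        nets = {ip_network(f"{s}/24", strict=False) for s in srcs}
        if (len(srcs) >= min_replies and len(set(srcs)) >= min_sources
                and len(nets) >= min_nets):
            hits[dst] = (len(srcs), len(set(srcs)), len(nets))
    return hits

if __name__ == "__main__":
    for dst, (n, hosts, nets) in find_smurf_targets(build_sample()).items():
        print(f"{dst}: {n} unsolicited echo replies from {hosts} hosts in {nets} /24s")
```

Fed with real capture summaries (for example from tcpdump output), the same check separates a victim's own ping traffic from reply floods, which is what the amplifier sources alone cannot tell you.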