First let me say this: never let your ISP tell you there is *nothing* they
can do.  It's a cop-out for one of two reasons: either they are completely
unwilling to help because they are afraid that by accepting even a margin of
responsibility it will open them up to higher expectations, OR they are
completely incompetent.  If this is their official stance then threaten to
take your business elsewhere.  And if they don't respond, then find another
ISP.  But I digress.

To answer your questions.  A firewall in front of your T1 won't matter
because if the pipe is flooded, the pipe is flooded.  The only way for this
to work is if your provider puts a firewall or other filtering device
*before* the traffic ever reaches your T1.  It doesn't sound like something
they are willing to do.

If you want to use an alternative T1, that is possible, but you'll have to
pay for it from your ISP.  I'm assuming that each of your servers has a
different IP.

Here are some other ideas.  Do you have an IDS?  If not, get one.  It should
help in determining exactly what type of DoS it is, as well as possibly
helping you determine if the IPs are spoofed or not.  For example, if the
range of IP addresses are varied and inconsistent, it is likely that the
attacker is spoofing.  At this point, you will need to ask/force your
service provider to start looking at their router logs to physically
back-trace the packets to some point of origin.  It is tedious, and there
are no guarantees that this will work, but if you're a big enough customer,
they just might do it for you.  Anyway, once they track down the source of
the traffic stream they might be able to contact the host and put a stop to
it.  Chances are that in order for this to work, it will require the
assistance of multiple carriers.

If the IPs are not spoofed, ask your provider to filter to the IPs at their
edge, or if they are on their own network, to contact the host.

<rant>
It is a popular misconception that there is nothing anyone can do about DoS
attacks (or more precisely, DDoS).  This misbelief has been propagated since
eBay, Yahoo, and others were brought to their knees a few years ago by
wide-scale DoS attacks and neither the ISPs nor the consulting firms
(security and otherwise) wanted to accept any accountability for what they
were warned about for years would happen.

While I absolutely agree that there is no single magic bullet that any one
group or individual can do to completely stop a DoS (especially a DDoS),
there are several steps that can be taken to *mitigate* the damage.  This
includes egress filtering by ISPs, and companies and end-users doing a
better job of locking down their machines so they are not compromised in the
first place.

Don't allow the myth to propagate any further.  If we really want better
protection from DoS attacks, then let's start forcing the ISPs to be more
responsible for securely configuring and monitoring their network.  In
today's world of heightened security needs, it is no longer enough for ISPs
to simply provide a pipe to the net.  It's time they start giving you the
service you pay for.
</rant>

Good luck,
Brownfox
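An added illustration of the "varied and inconsistent source addresses" check suggested above (example code of my own, not from the original post): it scores a sample of flow records by source diversity and flags sources that cannot legitimately arrive from the internet at all. The record format, the thresholds and the generated sample are assumptions.

```python
import ipaddress
import random
from collections import Counter

# Source blocks that never legitimately arrive from the internet: a packet
# carrying one is spoofed outright (ISP egress filtering would have dropped it).
BOGON_BLOCKS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_bogon(addr):
    return any(addr in block for block in BOGON_BLOCKS)

def parse_records(text):
    """Parse flow lines of the assumed form '<epoch> <src_ip> <dst_port> <proto>'."""
    rows = [line.split() for line in text.splitlines()]
    return [(int(r[0]), ipaddress.ip_address(r[1]), int(r[2]), r[3].lower())
            for r in rows if len(r) == 4]  # blank or malformed lines are skipped

def diversity_stats(records):
    """Spoofing: a new source per packet over many /16s. Real bots: sources repeat."""
    sources = Counter(r[1] for r in records)
    return {
        "source_ratio": len(sources) / len(records),
        "prefixes16": len({ipaddress.ip_network(f"{a}/16", strict=False) for a in sources}),
        "top_source_share": max(sources.values()) / len(records),
        "bogon_sources": sum(is_bogon(a) for a in sources),
    }

def classify(records):  # thresholds below are assumptions; tune them to your link
    if not records:
        return "inconclusive"
    s = diversity_stats(records)
    if s["bogon_sources"]:
        return "spoofed"          # impossible sources, no guessing needed
    if s["source_ratio"] >= 0.8 and s["prefixes16"] >= 5:
        return "likely-spoofed"   # varied and inconsistent: ask the ISP to back-trace
    if s["top_source_share"] >= 0.25:
        return "likely-real"      # a few repeat hosts: ask the ISP to filter them
    return "inconclusive"

def constructed_sample(n, distinct, seed=1):
    """Constructed flood: n records cycling through `distinct` random non-bogon
    sources (distinct == n mimics spoofing; a small value mimics a few real bots)."""
    rng, pool = random.Random(seed), []
    while len(pool) < distinct:
        a = ipaddress.ip_address(rng.getrandbits(32))
        if a not in pool and not is_bogon(a):
            pool.append(a)
    return [(1013502240 + i // 50, pool[i % distinct], 80, "tcp") for i in range(n)]
```

Feed `parse_records` a text export from the IDS or router (one packet or flow per line in the assumed format) and read the verdict from `classify`; the generated samples only show the two extremes the reply describes.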


-----Original Message-----
From: Clinton McLeay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 8:24 AM
To: [EMAIL PROTECTED]
Subject: Denial of service question.


Hello, here's my question for all of you guys and gals..
We have a single T1 line to the Internet that we use to host web pages
and such. Lately one of our computers has started getting a LOT of
traffic (from random IPs and on different ports, with TCP and UDP). The
router we have is just a 2500 series Cisco which we DON'T have access
to, however the upstream provider will put in rules for us.
The denial of service sometimes goes on for a couple of days, and our
upstream says that there is *NOTHING* they can do to help us block this,
they suggest we set up a firewall, which we HAVE, but it's on our side of
the T1 router... So if 1.5M is flooding in basically we are out of luck.
The question I have is:
Is there any way to help this situation? How possible is it for us to
put a firewall BEFORE the T1 line to block all of this before it hits
our poor little line, or would this even help? I don't know if this
would even be possible?
Is there some sort of way we can have a fallback line in case this
happens, and just move all of our IP addresses over to another T1 while
this is happening to this one computer, so it's only getting attacked and
not EVERY server we have on that line?
Any help would be great!
-Clinton
