> -----Original Message-----
> From: Minh Van Le [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 26 November 2002 11:32 AM
> To: [EMAIL PROTECTED]
> Subject: [SLUG] I think I'm being DoS'd - What can I do ?
>
> Is there anything else that I can do apart from early detection or
> unplugging the modem to prevent paying excess in the case of
> a Denial of Service or SYN/ACK, ICMP flood ? Auto-blocking tools,
> slowing down connections ? Should I make a complaint to the source
> ISP ? Would PacificNet be willing to block a whole network just for
> one customer ([me]; doubt it) ?
Check out "LaBrea"; it's a honey-pot kinda thing. Best bit is that it will create connections that cause the attacking hosts to time-out etc.

Also look around freshmeat.net - I'm sure I've seen some counter-attack packages that will dynamically modify ipchains/iptables in a predictable way to block these bozos from causing you grief.

Also, for any ports that you aren't using, consider making them stealth - i.e., block outgoing packets on those ports. It means that your system will take ages to do a full port scan on (every port will have to time-out before moving to the next one. Well, not exactly, but it will take longer than if your system sends back 'connection refused' messages).

Look into privilege separation for running processes, and setting the stack non-executable. There's plenty of info about this with Linux online (google it).

Subscribe to some security lists or Usenet groups and start learning. These twits generally don't launch attacks from their own systems (too "traceable") but will launch them from other systems they have compromised. If your system is secured, that's one less machine on the 'net that can cause *me* grief :-)

Cheers,
James

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
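The "dynamically modify iptables in a predictable way" idea James mentions, as an added example that is not part of his reply and is not the code of LaBrea or any freshmeat package: a small Python detector that reads iptables LOG lines, counts inbound SYNs per source over a sliding window, and emits `iptables ... -j DROP` rules for sources over a threshold. It assumes (this is not from the thread) that the firewall already logs new inbound SYNs with a rule such as `iptables -A INPUT -p tcp --syn -m limit --limit 50/s -j LOG --log-prefix "SYN: "`, so each SYN produces one kern.log line carrying `SYN: ` and `SRC=`. The log lines, hostnames and addresses below are constructed (RFC 5737 documentation ranges), not captured traffic; the thresholds are arbitrary defaults.

```python
#!/usr/bin/env python3
"""Count inbound SYNs per source over a sliding window and emit iptables
DROP rules for sources that exceed a threshold.

Added example, not from the SLUG thread.  Assumes an existing LOG rule:
    iptables -A INPUT -p tcp --syn -m limit --limit 50/s -j LOG --log-prefix "SYN: "
The kern.log lines it writes are the input; here they are replaced by
constructed sample lines.
"""
import re
import shlex
import subprocess
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

LOG_PREFIX = "SYN: "   # must match --log-prefix on the LOG rule (assumption)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"   # syslog timestamp, no year
    r".*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"             # source address field
)
EPOCH = datetime(1900, 1, 1)   # strptime without %Y yields year 1900; only differences matter


def parse_syn_events(lines: Iterable[str]) -> List[Tuple[float, str]]:
    """Return (seconds, source IP) for every line written by the SYN LOG rule.

    Other kernel messages are skipped.  syslog timestamps carry no year, so a
    log spanning New Year sorts wrongly: fine for a rolling detector, not for archives.
    """
    events = []
    for line in lines:
        if LOG_PREFIX not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append(((ts - EPOCH).total_seconds(), m.group("src")))
    return events


def peak_syns_per_window(events: Iterable[Tuple[float, str]], window: float) -> Dict[str, int]:
    """Highest number of SYNs any single source sent inside any span shorter than `window` seconds."""
    by_src: Dict[str, List[float]] = defaultdict(list)
    for t, src in events:
        by_src[src].append(t)
    peaks: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:   # slide the left edge of the window forward
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def detect_floods(lines: Iterable[str], threshold: int = 10, window: float = 10.0) -> List[str]:
    """Sources that sent at least `threshold` SYNs inside some `window`-second span."""
    peaks = peak_syns_per_window(parse_syn_events(lines), window)
    return sorted(src for src, n in peaks.items() if n >= threshold)


def block_rules(sources: Iterable[str], chain: str = "INPUT") -> List[List[str]]:
    """iptables argv lists; -I puts them at the top of `chain` so they win over ACCEPT rules."""
    return [["iptables", "-I", chain, "-s", src, "-j", "DROP"] for src in sources]


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> List[str]:
    """Return the command lines; execute them too (needs root) when dry_run is False."""
    cmds = [shlex.join(r) for r in rules]
    if not dry_run:
        for r in rules:
            subprocess.run(r, check=True)   # raises CalledProcessError if iptables rejects the rule
    return cmds


# --- constructed sample log, not captured traffic ------------------------------
def _syn_line(ts: str, src: str, spt: int, dpt: int) -> str:
    return (f"{ts} gw kernel: {LOG_PREFIX}IN=ppp0 OUT= SRC={src} DST=198.51.100.2 "
            f"LEN=60 TTL=54 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=5840 SYN URGP=0")


def _ts(sec: int) -> str:
    return f"Nov 26 11:30:{sec:02d}"


SAMPLE_LOG = (
    [_syn_line(_ts(k // 2), "203.0.113.7", 40000 + k, 80) for k in range(12)]   # 12 SYNs in 6 s: flood
    + [_syn_line(_ts(5 * k), "192.0.2.5", 51000, 1 + k) for k in range(12)]      # 12 SYNs over 55 s: slow scan
    + [_syn_line(_ts(2), "198.51.100.9", 33333, 22),
       _syn_line(_ts(3), "198.51.100.9", 33334, 22)]                              # two normal connections
    + ["Nov 26 11:30:04 gw kernel: ppp0: link is up"]                             # unrelated kernel message
)

if __name__ == "__main__":
    for cmd in apply_rules(block_rules(detect_floods(SAMPLE_LOG)), dry_run=True):
        print(cmd)
```

Run as-is it only prints the `iptables -I INPUT -s 203.0.113.7 -j DROP` line for the flooding source; the slow scanner never exceeds two SYNs in any ten-second span and is left alone. Two caveats before pointing this at a live log: a SYN flood with spoofed source addresses will make it block addresses that never sent anything, so add an allow-list for your own ranges and let blocks expire (an `ipset` with a timeout is the usual way) rather than accumulating DROP rules forever; and a `-j LOG` rule without `-m limit` turns the flood into a disk-filling problem as well.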
