How stop DoS and SYN attack..
R. DuFresne
dufresne at sysinfo.com
Tue Jun 6 20:00:03 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
DDOS, whence the attacker flood you with more packets then your pipe<s>
can handle leaves you at pretty much the mercy of the attacker. No
different the plumbing if a one inch pipe is fed by a 5 inch pipe, the one
inch pipe is filled to more then is can push forth. Upstream providers
might beable to provide some assitance in limiting the flood, but if the
aggregate bandwidth of the attacking pipe<s> are again larger then the
upstream SOL is the case.
Thanks,
Ron DuFresne
On Wed, 7 Jun 2006, Jeho Park wrote:
> Alberto Ferrer wrote:
>
>> ¿So its impossible stop a DDoS ? (SYN Flood in my case.)
>>
> if you limit DDos to the TCP SYN flood, you may be right
> but there are so many DDos patterns not based TCP..
> so if you make enable tcp_sync_cookies flag of your kernel, you can protect
> TCP sync attack,
> but as time goes on, your system and network will be stoped. so that solution
> can't solve the problem basically
> ( please refer to the "sietse van zanen"'s post and
> http://www2.laas.fr/METROSEC/attacks-taxonomy-SAR2005.pdf )
>
> in the DDOS problem, i think QoS or my idea dropping any flooding packet in
> NIC driver layer may give a more general solution than IP-based netfilter.
> there are so many paper to solve this DDos, but as i know there is none exact
> solution to resolve this DDos exactly.
>>
>> 2006/6/6, Jeho Park <jhpark-nf-user at kernelproject.org>:
>>
>>> Sietse van Zanen wrote:
>>>
>>> >There's not really very much you can do about DDOS attacks with netfilter
>>> alone. You can block the traffic ofcourse, or try to fiddle with --limit,
>>> or tcp_syn_cookies.
>>> >
>>> >
>>> i think as a attacker try to send more and more sync packets, router
>>> will lose cpu time and system resource .. even if tcp_syn_cookies
>>> function is active or not. the reason i think like this is that i heard
>>> tcp_syn_cookies
>>> can't stop router being slow..
>>>
>>> in this DDOS attaction problem, i suggest as NIC driver module detects
>>> packet flooding, DOS attack and block or
>>> ignore the packet which is sent from the attacker. we can protect out
>>> network backlog safely and there will be no network soft irq ..
>>>
>>> a few week later, i will try to test my idea.
>>> i will use detection engine i made 3 year ago (
>>> http://sourceforge.net/projects/geto )
>>> as a result, i can't sure my idea is right. so i try to test that.
>>>
>>> >But usually the problem is that the amount of traffic just fills your
>>> entire Internet connecection, which renders it useless. The only thing you
>>> can do in such a situation is ask yout ISP to block the attack upstream.
>>> >And often, ISPs are very unhappy about customers being DDOS-ed.
>>> >
>>> >-Sietse
>>> >
>>> >-----Original Message-----
>>> >From: netfilter-bounces at lists.netfilter.org
>>> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Alberto Ferrer
>>> >Sent: Saturday, June 03, 2006 10:33 PM
>>> >To: netfilter at lists.netfilter.org
>>> >Subject: How stop DoS and SYN attack..
>>> >
>>> >¿any know a way to stop via Linux with iptables or related a SYN attack ?
>>> >¿where i can read something related to this?
>>> >
>>> >Thanks in advance.
>>> >
>>> >P.S: sorry for my bad english :D
>>> >--
>>> >Alberto Ferrer
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>
>>
>
>
>
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEhcKlst+vzJSwZikRAi5LAJ9opjo/1eY+E7f2qMMcq2HngOvHbgCfSxh+
FOAn6Zu6gKPUXe44jaKYEOo=
=j8h6
-----END PGP SIGNATURE-----
More information about the netfilter
mailing list