Date:      Fri, 10 Jan 2003 01:18:07 -0800 (PST)
From:      Josh Brooks <user@mail.econolodgetulsa.com>
To:        "."@babolo.ru
Cc:        freebsd-net@freebsd.org
Subject:   Re: What is my next step as a script kiddie ? (DDoS)
Message-ID:  <20030110011642.O78856-100000@mail.econolodgetulsa.com>
In-Reply-To: <1042154753.510477.852.nullmailer@cicuta.babolo.ru>


My goal is to protect my FreeBSD firewall.  As I mentioned, now that I
have closed off everything to the victim except the ports he is actually
running services on, everything is great!  The firewall is just fine -
even during a big syn flood, because it just drops all the packets that
aren't going to legitimate ports.

So my question is, what will they do next ?  When they nmap the victim and
they see all the ports are closed, what will they move to then ?



On Fri, 10 Jan 2003 .@babolo.ru wrote:

> > With the help of people in this group I have largely solved my problems -
> > by simply placing in rules to drop all packets except the ones going to
> > ports/services that are actually in use on the destination, I have found
> > that even during a large attack (the kinds that used to cripple me) I have
> > no problems at all - a lot of packets simply get dropped and that's that.
> >
> > But, I am concerned ... I am concerned that the attacks will simply
> > change/escalate to something else.
> >
> > If I were a script kiddie, and I suddenly saw that all of my garbage
> > packets to nonexistent ports were suddenly being dropped, and say I nmap'd
> > the thing and saw that those ports were closed - what would my next step
> > be ?  Prior to this the attacks were very simply a big SYN flood to random
> > ports on the victim, and because of the RSTs etc., all this traffic to
> > nonexistent ports flooded the firewall off.
> >
> > So what do they do next ?  What is the next step ?  The next level of
> > sophistication to get around the measures I have put into place (that have
> > been very successful - I have an attack ongoing as I write this, and it
> > isn't hurting me at all)
> >
> > -------
> >
> > I am hoping that the answer is "same attack, but bigger - more bandwidth,
> > in an attempt to saturate your pipe" because the victims are low profile
> > enough that it is unlikely enough people could pool enough resources to
> > make this happen.  But then again, maybe there is something sophisticated
> > that a small attacker could do - and that is what I am trying to figure
> > out and prevent before it happens.
> What is your goal?
> To protect your router or to protect your client?
> This is a big difference.
> And maybe the police is the best way for both
> in the long term.
>

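The default-deny approach described in this message, as an added shell example that is not from the thread or its participants: it generates an ipfw ruleset that drops everything addressed to the protected host except its in-use service ports, and a helper that sums the deny-rule packet counter from `ipfw -a list` output so you can confirm the flood is being dropped rather than answered. The interface name, addresses and ports are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, host address and ports are
# placeholders; adjust before use.

# build_ruleset IFACE HOST "TCP PORTS" "UDP PORTS"
# Prints the ipfw commands for a default-deny policy toward HOST: only the
# listed service ports are reachable, everything else to HOST is silently
# dropped (deny, not reset, so the firewall sends no RST per flood packet).
build_ruleset() {
    ifc=$1; host=$2; tcp_ports=$3; udp_ports=$4
    n=100
    echo "ipfw -q -f flush"
    for p in $tcp_ports; do
        echo "ipfw add $n allow tcp from any to $host $p in via $ifc"
        n=$((n + 10))
    done
    for p in $udp_ports; do
        echo "ipfw add $n allow udp from any to $host $p in via $ifc"
        n=$((n + 10))
    done
    # Replies to connections HOST opened itself. Caveat: 'established' matches
    # any ACK/RST packet, so an ACK flood still reaches HOST through this rule.
    echo "ipfw add $n allow tcp from any to $host in via $ifc established"
    n=$((n + 10))
    # Everything else addressed to HOST is dropped here; this rule's packet
    # counter is what grows during a flood.
    echo "ipfw add $n deny ip from any to $host in via $ifc"
    n=$((n + 10))
    echo "ipfw add $n allow ip from any to any"
}

# dropped_packets: reads 'ipfw -a list' output on stdin (rule number, packets,
# bytes, rule body) and sums the packet counters of all deny rules.
dropped_packets() {
    awk '$4 == "deny" { s += $2 } END { print s + 0 }'
}

# Constructed sample of 'ipfw -a list' output for a host under flood.
SAMPLE_IPFW_LIST='00100     10     600 allow tcp from any to 192.0.2.10 22 in via fxp0
00140  48213 2892780 deny ip from any to 192.0.2.10 in via fxp0
00150   1000   80000 allow ip from any to any'

# Stand-alone run: print the ruleset, then the drop count from the sample.
build_ruleset fxp0 192.0.2.10 "22 80" "53"
printf '%s\n' "$SAMPLE_IPFW_LIST" | dropped_packets
```

Feed the printed commands to a root shell on the firewall to load them; run `ipfw -a list | dropped_packets` during an attack to see how much the catch-all deny rule is absorbing.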




