From owner-freebsd-questions Fri Jan 16 04:50:56 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id EAA11064
    for questions-outgoing; Fri, 16 Jan 1998 04:50:56 -0800 (PST)
    (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: (from jmb@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id EAA11058;
    Fri, 16 Jan 1998 04:50:51 -0800 (PST)
    (envelope-from jmb)
From: "Jonathan M. Bresler"
Message-Id: <199801161250.EAA11058@hub.freebsd.org>
Subject: Re: DoS
In-Reply-To: <199801160336.WAA18362@www.delanet.com> from Stephen Comoletti at "Nov 16, 97 10:35:03 am"
To: rugose@delanet.com (Stephen Comoletti)
Date: Fri, 16 Jan 1998 04:50:49 -0800 (PST)
Cc: freebsd-questions@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

Stephen Comoletti wrote:
> I have a situation I need a little advice on. I'm not sure if it belongs
> here, however it does affect users of FreeBSD as well from what little I do
> know.
>
> Ok..here is the setup. ISP with 2 cisco routers, both communicate between
> each other on a regular basis. They use radius for authentication. The isp

if the attack is coming from the outside, filter deny all packets
from the outside whose source address matches any of your networks
(you should do this anyway). i presume that the two routers talk
to each other using inside addresses ;)

if from the inside, track him down and ........

jmb

> is under attack by a modified smurf. It has all the symptoms of a smurf but
> it's coming in via udp and not icmp. to complicate it, the attacker is
> spoofing the ip of each router and hitting them at the same time, changing
> the port each time the isp kills input from one.
>
> Is there any way to defend/track down/stop an attack of this type?
>
> Steve
>
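
The outside-interface source filter suggested in the reply, modelled next to the per-port blocking described in the question. This is an added example, not part of the original thread; the prefixes, router addresses, ports and packet records are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: documentation prefixes stand in for the ISP's own networks.
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
ROUTER_A, ROUTER_B = "192.0.2.1", "192.0.2.2"  # constructed router addresses


@dataclass(frozen=True)
class Packet:
    iface: str   # "outside" = upstream link, "inside" = the ISP's own side
    src: str
    dst: str
    proto: str
    dport: int


def ingress_filter(pkt: Packet) -> str:
    """Deny traffic arriving from outside that claims one of our own sources."""
    src = ip_address(pkt.src)
    if pkt.iface == "outside" and any(src in net for net in INTERNAL_NETS):
        return "deny"
    return "permit"


def port_block(pkt: Packet, blocked_udp_ports: set) -> str:
    """The reactive approach from the question: kill input on one UDP port."""
    if pkt.proto == "udp" and pkt.dport in blocked_udp_ports:
        return "deny"
    return "permit"


# Constructed traffic: spoofed router sources on changing ports, plus
# legitimate inside router-to-router traffic and an ordinary outside host.
PACKETS = [
    Packet("outside", ROUTER_B, ROUTER_A, "udp", 5001),
    Packet("outside", ROUTER_A, ROUTER_B, "udp", 5001),
    Packet("outside", ROUTER_B, ROUTER_A, "udp", 5002),  # port moved
    Packet("inside", ROUTER_B, ROUTER_A, "udp", 5001),
    Packet("outside", "203.0.113.9", ROUTER_A, "udp", 5001),
]


def compare(packets, blocked_udp_ports):
    """Return (source filter verdict, port block verdict) per packet."""
    return [(ingress_filter(p), port_block(p, blocked_udp_ports)) for p in packets]


if __name__ == "__main__":
    for pkt, verdicts in zip(PACKETS, compare(PACKETS, {5001})):
        print(pkt, verdicts)
```

The source filter drops all three spoofed packets regardless of port, while the port block misses the one that moved to another port and also drops the legitimate inside and outside traffic on the blocked port.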