Date: Sat, 11 Jan 2003 17:18:48 -0500
From: Richard A Steenbergen <ras@e-gerbil.net>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: What is my next step as a script kiddie ? (DDoS)
Message-ID: <20030111221848.GG78231@overlord.e-gerbil.net>
In-Reply-To: <20030109101652.E78856-100000@mail.econolodgetulsa.com>
References: <20030109101652.E78856-100000@mail.econolodgetulsa.com>
On Thu, Jan 09, 2003 at 10:21:52AM -0800, Josh Brooks wrote:
>
> But, I am concerned ... I am concerned that the attacks will simply
> change/escalate to something else.
>
> If I were a script kiddie, and I suddenly saw that all of my garbage
> packets to nonexistent ports were suddenly being dropped, and say I nmap'd
> the thing and saw that those ports were closed - what would my next step
> be ? Prior to this the attacks were very simply a big SYN flood to random
> ports on the victim, and because of the RSTs etc., all this traffic to
> nonexistent ports flooded the firewall off.
>
> So what do they do next ? What is the next step ? The next level of
> sophistication to get around the measures I have put into place (that have
> been very successful - I have an attack ongoing as I write this, and it
> isn't hurting me at all)

You're very right, that's exactly what they will do. Many frequent DoS
victims find it easier to leave open a hole so they can die easily, rather
than risk the attacks escalating and taking out other parts of the network
or services, other customers, etc.

Obviously the next step would be for them to move to SYN flooding only the
ports of the service they are trying to kill, rather than random ports (if
they were smart or motivated by anything other than "I'll keep changing
numbers until they go down again" they would be doing that already). The
next step would be ACK floods so you can't even keep already established
flows up during the attack (though if it's a quick connect/disconnect
service like http it wouldn't matter). The next step would be attacking the
routers near the victim... Etc etc etc.

But I think you're now going outside the scope and expertise of this
mailing list. :)

--
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C  53AF 4C41 5ECA F8B1 2CBC)
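As an added illustration (not code from either poster or the FreeBSD project), the following Python heuristic sorts a window of firewall-observed TCP packets into the escalation stages the reply lists: SYN flood to random closed ports, SYN flood aimed at one open service port, and ACK flood against established flows. The thresholds, the label names and the sample traffic are all assumptions constructed for this example, not tuned values or captured data.

```python
from collections import Counter
from random import Random

# Thresholds are assumptions for this constructed sample, not tuned values.
MIN_PACKETS = 50            # too little traffic to call anything
FLOOD_RATIO = 0.8           # share of packets that are bare SYN (or bare ACK)
TARGETED_PORT_SHARE = 0.9   # one open port carrying >= 90% of the SYNs

def classify_flood(packets, open_ports):
    """packets: list of (src_ip, dst_port, flags) with flags like 'S', 'A', 'SA', 'PA'.
    open_ports: ports the host listens on. Returns an (assumed) stage label."""
    if len(packets) < MIN_PACKETS:
        return "insufficient"
    syns = [p for p in packets if p[2] == "S"]
    acks = [p for p in packets if p[2] == "A"]
    if len(syns) / len(packets) >= FLOOD_RATIO:
        per_port = Counter(p[1] for p in syns)
        port, hits = per_port.most_common(1)[0]
        if port in open_ports and hits / len(syns) >= TARGETED_PORT_SHARE:
            return f"syn_targeted:{port}"    # aimed at the service itself
        to_closed = sum(n for pt, n in per_port.items() if pt not in open_ports)
        if to_closed / len(syns) >= 0.5:
            return "syn_random_ports"        # mostly junk to closed ports (RST churn)
        return "syn_flood"
    if len(acks) / len(packets) >= FLOOD_RATIO:
        return "ack_flood"                   # pressure on established flows
    return "normal"

# Constructed samples (not captured traffic); the host listens on 80 and 443.
OPEN_PORTS = {80, 443}

def sample_random_port_syns(n=200):
    rng = Random(1)
    return [(f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65536), "S")
            for _ in range(n)]

def sample_targeted_syns(n=200):
    return [("198.51.100.7", 80, "S")] * n

def sample_ack_flood(n=200):
    return [("198.51.100.7", 80, "A")] * n

def sample_normal():
    # balanced handshake and data traffic from one client
    return [("192.0.2.10", 80, "S"), ("192.0.2.10", 80, "A"),
            ("192.0.2.10", 80, "PA")] * 20

if __name__ == "__main__":
    for fn in (sample_random_port_syns, sample_targeted_syns, sample_ack_flood, sample_normal):
        print(fn.__name__, "->", classify_flood(fn(), OPEN_PORTS))
```

A move from "syn_random_ports" to "syn_targeted" or "ack_flood" across successive windows is the escalation the reply describes, and dropping traffic to closed ports will not help once it reaches the service port itself.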