Date:      Sun, 12 Jan 2003 03:39:09 +0300 (MSK)
From:      "."@babolo.ru
To:        Richard A Steenbergen <ras@e-gerbil.net>
Cc:        Josh Brooks <user@mail.econolodgetulsa.com>, freebsd-net@FreeBSD.ORG
Subject:   Re: What is my next step as a script kiddie ? (DDoS)
Message-ID:  <1042331949.784310.69034.nullmailer@cicuta.babolo.ru>
In-Reply-To: <20030111221848.GG78231@overlord.e-gerbil.net>

> On Thu, Jan 09, 2003 at 10:21:52AM -0800, Josh Brooks wrote:
> > 
> > But, I am concerned ... I am concerned that the attacks will simply
> > change/escalate to something else.
> > 
> > If I were a script kiddie, and I suddenly saw that all of my garbage
> > packets to nonexistent ports were suddenly being dropped, and say I nmap'd
> > the thing and saw that those ports were closed - what would my next step
> > be ?  Prior to this the attacks were very simply a big SYN flood to random
> > ports on the victim, and because of the RSTs etc., all this traffic to
> > nonexistent ports flooded the firewall off.
> > 
> > So what do they do next ?  What is the next step ?  The next level of
> > sophistication to get around the measures I have put into place (that have
> > been very successful - I have an attack ongoing as I write this, and it
> > isn't hurting me at all)
> 
> You're very right, that's exactly what they will do. Many frequent DoS 
> victims find it easier to leave open a hole so they can die easily, rather 
> than risk the attacks escalating and taking out other parts of the network 
> or services, other customers, etc.
> 
> Obviously the next step would be for them to move to SYN flooding only the 
> ports of the service they are trying to kill, rather than random ports (if 
> they were smart or motivated by anything other than "I'll keep changing 
> numbers until they go down again" they would be doing that already). The 
> next step would be ACK floods so you can't even keep already established 
> flows up during the attack (though if it's a quick connect/disconnect 
> service like http it wouldn't matter). The next step would be attacking 
> the routers near the victim... Etc etc etc.
Don't panic.
This is a headache of his upstream provider or
his client under attack.
His goal - as stated in the question - to protect the router - is solvable

But you are right - the global problem is not solvable that easily


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
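The escalation steps Richard lists above (SYN floods scattered over random ports, SYN floods concentrated on the service port, then ACK floods against established flows) each leave a different fingerprint in what a firewall sees. The following is an added example, not code from the thread or from any FreeBSD tool: it classifies a burst of inbound TCP packets into those patterns from the defender's side. It assumes a constructed one-line-per-packet log format (`<sec> <src_ip> <sport> <dport> <flags>`) and a constructed set of known-established flows standing in for a firewall state table; the thresholds are illustrative.

```python
"""Classify a burst of inbound TCP packets as one of the flood patterns
discussed in the thread. Added example; log format, state table and
thresholds are constructed for illustration, not taken from any real tool."""
from collections import Counter

# Constructed "state table": flows the firewall already knows as established,
# keyed (src_ip, sport, dport). Real firewalls keep this dynamically.
NORMAL_STATE = {("192.0.2.7", 40000 + i, 80) for i in range(50)}


def parse_log(text):
    """Parse constructed log lines into (sec, src_ip, sport, dport, flags) tuples."""
    records = []
    for line in text.strip().splitlines():
        sec, src, sport, dport, flags = line.split()
        records.append((int(sec), src, int(sport), int(dport), flags))
    return records


def classify(records, state_table, syn_threshold=100, ack_threshold=100, focus=0.8):
    """Return a dict describing the dominant pattern in a batch of packets.

    Patterns (defender's view of the escalation described in the thread):
      scatter-syn  - many SYNs spread over many ports (mostly closed ones,
                     so the box answers with RSTs and the firewall churns)
      targeted-syn - SYNs concentrated (>= focus share) on one service port
      ack-flood    - ACKs that match no established flow in the state table
      none         - nothing above the thresholds
    """
    syn = [r for r in records if r[4] == "S"]
    ack = [r for r in records if r[4] == "A"]
    orphan_ack = [r for r in ack if (r[1], r[2], r[3]) not in state_table]
    ports = Counter(r[3] for r in syn)
    top_port, top_count = ports.most_common(1)[0] if ports else (None, 0)
    result = {
        "syn_packets": len(syn),
        "distinct_syn_ports": len(ports),
        "top_port": top_port,
        "orphan_acks": len(orphan_ack),
        "pattern": "none",
    }
    if len(syn) >= syn_threshold:
        share = top_count / len(syn)
        result["pattern"] = "targeted-syn" if share >= focus else "scatter-syn"
    elif len(orphan_ack) >= ack_threshold:
        result["pattern"] = "ack-flood"
    return result


def make_burst(kind, n=200):
    """Build a constructed (synthetic, not captured) burst of the given kind."""
    if kind == "normal":
        # A handful of new connections plus ACKs from flows the firewall knows.
        syns = [f"0 10.0.0.{i + 1} {1024 + i} 80 S" for i in range(10)]
        acks = [f"0 {src} {sport} {dport} A" for (src, sport, dport) in sorted(NORMAL_STATE)]
        return "\n".join(syns + acks)
    lines = []
    for i in range(n):
        src = f"10.0.{i % 16}.{i % 251 + 1}"  # constructed, spoofed-looking sources
        sport = 1024 + i
        if kind == "scatter":
            dport = 1 + (i * 37) % 65535  # a different port for every packet
            lines.append(f"{i // 100} {src} {sport} {dport} S")
        elif kind == "targeted":
            lines.append(f"{i // 100} {src} {sport} 80 S")
        elif kind == "ack":
            lines.append(f"{i // 100} {src} {sport} 80 A")
        else:
            raise ValueError(f"unknown burst kind: {kind}")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind in ("normal", "scatter", "targeted", "ack"):
        table = NORMAL_STATE if kind == "normal" else set()
        print(kind, classify(parse_log(make_burst(kind)), table))
```

The point of separating the three patterns is that each calls for a different mitigation: scatter-SYN is what a default-deny rule for unused ports absorbs (as in the original poster's setup), targeted-SYN needs SYN-rate or SYN-cookie style handling on the service port itself, and orphan ACKs only show up as a distinct signal if the firewall keeps state and can tell them apart from traffic belonging to real connections.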




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1042331949.784310.69034.nullmailer>