
[suse-security] Handling DoS Attacks from within



We are a small ISP using wireless (radio, not cellular) links and have 
been experiencing increasing incidents of DoS (SYN Flood and smurf) 
attacks.  When first encountered, we built and deployed a bridging 
firewall using SuSE 9.1 and Shorewall which does exactly what it is 
designed to do: filter traffic entering or leaving the subnet it protects.

However, the statistics reveal that most of our attacks originate within 
the subnet and not from the outside (internet).  We have been using 
ethereal to capture traffic and, using that to ID the source, cut them off 
only to have the attack resume from another system on the subnet. For 
example, Machine A will syn flood B but it also affects every other user 
on the subnet by consuming bandwidth.  If we shut A off, then shortly, C 
will attack D, etc.

Since most of our customers use M$ systems, we are thinking we have several 
infested with some sort of worm or trojan but it is a daunting task to 
identify the culprit and remedy the situation.

What we have done:
	1. Implement a bridging firewall to protect against attacks from
	   the outside.
	2. Implement full email filtering using SuSE/Postfix/amavis-new/
	   clamAV/spamassassin.
	3. Attempt to identify and deal with infested systems
	   (Really the customers' responsibility but ...)

Questions:
	1. What tools other than ethereal should we use?
	2. Is there any other protective measure we can take to fend
	   off the attacks from within our own networks given that 
	   we do not have total control of the network as a corporate
	   user would?
	3. Are there particular worms or trojans which operate like this?


Any suggestions would be GREATLY appreciated including other lists we 
might frequent.

Thank you,
Lucky Leavell
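
The capture-based source identification described in the message above, as an added example that is not part of the original post: it tallies bare SYNs per sending station from the text output of `tcpdump -e -nn -tt` and keys on the source MAC, because the claimed source IP in a SYN flood can be forged. The function names, the window and threshold values, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# One TCP/IPv4 line as printed by `tcpdump -e -nn -tt` (assumed input format).
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<mac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 "
    r".*?: (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]")

def syn_flood_sources(lines, window=1.0, threshold=100):
    """Report stations (by source MAC) that send more than `threshold` bare
    SYNs within any `window` seconds. Both limits are illustrative."""
    recent = defaultdict(deque)   # mac -> SYN timestamps still inside the window
    peak = defaultdict(int)       # mac -> highest SYN count seen in one window
    claimed = defaultdict(set)    # mac -> source IPs it claimed (may be forged)
    targets = defaultdict(set)    # mac -> (dst ip, dst port) pairs it hit
    for line in lines:
        m = LINE.match(line)
        if not m or m["flags"] != "S":   # "S." is SYN+ACK (a reply): skip it
            continue
        ts, mac = float(m["ts"]), m["mac"]
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:        # drop SYNs older than the window
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
        claimed[mac].add(m["src"])
        targets[mac].add((m["dst"], int(m["dport"])))
    return {mac: {"peak_syns": n, "claimed_ips": sorted(claimed[mac]),
                  "targets": sorted(targets[mac])}
            for mac, n in peak.items() if n > threshold}

def constructed_capture():
    """Constructed sample lines (documentation addresses), not real traffic."""
    fmt = ("{ts:.6f} {mac} > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: "
           "{src}.{sport} > {dst}: Flags [{fl}], seq 1, win 5840, length 0")
    out = [fmt.format(ts=1000 + i * 0.001, mac="02:00:00:00:00:0a", fl="S",
                      src=f"192.0.2.{i % 4 + 1}", sport=1024 + i, dst="192.0.2.50.80")
           for i in range(300)]                       # 300 SYNs in 0.3 s
    out += [fmt.format(ts=1000 + i * 0.5, mac="02:00:00:00:00:0b", fl="S",
                       src="192.0.2.20", sport=40000 + i, dst="192.0.2.60.25")
            for i in range(3)]                        # an ordinary client
    out.append(fmt.format(ts=1000.2, mac="02:00:00:00:00:0c", fl="S.",
                          src="192.0.2.50", sport=80, dst="192.0.2.20.40000"))
    return sorted(out)                                # fixed-width timestamps

if __name__ == "__main__":
    for mac, info in syn_flood_sources(constructed_capture()).items():
        print(mac, info)
```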
