[suse-security] Handling DoS Attacks from within
We are a small ISP using wireless (radio, not cellular) links and have
been experiencing increasing incidents of DoS (SYN Flood and smurf)
attacks. When first encountered, we built and deployed a bridging
firewall using SuSE 9.1 and Shorewall which does exactly what it is
designed to do: filter traffic entering or leaving the subnet it protects.
However, the statistics reveal that most of our attacks originate within
the subnet and not from the outside (internet). We have been using
ethereal to capture traffic and, using that to ID the source, cut them off
only to have the attack resume from another system on the subnet. For
example, Machine A will syn flood B but it also affects every other user
on the subnet by consuming bandwidth. If we shut A off, then shortly, C
will attack D, etc.
Since most of our customers use M$ systems, we are thinking we have several
infested with some sort of worm or trojan but it is a daunting task to
identify the culprit and remedy the situation.
What we have done:
1. Implement a bridging firewall to protect against attacks from
2. Implement full email filtering using SuSE/Postfix/amavis-new/
3. Attempt to identify and deal with infested systems
(Really the customers' responsibility but ...)
1. What tools other than ethereal should we use?
2. Is there any other protective measure we can take to fend
off the attacks from within our own networks given that
we do not have total control of the network as a corporate
3. Are these particular worms or trojans which operate like this?
Any suggestions would be GREATLY appreciated including other lists we
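The poster identifies flooding hosts by reading ethereal captures by hand. The script below is an added example, not part of the original message, that automates that step over a text export of a capture (the kind of one-line-per-packet summary tcpdump or tshark can print; the lines here are constructed and simplified, not a real capture). It flags hosts that send many SYNs without completing handshakes (the SYN-flood pattern described above) and hosts that send ICMP echo requests to the subnet broadcast address (the smurf pattern). The thresholds, the broadcast address set and the address 10.1.1.0/24 are assumptions to be tuned to a real subnet.

```python
"""Flag likely SYN-flood and smurf sources in a text packet summary.

Added example, not from the original post.  Assumes a capture exported
to a tcpdump-style text summary; sample lines and thresholds below are
constructed placeholders.
"""
import re
from collections import defaultdict

# One TCP summary line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>] ..."
TCP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[([^\]]*)\]"
)
# One ICMP echo request line: "<time> IP <src> > <dst>: ICMP echo request ..."
ICMP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request"
)


def build_sample_capture():
    """Return constructed tcpdump-style lines (not a real capture)."""
    lines = []
    # 10.1.1.5 sends 50 SYNs to 10.1.1.9:80 from rotating source ports
    # and never completes a handshake: the intra-subnet SYN-flood pattern.
    for i in range(50):
        lines.append(f"10:00:01.{i:06d} IP 10.1.1.5.{40000 + i} > 10.1.1.9.80: Flags [S], seq {i}")
    # 10.1.1.7 performs one ordinary three-way handshake with 10.1.1.9:80.
    lines += [
        "10:00:02.000000 IP 10.1.1.7.1025 > 10.1.1.9.80: Flags [S], seq 100",
        "10:00:02.000100 IP 10.1.1.9.80 > 10.1.1.7.1025: Flags [S.], seq 0, ack 101",
        "10:00:02.000200 IP 10.1.1.7.1025 > 10.1.1.9.80: Flags [.], ack 1",
    ]
    # 10.1.1.12 pings the subnet broadcast address repeatedly (smurf pattern).
    for i in range(5):
        lines.append(f"10:00:03.{i:06d} IP 10.1.1.12 > 10.1.1.255: ICMP echo request, id 1, seq {i}")
    # 10.1.1.7 pings a single host: benign, must not be flagged.
    lines.append("10:00:04.000000 IP 10.1.1.7 > 10.1.1.9: ICMP echo request, id 2, seq 1")
    return "\n".join(lines)


def analyse(capture_text, syn_threshold=20, max_ack_ratio=0.1, broadcast=frozenset()):
    """Count SYNs and third-leg ACKs per source; report flooders and broadcast pingers.

    A host is a SYN-flood candidate when it sent at least `syn_threshold`
    pure SYNs and its ACK/SYN ratio is at most `max_ack_ratio`.  The ratio
    is a heuristic: plain data ACKs also show as "[.]", so normal busy
    hosts score higher, not lower, which keeps them out of the list.
    """
    syn_sent = defaultdict(int)     # src -> number of pure SYN segments sent
    ack_sent = defaultdict(int)     # src -> number of "[.]" ACK segments sent
    targets = defaultdict(set)      # src -> destinations it sent SYNs to
    bcast_echo = defaultdict(int)   # src -> echo requests sent to a broadcast address

    for line in capture_text.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, dst, flags = m.groups()
            if flags == "S":            # SYN only; "[S.]" is the server's SYN-ACK
                syn_sent[src] += 1
                targets[src].add(dst)
            elif flags == ".":          # bare ACK, including the handshake's third leg
                ack_sent[src] += 1
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) in broadcast:
            bcast_echo[m.group(1)] += 1

    syn_flooders = {}
    for src, n in syn_sent.items():
        if n >= syn_threshold and ack_sent[src] / n <= max_ack_ratio:
            syn_flooders[src] = {"syn": n, "ack": ack_sent[src], "targets": sorted(targets[src])}
    return {"syn_flooders": syn_flooders, "smurf_sources": dict(bcast_echo)}


if __name__ == "__main__":
    # Assumed subnet broadcast address for the constructed sample.
    report = analyse(build_sample_capture(), syn_threshold=20, broadcast={"10.1.1.255"})
    for src, info in report["syn_flooders"].items():
        print(f"SYN flood candidate {src}: {info['syn']} SYNs, {info['ack']} ACKs -> {info['targets']}")
    for src, count in report["smurf_sources"].items():
        print(f"Broadcast echo source {src}: {count} requests")
```

Run it against a real export (for example `tcpdump -nn -r capture.pcap`) and adjust `syn_threshold` to the rate that is abnormal for the subnet; a host that repeatedly tops the SYN list, or that pings the broadcast address at all, is the one to disconnect and inspect next, and the script can be re-run on the next capture when the activity moves to another machine.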