hey rick... are you the same rick, who used to work with a company in san mateo.. that used to deal with akamai... -----Original Message----- From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Rick Stevens Sent: Wednesday, November 26, 2008 10:18 AM To: Community assistance, encouragement,and advice for using Fedora. Subject: Re: F9 DOS attack Dave Feustel wrote: > On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote: >> hi dave... >> >> just saw this thread. are you running a static ip on your external internet >> connection. if you aren't, you could simply force the cable modem to reset >> to another ip address.. > > I tried reseting the cable modem but I'm not sure it changes my ip > address. > >> you might have to work with comcast tech support to accomplish this. (get a >> 2nd/3rd level guy who actually knows/wants to help you out) > > I'm going to try to talk with them about this tomorrow. > >> if you've already done this, has it managed to slow the offender down? > > No. But the attack had ceased when I got up this morning. > >> do you have a router connected to the cable modem? does it log the ip >> addresses of the offending client? > > I use pf with a block all incoming rule. I don't see any traffic with > pftop, but I saw a lot of incoming packets by observing the leds on my > cable modem. It's pretty clear to me that both F9 and Suse11 are > vulnerable to attack from the internet. I'm starting to get very > interested in linux security and preventing dos attacks. ANYTHING connected to the internet is vulnerable to attack, be it SYN floods, brute force SSH attempts, any number of others. Wait till you get a DC++ attack! The only way to block that sucker is to do a deep packet inspection of the payload and drop the connections or find the hub that has you listed and kill it somehow. It's totally irrelevant what OS you run, it's an attack against the interface. Different OSes handle it differently. It's best to have a hardware firewall out front, but then internal software firewalls like iptables are your second level of defense. Next is making sure only the network "listeners" you NEED are enabled. I manage a network that seems to have a big, red target painted on it. I deal with this all the time. Thank goodness for our Cisco, Foundry and Radware gear out front! They block most of it, the rest we deal with via iptables and we monitor EVERYTHING (my cell phone has almost melted on occasion from the SMS text alerts when a DOS is attempted). As to your problem, Comcast's first level techs (and I'm being generous using that term) are notoriously crappy as far as solving problems. They're not much more than telemarketers and work off a script. Ask them something off script and they're at sea. Can't say Time Warner is much better. One problem I had with them: Me: "I'm not getting a DHCP address from you, your DHCP servers are down." Them: "Which OS?" Me: "Linux." Them: "Oh, we don't support Linux." Me: "DHCP is DHCP you twit. The OS has nothing to do with it! Let me talk to a level 3 tech." (this went on for about five minutes, I threatened dire vengeance, then I got a level 3 guy [skipped level 2, they're idiots, too]) Level3Guy: "What's the problem?" Me: "You're not giving out DHCP addresses. Your servers are down." L3G: "I don't think so." Me: "Dude, I'm watching a tcpdump of it. I'm sending requests and you're not answering. No denials, no responses, nada." L3G: "Let me check." (long pause) L3G: "Yeah, six of them crashed." Me: "You don't monitor that sort of thing?" L3G: "Uh, guess not." Me: "ARRRRRRGGGGGHHHHHHH!" ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer ricks@xxxxxxxx - - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 - - - - If the enemy's in range...so are you! - ---------------------------------------------------------------------- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
