On Tue, Dec 09, 2003 at 09:40:47AM -0700, Michael Gale wrote:
> Hello,
>
> Can you provide more detail on the type of traffic that caused the DOS -- this may help people in the list with suggestions on how to block it :)
>
Yep. It was tcp-connections from the windows box (infected by the worm) to
some network-ranges on the internet. source-port was pretty much random, but
the destination was always 80. So the normal 'allow web browsing' rules
allowed the worm to DoS the linux-firewall.
It just opened the connections all the time, but didn't close them.
> Michael.
>
-- Pasi Kärkkäinen
^
. .
Linux
/ - \
Choice.of.the
.Next.Generation.
