-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
DDOS, whence the attacker flood you with more packets then your pipe<s>
can handle leaves you at pretty much the mercy of the attacker. No
different the plumbing if a one inch pipe is fed by a 5 inch pipe, the one
inch pipe is filled to more then is can push forth. Upstream providers
might beable to provide some assitance in limiting the flood, but if the
aggregate bandwidth of the attacking pipe<s> are again larger then the
upstream SOL is the case.
Thanks,
Ron DuFresne
On Wed, 7 Jun 2006, Jeho Park wrote:
Alberto Ferrer wrote:
¿So its impossible stop a DDoS ? (SYN Flood in my case.)
if you limit DDos to the TCP SYN flood, you may be right
but there are so many DDos patterns not based TCP..
so if you make enable tcp_sync_cookies flag of your kernel, you can protect
TCP sync attack,
but as time goes on, your system and network will be stoped. so that solution
can't solve the problem basically
( please refer to the "sietse van zanen"'s post and
http://www2.laas.fr/METROSEC/attacks-taxonomy-SAR2005.pdf )
in the DDOS problem, i think QoS or my idea dropping any flooding packet in
NIC driver layer may give a more general solution than IP-based netfilter.
there are so many paper to solve this DDos, but as i know there is none exact
solution to resolve this DDos exactly.
2006/6/6, Jeho Park <jhpark-nf-user@xxxxxxxxxxxxxxxxx>:
Sietse van Zanen wrote:
>There's not really very much you can do about DDOS attacks with netfilter
alone. You can block the traffic ofcourse, or try to fiddle with --limit,
or tcp_syn_cookies.
>
>
i think as a attacker try to send more and more sync packets, router
will lose cpu time and system resource .. even if tcp_syn_cookies
function is active or not. the reason i think like this is that i heard
tcp_syn_cookies
can't stop router being slow..
in this DDOS attaction problem, i suggest as NIC driver module detects
packet flooding, DOS attack and block or
ignore the packet which is sent from the attacker. we can protect out
network backlog safely and there will be no network soft irq ..
a few week later, i will try to test my idea.
i will use detection engine i made 3 year ago (
http://sourceforge.net/projects/geto )
as a result, i can't sure my idea is right. so i try to test that.
>But usually the problem is that the amount of traffic just fills your
entire Internet connecection, which renders it useless. The only thing you
can do in such a situation is ask yout ISP to block the attack upstream.
>And often, ISPs are very unhappy about customers being DDOS-ed.
>
>-Sietse
>
>-----Original Message-----
>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Alberto Ferrer
>Sent: Saturday, June 03, 2006 10:33 PM
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: How stop DoS and SYN attack..
>
>¿any know a way to stop via Linux with iptables or related a SYN attack ?
>¿where i can read something related to this?
>
>Thanks in advance.
>
>P.S: sorry for my bad english :D
>--
>Alberto Ferrer
>
>
>
>
>
>
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEhcKlst+vzJSwZikRAi5LAJ9opjo/1eY+E7f2qMMcq2HngOvHbgCfSxh+
FOAn6Zu6gKPUXe44jaKYEOo=
=j8h6
-----END PGP SIGNATURE-----
