[54866] in North American Network Operators' Group


Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Sun Jan 19 09:38:54 2003

Date: Sun, 19 Jan 2003 09:38:10 -0500
From: "Johannes Ullrich" <jullrich@euclidian.com>
To: "Avleen Vig" <lists-nanog@silverwraith.com>
Cc: lists-nanog@silverwraith.com, nanog@trapdoor.merit.edu
X-Qmail-Scanner-Mail-From: jullrich@euclidian.com via server.euclidian.com
In-Reply-To: <20030119055034.T27648@guava.silverwraith.com>
Errors-To: owner-nanog-outgoing@merit.edu




> *shrug* just seems like it would make more sense to block all incoming
> 'syn' packets.
> Wouldn't that be faster than inspecting the destination port against two
> separate rules?

Blocking all SYNs will break too much other stuff (Instant Messengers,
games ...). I think we would be much better off if they (consumer ISPs)
would block 135-139 and 445, maybe 21 and 80.

The rest could be handled with a simple IDS (doesn't even need
to match patterns... just count packets going to 27374 and the like)

I keep saying ISPs would be much better off if they implemented these
filters. But not all of them agree. IMHO: less 'zombies' -> better
service -> less support phone calls.



-- 
--------------------------------------------------------------------
jullrich@euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
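The two defensive ideas in the reply above, the per-port ISP filter and the "simple IDS" that just counts packets going to 27374 and the like, as an added Python example that is not part of the thread or of any code by its authors. The log format ("epoch src dst proto dport flags") and the sample lines are constructed for the example; the threshold and the exact port set are assumptions, with the ports taken from the reply.

```python
# Added example, not code from the NANOG thread or its authors.
# A minimal "count SYNs to a port" detector of the kind the reply
# describes, plus the per-port ISP filter it suggests, applied to a
# constructed log. Nothing here is a real ISP's rule set.
from collections import Counter, defaultdict

# Ports named in the reply: 135-139 and 445 (Windows RPC/NetBIOS/SMB),
# optionally 21 (FTP) and 80 (HTTP).
ISP_FILTER_PORTS = set(range(135, 140)) | {445, 21, 80}

# Ports whose inbound SYN rate is worth counting; 27374 is the port the
# reply names, the rest are the filter ports above.
WATCHED_PORTS = ISP_FILTER_PORTS | {27374}

# Constructed log lines in an assumed "epoch src dst proto dport flags" form.
SAMPLE_LOG = """\
1042965490 10.0.0.7 192.0.2.10 tcp 27374 S
1042965490 10.0.0.7 192.0.2.11 tcp 27374 S
1042965491 10.0.0.7 192.0.2.12 tcp 27374 S
1042965491 10.0.0.7 192.0.2.13 tcp 27374 S
1042965492 10.0.0.7 192.0.2.14 tcp 27374 S
1042965492 10.0.0.7 192.0.2.15 tcp 27374 S
1042965493 10.0.0.9 198.51.100.5 tcp 80 S
1042965493 10.0.0.9 198.51.100.5 tcp 443 S
1042965494 10.0.0.12 192.0.2.20 tcp 445 S
1042965494 10.0.0.12 192.0.2.21 tcp 445 S
1042965495 10.0.0.12 192.0.2.22 tcp 445 S
1042965495 10.0.0.12 192.0.2.22 tcp 139 S
1042965496 10.0.0.9 198.51.100.5 tcp 80 A
malformed line that the parser must skip
"""


def parse_line(line):
    """Return (src, dst, dport, flags) or None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "tcp":
        return None
    try:
        dport = int(parts[4])
    except ValueError:
        return None
    if not 0 < dport < 65536:
        return None
    return parts[1], parts[2], dport, parts[5]


def watched_syn_counts(log_text):
    """Count SYN packets per source to watched ports: src -> Counter(dport)."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, _dst, dport, flags = rec
        # Only connection attempts (SYN without ACK) count; replies do not.
        if "S" in flags and "A" not in flags and dport in WATCHED_PORTS:
            counts[src][dport] += 1
    return counts


def suspicious_sources(log_text, threshold=5):
    """Sources whose SYNs to watched ports reach the threshold, busiest first."""
    counts = watched_syn_counts(log_text)
    hits = [(src, sum(c.values())) for src, c in counts.items()]
    return sorted((h for h in hits if h[1] >= threshold),
                  key=lambda h: (-h[1], h[0]))


def isp_filter_verdict(dport, flags):
    """Per-port filter from the reply: drop inbound SYNs to the listed
    ports and pass everything else, rather than dropping every SYN."""
    if "S" in flags and "A" not in flags and dport in ISP_FILTER_PORTS:
        return "drop"
    return "accept"


if __name__ == "__main__":
    for src, total in suspicious_sources(SAMPLE_LOG):
        ports = dict(watched_syn_counts(SAMPLE_LOG)[src])
        print(f"{src}: {total} SYNs to watched ports {ports}")
```

On the constructed log, 10.0.0.7 is reported (six SYNs to 27374) while 10.0.0.9, which only opened normal web connections, is not; the SYN-without-ACK check is what keeps legitimate traffic and replies out of the count, which is the point the reply makes against dropping all SYNs.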


