Hello
It would be much better to fight the root cause and force every ISP in the world to block forged packets, for example with unified reverse path checks facing the customers. Ok, I'm just kidding ...
Unfortunately there is no direct benefit for the implementing ISPs because it helps all the others. But we can start in the "SWINOG" community and make it better.
Maybe we can talk about this at our next meeting? Because I think the number of DoS attacks is increasing. After the last two presentations about Netflow capturing I guess SWITCH has the space and the cluster to calculate some numbers ;-)
What do you think about an open discussion at the next meeting?
Regards Erich
On Friday, 11.04.2008, 16:56 +0200, Schenkel Martin wrote:
Well, the only good solution to this ugly attack is to do what Goetz suggested: as an ISP, inbound-filter the offending IP address. This is what we did several hours ago and all has been fine since then.
Firewalls of all types and models have/had issues with this attack. On some you might be able to turn on a SYN flood attack feature which will then blacklist the IP locally on the firewall.
Martin
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Olivier Mueller Sent: Friday, 11 April 2008 16:05 To: swinog@swinog.ch Subject: Re: [swinog] fw change on bluewin adsl accounts today?
re,
On Fri, 2008-04-11 at 15:16 +0200, Erich Hohermuth wrote:
We also have a few customers complaining about connection troubles, most of them have a ZyWALL. After some netflow debugging we see many port 80 SYN connections which seem to be the cause of the troubles.
Thanks for the feedback Erich! In the meantime, the Bluewin hotline called back (yes, I know, I couldn't believe it either :-)) but they had no special information: they just confirmed nothing happened this night regarding the setup.
Asking on #swinog (IRC) helped a bit more: it seems some other people had the same problem, and as a solution the suggestion was: "if you do NAT on Zyxel router please consider to close port 80 or block the IP 212.224.127.14" (thx Claudio).
I did that on the routers (by luck a good old ISDN-based dial-in was available everywhere), and now everything looks stable. To be continued... ?
regards, Olivier
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
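The thread describes the two things that actually got done: spotting the flood in NetFlow ("many port 80 SYN connections") and then inbound-filtering the offending source at the ISP edge. The script below is an added example, not code posted by anyone in the thread, showing how that triage looks when automated. It works over a few constructed flow records in a simplified CSV layout (not real nfdump output), treats a TCP flow whose cumulative flags are SYN-only and that never grew beyond a couple of packets as a half-open connection, counts those per source toward a port, and emits IOS-style ACL entries (assumed syntax) for sources over a threshold. The threshold, the addresses and the records are all assumptions.

```python
"""Toy SYN-flood triage over NetFlow-style records (added example).

The records and the CSV layout below are constructed for illustration and
are not nfdump output; thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: 203.0.113.9 sprays SYN-only flows at two web servers,
# 192.0.2.77 completes a normal HTTP session, 192.0.2.5 sends one unanswered SYN.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,flags,packets,bytes
2008-04-11T15:01:00,TCP,203.0.113.9,40001,198.51.100.20,80,S,1,60
2008-04-11T15:01:00,TCP,203.0.113.9,40002,198.51.100.20,80,S,1,60
2008-04-11T15:01:00,TCP,203.0.113.9,40003,198.51.100.20,80,S,2,120
2008-04-11T15:01:01,TCP,203.0.113.9,40004,198.51.100.20,80,S,1,60
2008-04-11T15:01:01,TCP,203.0.113.9,40005,198.51.100.20,80,S,1,60
2008-04-11T15:01:01,TCP,203.0.113.9,40006,198.51.100.20,80,S,1,60
2008-04-11T15:01:02,TCP,203.0.113.9,40007,198.51.100.21,80,S,1,60
2008-04-11T15:01:02,TCP,203.0.113.9,40008,198.51.100.21,80,S,1,60
2008-04-11T15:01:02,TCP,203.0.113.9,40009,198.51.100.21,443,S,1,60
2008-04-11T15:01:03,TCP,192.0.2.77,51000,198.51.100.20,80,SPAF,12,4860
2008-04-11T15:01:03,TCP,192.0.2.5,51001,198.51.100.20,80,S,1,60
2008-04-11T15:01:04,UDP,192.0.2.5,51002,198.51.100.1,53,,1,78
"""


def parse_flows(text):
    """Parse the CSV layout above into dicts with integer port/packet fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "packets", "bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def is_half_open(flow, max_packets=2):
    """A TCP flow whose cumulative flags are SYN only and that stayed tiny
    never completed the handshake: the signature of a flood or a scan."""
    return (flow["proto"] == "TCP"
            and set(flow["flags"]) == {"S"}
            and flow["packets"] <= max_packets)


def syn_flood_sources(flows, dport=80, min_half_open=5):
    """Count half-open flows per source toward dport and return the sources
    at or above min_half_open, largest first, with their distinct target count."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for flow in flows:
        if flow["dport"] == dport and is_half_open(flow):
            counts[flow["src"]] += 1
            targets[flow["src"]].add(flow["dst"])
    suspects = {src: {"half_open": n, "targets": len(targets[src])}
                for src, n in counts.items() if n >= min_half_open}
    return dict(sorted(suspects.items(), key=lambda kv: -kv[1]["half_open"]))


def acl_lines(suspects):
    """IOS-style extended ACL entries (assumed syntax) to drop each suspect
    source on the customer-facing inbound direction."""
    return [f"deny ip host {src} any" for src in suspects]


if __name__ == "__main__":
    report = syn_flood_sources(parse_flows(SAMPLE_FLOWS))
    for src, info in report.items():
        print(f"{src}: {info['half_open']} half-open SYN flows to port 80 "
              f"against {info['targets']} target(s)")
    print("\n".join(acl_lines(report)))
```

Two caveats a practitioner would add, both already implicit in the thread: an inbound source filter only helps when the source address is real, which is exactly why Erich raises reverse path checks against forged packets; and a single unanswered SYN (192.0.2.5 above) is normal traffic, so the threshold has to sit well above what a legitimate client produces.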