Well, the only good solution to this ugly attack is to do what Goetz suggested: as an ISP, inbound filter the offending IP address. This is what we did several hours ago and all is fine since then.
Firewalls of all types and models have/had issues with this attack. On some you might be able to turn on a SYN flood attack feature which will then blacklist the IP locally on the firewall.
Martin
-----Original Message-----
From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Olivier Mueller
Sent: Friday, 11 April 2008 16:05
To: swinog@swinog.ch
Subject: Re: [swinog] fw change on bluewin adsl accounts today?
re,
On Fri, 2008-04-11 at 15:16 +0200, Erich Hohermuth wrote:
> We also have a few customers complaining about connection troubles, most of them have a ZyWALL. After some netflow debugging we see many port 80 SYN connections, which seem to be the cause of the troubles.
Thanks for the feedback Erich! In the meantime, the Bluewin hot-line called back (yes, I know, I couldn't believe it either :-)) but they had no special information: they just confirmed nothing happened this night about the setup.
Asking on #swinog (irc) helped a bit more: it seems some other people had the same problem, and as a solution the suggestion was: "if you do NAT on Zyxel router please consider to close port 80 or block the IP 212.224.127.14" (thx Claudio).
I did that on the routers (by luck a good old ISDN-based dial-in was available everywhere), and now everything looks stable. To be continued... ?
regards, Olivier
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog