F9 DOS attack

Fred Silsbee fredsilsbee at yahoo.com
Wed Nov 26 18:36:15 UTC 2008




--- On Wed, 11/26/08, Rick Stevens <ricks at nerd.com> wrote:

> From: Rick Stevens <ricks at nerd.com>
> Subject: Re: F9 DOS attack
> To: "Community assistance, encouragement, and advice for using Fedora." <fedora-list at redhat.com>
> Date: Wednesday, November 26, 2008, 6:18 PM
> Dave Feustel wrote:
> > On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
> >> hi dave...
> >>
> >> just saw this thread. are you running a static ip on your external internet
> >> connection. if you aren't, you could simply force the cable modem to reset
> >> to another ip address..
> > 
> > I tried resetting the cable modem but I'm not sure it changes my ip
> > address.
> >  
> >> you might have to work with comcast tech support to accomplish this. (get a
> >> 2nd/3rd level guy who actually knows/wants to help you out)
> > 
> > I'm going to try to talk with them about this tomorrow.
> >  
> >> if you've already done this, has it managed to slow the offender down?
> > 
> > No. But the attack had ceased when I got up this morning.
> >  
> >> do you have a router connected to the cable modem? does it log the ip
> >> addresses of the offending client?
> > 
> > I use pf with a block all incoming rule. I don't see any traffic with
> > pftop, but I saw a lot of incoming packets by observing the leds on my
> > cable modem. It's pretty clear to me that both F9 and Suse11 are
> > vulnerable to attack from the internet. I'm starting to get very
> > interested in linux security and preventing dos attacks.
> 
> ANYTHING connected to the internet is vulnerable to attack, be it SYN
> floods, brute force SSH attempts, any number of others.  Wait till you
> get a DC++ attack!  The only way to block that sucker is to do a deep
> packet inspection of the payload and drop the connections or find the
> hub that has you listed and kill it somehow.
> 
> It's totally irrelevant what OS you run, it's an attack against the
> interface.  Different OSes handle it differently.  It's best to have a
> hardware firewall out front, but then internal software firewalls like
> iptables are your second level of defense.  Next is making sure only
> the network "listeners" you NEED are enabled.  I manage a network
> that seems to have a big, red target painted on it.  I deal with this
> all the time.  Thank goodness for our Cisco, Foundry and Radware gear
> out front!  They block most of it, the rest we deal with via iptables
> and we monitor EVERYTHING (my cell phone has almost melted on occasion
> from the SMS text alerts when a DOS is attempted).
> 
> As to your problem, Comcast's first level techs (and I'm being generous
> using that term) are notoriously crappy as far as solving problems.
> They're not much more than telemarketers and work off a script. Ask them
> something off script and they're at sea.  Can't say Time Warner is much
> better.  One problem I had with them:
> 
> Me: "I'm not getting a DHCP address from you, your DHCP servers are down."
> Them: "Which OS?"
> Me: "Linux."
> Them: "Oh, we don't support Linux."
> Me: "DHCP is DHCP you twit.  The OS has nothing to do with it!  Let me
> talk to a level 3 tech."
> (this went on for about five minutes, I threatened dire vengeance,
> then I got a level 3 guy [skipped level 2, they're idiots, too])
> Level3Guy: "What's the problem?"
> Me: "You're not giving out DHCP addresses.  Your servers are down."
> L3G: "I don't think so."
> Me: "Dude, I'm watching a tcpdump of it.  I'm sending requests and
> you're not answering.  No denials, no responses, nada."
> L3G: "Let me check."
> (long pause)
> L3G: "Yeah, six of them crashed."
> Me: "You don't monitor that sort of thing?"
> L3G: "Uh, guess not."
> Me: "ARRRRRRGGGGGHHHHHHH!"
> 
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2   -
> -                                                                      -
> -               If the enemy's in range...so are you!                  -
> ----------------------------------------------------------------------
> 

Refreshing news on the internet a few weeks ago: a big load of spammers and internet attackers headed to prison.

Have some compassion now! The problem started with their childhood potty training!

Ref: the basement guy in the De Niro/Norton movie "The Score"
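Bruce's question in the thread (does the router log the offending client's IP?) and Rick's point about iptables as the second line of defence come together in one practical step on a Linux box: log what the default-deny policy drops, then mine that log for the noisiest sources and SYN bursts. The script below is an added example, not code from this thread; it assumes a LOG rule such as `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "IPT-DROP: "` placed ahead of a DROP policy, and the sample lines it parses are constructed in the kernel's LOG format with RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of iptables LOG output as found in /var/log/messages,
# e.g. from: iptables -A INPUT -p tcp --syn -j LOG --log-prefix "IPT-DROP: "
# placed ahead of a default DROP policy.  Addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 26 05:30:09 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=43521 DPT=22 SYN
Nov 26 05:30:09 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=43522 DPT=22 SYN
Nov 26 05:30:10 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=43523 DPT=80 SYN
Nov 26 05:30:10 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Nov 26 05:30:11 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=43524 DPT=443 SYN
Nov 26 05:31:40 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=33434
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: [^:]*: (?P<fields>.*)$")

def parse_line(line, year=2008):
    """Parse one LOG line into a dict of KEY=VALUE fields plus 'ts' and 'syn'; None if not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), "syn": False}
    for tok in m["fields"].split():
        if "=" in tok:
            rec.update([tok.split("=", 1)])   # KEY=VALUE field (OUT= gives an empty value)
        elif tok == "SYN":                      # TCP flags appear as bare words after the fields
            rec["syn"] = True
    return rec

def top_sources(lines, n=3):
    # Most frequent SRC addresses among dropped packets, as (addr, count) pairs.
    return Counter(r["SRC"] for r in map(parse_line, lines) if r).most_common(n)

def syn_burst_sources(lines, threshold, window_seconds):
    """Addresses that sent at least `threshold` SYNs within any `window_seconds` span."""
    per_src = defaultdict(list)
    for r in map(parse_line, lines):
        if r and r["syn"]:
            per_src[r["SRC"]].append(r["ts"])
    flagged = []
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):       # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)
```

On a live system feed it `open("/var/log/messages")` instead of `SAMPLE_LOG.splitlines()`; the burst list is what you would hand to your upstream provider, since a default-deny rule without a LOG target leaves nothing to show them.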