Thanks for your help - two last questions regarding this:

1. On a FreeBSD router/firewall, does it take more processing power to
respond to (and reset) a SYN to a target IP:port that is nonexistent than
it does to respond to a target IP:port that is in heavy use ?

That is, is there some caching mechanism in use that makes incoming DoS
packets to _already busy_ IP:ports "cost less" in terms of processor than
SYN packets to IP:ports that don't exist ?  Just curious.


2. If this is getting beyond the scope of this list, what list should I
move to ?  I have been reading through NANOG archives, and any DoS
discussion there just seems to degenerate into "it is/is not your fault
since you run IRC, which is/is not a legitimate service".

thanks - and thanks for the pointer to your document which I am reading
and re-reading.



On Sat, 11 Jan 2003, Richard A Steenbergen wrote:

> On Thu, Jan 09, 2003 at 10:21:52AM -0800, Josh Brooks wrote:
> >
> > But, I am concerned ... I am concerned that the attacks will simply
> > change/escalate to something else.
> >
> > If I were a script kiddie, and I suddenly saw that all of my garbage
> > packets to nonexistent ports were suddenly being dropped, and say I nmap'd
> > the thing and saw that those ports were closed - what would my next step
> > be ?  Prior to this the attacks were very simply a big SYN flood to random
> > ports on the victim, and because of the RSTs etc., all this traffic to
> > nonexistent ports flooded the firewall off.
> >
> > So what do they do next ?  What is the next step ?  The next level of
> > sophistication to get around the measures I have put into place (that have
> > been very successful - I have an attack ongoing as I write this, and it
> > isn't hurting me at all)
>
> You're very right, that's exactly what they will do. Many frequent DoS
> victims find it easier to leave open a hole so they can die easily, rather
> than risk the attacks escalating and taking out other parts of the network
> or services, other customers, etc.
>
> Obviously the next step would be for them to move to SYN flooding only the
> ports of the service they are trying to kill, rather than random ports (if
> they were smart or motivated by anything other than "I'll keep changing
> numbers until they go down again" they would be doing that already). The
> next step would be ACK floods so you can't even keep already established
> flows up during the attack (though if it's a quick connect/disconnect
> service like http it wouldn't matter). The next step would be attacking
> the routers near the victim... Etc etc etc.
>
> But I think you're now going outside the scope and expertise of this
> mailing list. :)
>
> --
> Richard A Steenbergen <[EMAIL PROTECTED]>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>

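The thread separates three traffic patterns: SYNs to closed ports (each of which the victim answers with a RST, the load Josh's drop rule removed), SYNs aimed at the listening service port, and bare ACK floods against established flows. As an added example that is not code from the freebsd-net thread, its participants or FreeBSD, the following Python script classifies tcpdump-style TCP lines into those categories so a defender can see which stage an attack is in. The sample lines are constructed (the protected host 192.0.2.10, the IRC port 6667 and the client addresses are assumptions) and imitate tcpdump's default TCP output; only the addresses, ports and flag field are parsed.

```python
"""Classify TCP control segments toward a protected host from tcpdump-style lines.

Added example for the thread above; not code from the freebsd-net list or its
participants. The sample lines are constructed and imitate tcpdump's default
TCP output format; the host, ports and addresses are assumptions.
"""
import re
from collections import Counter

# Constructed sample (not a real capture). 192.0.2.10 is the protected host and
# only port 6667 (the IRC service) is listening.
SAMPLE_LINES = """\
12:00:00.000001 IP 198.51.100.7.40001 > 192.0.2.10.6667: Flags [S], seq 1, win 512, length 0
12:00:00.000002 IP 198.51.100.7.40002 > 192.0.2.10.31337: Flags [S], seq 1, win 512, length 0
12:00:00.000003 IP 192.0.2.10.31337 > 198.51.100.7.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000004 IP 198.51.100.7.40003 > 192.0.2.10.12345: Flags [S], seq 1, win 512, length 0
12:00:00.000005 IP 192.0.2.10.12345 > 198.51.100.7.40003: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000006 IP 203.0.113.9.51000 > 192.0.2.10.6667: Flags [S], seq 100, win 65535, length 0
12:00:00.000007 IP 192.0.2.10.6667 > 203.0.113.9.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:00.000008 IP 203.0.113.9.51000 > 192.0.2.10.6667: Flags [.], ack 501, win 65535, length 0
12:00:00.000009 IP 198.51.100.7.40004 > 192.0.2.10.6667: Flags [.], ack 1, win 512, length 0
"""

ADDR = r"\d+(?:\.\d+){3}"
LINE_RE = re.compile(
    rf"^\S+ IP (?P<src>{ADDR})\.(?P<sport>\d+) > (?P<dst>{ADDR})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def classify(lines, host, listening_ports):
    """Return counts that separate the traffic patterns discussed in the thread.

    - syn_to_closed: SYNs per non-listening port; each one makes `host` answer
      with a RST, so this is the pattern a "drop SYNs to closed ports" rule removes.
    - syn_to_open: SYNs per listening port (the escalation to the service port).
    - half_open: SYNs to open ports never followed by the client's ACK.
    - orphan_acks: bare ACK segments with no handshake in the sample (ACK-flood sign).
    - rst_sent: RSTs emitted by `host`, i.e. the replies the firewall had to pass.
    """
    syn_to_open = Counter()
    syn_to_closed = Counter()
    pending = set()       # (src, sport) with a SYN seen, handshake not finished
    orphan_acks = 0
    rst_sent = 0
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not TCP segments in this format
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if src == host and "R" in flags:
            rst_sent += 1
        elif dst == host and flags == "S":
            if dport in listening_ports:
                syn_to_open[dport] += 1
                pending.add((src, sport))
            else:
                syn_to_closed[dport] += 1
        elif dst == host and flags == ".":
            if (src, sport) in pending:
                pending.discard((src, sport))  # three-way handshake completed
            else:
                orphan_acks += 1
    return {
        "syn_to_closed": dict(syn_to_closed),
        "syn_to_open": dict(syn_to_open),
        "half_open": len(pending),
        "orphan_acks": orphan_acks,
        "rst_sent": rst_sent,
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_LINES, "192.0.2.10", {6667}).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports two SYNs to closed ports (and the two RSTs they drew from the host), two SYNs to the IRC port of which one never completed its handshake, and one bare ACK with no handshake behind it; a rising `syn_to_open` or `orphan_acks` count after closed-port SYNs are being dropped is the escalation Richard describes.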

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
