We have been experiencing what seems like an attack of some sort. The
incoming packets are taking up the full 128k Frame Relay line for 24
hours. They normally take up only 50%.
I am looking for 2 things at this point:
1. A way to detect who's attacking
2. A good packet blocking strategy.
I don't have a firewall. I set up a basic access list, but this seems to
have no effect on the attackers. I figure that if they are attacking my
router from a real IP I can just block them; however, I don't know who
they are.
Thanks,
Eric
"Eric Yellin" <Er...@migvan.co.il> wrote in message
news:3A628E1E...@migvan.co.il...
Good luck
Taigon
CCNA, CCNP
Fergie <fer...@buck.house.com> wrote in message
news:U0y86.3315$65.2...@newsfeeds.bigpond.com...
By the way... Are you sure it isn't a (very big) download from someone in
your organisation? (like a movie or something)
"Jo Soap" <1...@pnp.co.za> wrote in message
news:93uhvb$18rp$1...@nnrp01.ops.uunet.co.za...
> I doubt if this would help you. Firewall feature sets protect you against
> "uninvited guests" entering your network, but I understand this is not the
> case. Someone was utilizing your access-line with some kind of data stream.
> Whenever your router is on-line, data will cross the line to your
> router. You can block everything, but the data still crossed the line.
> Blocking an IP address is never a solution. A hacker can think of ten ways
> to get around this. If he is a real enemy, he is probably using a false
> source IP address anyway.
> I'm afraid there's not much you can do against these attackers (but if you
> find him, you know where to stick his router/PC/anything....)
I think your comments fail to take something very important into
account. Some types of floods rely upon secondary effects to do most of
their work. For example, suppose I know of an IP address that's behind a
firewall that returns ICMP 'administratively prohibited' packets when
you send TCP packets to it. I could flood you with spoofed TCP SYNs with
this source address. When your machines reply with a RST, they get back
an ICMP error from the machine with the spoofed source. Thus half the
flood is being caused by your response to the other half of the flood.
In this case, filtering this particular IP address will help you three
ways:
1) It stops you from flooding the other victim.
2) It stops your outbound bandwidth from being wasted by the attack.
3) It stops half the inbound flood, the half your own outbound traffic
was causing.
Your comments are grossly oversimplified and contain numerous unstated
assumptions.
DS
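The reflection DS describes, worked through as an added example (this is not code from the thread or from any poster). It models the three parties: an attacker injecting TCP SYNs whose source address is spoofed to a host sitting behind a firewall that answers TCP with ICMP "administratively prohibited", and the victim whose closed port answers each SYN with a RST. Counting packets on the victim side shows both halves of Eric's question: the inbound packet count halves once an inbound access list drops the spoofed source (DS's points 2 and 3), and the "top talker" an accounting view would report is the spoofed host, not the attacker. The addresses (198.51.100.7, 203.0.113.10), packet sizes and the 1000-SYN flood are assumptions for illustration.

```python
# Added example (not from the thread): a small model of the reflected flood
# DS describes. Addresses and packet sizes are assumed for illustration.
from collections import Counter
from dataclasses import dataclass

# Assumed on-the-wire sizes in bytes: IP+TCP SYN with an MSS option, a bare
# RST, and an ICMP unreachable carrying the offending IP header + 8 bytes.
SYN_SIZE = 44
RST_SIZE = 40
ICMP_UNREACH_SIZE = 56

REFLECTOR = "198.51.100.7"   # assumed: host behind the "admin prohibited" firewall
VICTIM = "203.0.113.10"      # assumed: Eric's router / host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    size: int
    kind: str    # human-readable label


class ReflectorFirewall:
    """Firewall in front of REFLECTOR: every TCP packet it sees is answered
    with ICMP type 3 code 13 (communication administratively prohibited)."""

    def receive(self, pkt: Packet) -> list[Packet]:
        if pkt.proto == "tcp":
            return [Packet(REFLECTOR, pkt.src, "icmp", ICMP_UNREACH_SIZE, "admin-prohibited")]
        return []


class VictimHost:
    """Host whose closed TCP port answers a SYN with RST. `blocked` models an
    inbound access list on the router in front of it; a dropped packet has
    still crossed the access line, so it is counted as inbound anyway."""

    def __init__(self, blocked=()):
        self.blocked = set(blocked)
        self.inbound_pkts = 0
        self.inbound_bytes = 0
        self.outbound_pkts = 0
        self.outbound_bytes = 0
        self.bytes_by_src = Counter()

    def receive(self, pkt: Packet) -> list[Packet]:
        self.inbound_pkts += 1
        self.inbound_bytes += pkt.size
        self.bytes_by_src[pkt.src] += pkt.size
        if pkt.src in self.blocked:
            return []                     # access list drops it: no reply generated
        if pkt.proto == "tcp":            # SYN to a closed port -> RST
            self.outbound_pkts += 1
            self.outbound_bytes += RST_SIZE
            return [Packet(VICTIM, pkt.src, "tcp", RST_SIZE, "RST")]
        return []                         # ICMP errors are never answered


def run_flood(n_syns: int, block_reflector: bool = False) -> dict:
    """Inject n_syns TCP SYNs toward VICTIM with REFLECTOR as the spoofed
    source, then let the two hosts react until no more packets are generated."""
    victim = VictimHost(blocked={REFLECTOR} if block_reflector else ())
    hosts = {VICTIM: victim, REFLECTOR: ReflectorFirewall()}
    queue = [Packet(REFLECTOR, VICTIM, "tcp", SYN_SIZE, "spoofed SYN") for _ in range(n_syns)]
    while queue:
        pkt = queue.pop()
        queue.extend(hosts[pkt.dst].receive(pkt))
    top = victim.bytes_by_src.most_common(1)
    top_src, top_bytes = top[0] if top else (None, 0)
    return {
        "inbound_pkts": victim.inbound_pkts,
        "inbound_bytes": victim.inbound_bytes,
        "outbound_pkts": victim.outbound_pkts,
        "outbound_bytes": victim.outbound_bytes,
        "top_src": top_src,          # what a per-source accounting view would blame
        "top_src_bytes": top_bytes,
    }


if __name__ == "__main__":
    for blocked in (False, True):
        print("ACL on " if blocked else "ACL off", run_flood(1000, block_reflector=blocked))
```

With the access list off, the victim sees 2000 inbound packets for 1000 injected SYNs and sends 1000 RSTs it never needed to; with the spoofed source filtered inbound, inbound drops to the 1000 SYNs the attacker actually sends and outbound to zero. Note the caveat for Eric's first question: the heaviest source in the per-address byte count is 198.51.100.7 in both runs, and that host is a second victim, not the attacker; the attacker's real address never appears on the wire. On an IOS router the filter in the model corresponds to an extended access list entry such as `access-list 101 deny ip host 198.51.100.7 any` applied inbound on the serial interface (address assumed, as above).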