DOS SYN attack on a large network

Robert Brockway robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Tue Aug 12 13:01:38 UTC 2008


On Tue, 12 Aug 2008, Teddy wrote:

> We have a few hundred Linux boxes.
> We do not have root access to these client boxes.
> (So I cannot secure or "fix them up")

Hi Teddy.  Who does have root access?  Do the boxes have any sysadmins who 
are directly or indirectly responsible for them?

If there are no sysadmins then I'd say there is an organisational problem.

If there are sysadmins then you should complain to them about the DoS of 
course.  If a box under the control of a sysadmin DoSed something else in 
the same company then the sysadmin would probably be hiding in shame after 
fixing it.

> Once in a while, we get a DOS or SYN or some other type of
> attack on our network, that can down the entire network.

Boxes inside your own organisation are DoSing you (!!).

> We have our switches configured correctly. (reverifying again)
>
> One thing I do notice of course is the offending box, starts making
> a tremendous amount of bandwidth. (100Mbits/sec)

What exactly are the boxes doing that a single box can apparently DoS your 
network?  i.e. what does Wireshark say about the traffic?  Is it 
unicast, broadcast or multicast?

Perhaps you need to look at switch upgrades.

> I would like to monitor this, perhaps like:
> 1. If traffic on switch >=30 Mbits for  600 seconds  then fire off an email
> 2. Login to the network to fix it (hopefully before network gets saturated)

Monitoring isn't sufficient IMHO...

> Is there a better way, than just waiting for a DOS SYN attack to occur?

If these boxes are not under your control and sometimes take down your 
boxes they should be considered hostile.  The solution: put a firewall 
between you and them and rate-limit SYN packets from any one source. 
Limit access as much as possible.  This is trivial with a Netfilter 
(Linux, iptables) based firewall.

Having said that, this is a problem which needs to be raised with 
management - at the highest levels if necessary.  If there are no 
sysadmins for these boxes then convince management there needs to be and 
offer the DoSes as proof.

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
    -- RFC 1925 "The Twelve Networking Truths"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
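Added example (not part of Rob's post or the TLUG thread): one way to build the firewall he describes, rate-limiting TCP SYN packets per source address on a Netfilter (iptables) box placed between the untrusted client boxes and the rest of the network. The rules are emitted in iptables-restore format so they can be reviewed before being applied. The interface name, the client subnet and the rate thresholds are assumptions; `--hashlimit-upto` is the current spelling of what older iptables releases called `--hashlimit`.

```shell
#!/bin/sh
# Per-source SYN rate limiting with Netfilter/iptables (hashlimit match).
# Added example, not from the original post. Interface, subnet and
# thresholds below are assumptions; override them via the environment.

UNTRUSTED_IF="${UNTRUSTED_IF:-eth1}"          # interface facing the client boxes (assumed)
UNTRUSTED_NET="${UNTRUSTED_NET:-10.0.0.0/16}" # their address range (constructed)
SYN_RATE="${SYN_RATE:-20/second}"             # sustained new-connection rate allowed per source
SYN_BURST="${SYN_BURST:-40}"                  # short burst tolerated before dropping

# Emit the ruleset as text. A dedicated SYN_LIMIT chain holds the policy so
# the same logic covers traffic to the firewall (INPUT) and through it (FORWARD).
syn_limit_rules() {
  cat <<EOF
*filter
:SYN_LIMIT - [0:0]
-A INPUT -i ${UNTRUSTED_IF} -s ${UNTRUSTED_NET} -p tcp --syn -j SYN_LIMIT
-A FORWARD -i ${UNTRUSTED_IF} -s ${UNTRUSTED_NET} -p tcp --syn -j SYN_LIMIT
-A SYN_LIMIT -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto ${SYN_RATE} --hashlimit-burst ${SYN_BURST} --hashlimit-htable-expire 30000 -j RETURN
-A SYN_LIMIT -m limit --limit 6/minute --limit-burst 10 -j LOG --log-prefix "SYN-LIMIT DROP: "
-A SYN_LIMIT -j DROP
COMMIT
EOF
}

# Number of rule lines in the generated set (useful as a sanity check).
syn_limit_rule_count() {
  syn_limit_rules | grep -c '^-A '
}

# Load the rules without flushing whatever else the firewall already has.
apply_syn_limit() {
  syn_limit_rules | iptables-restore --noflush
}

# Show per-source drop activity so an offending box can be identified.
show_syn_limit_hits() {
  iptables -L SYN_LIMIT -v -n
}

case "${1:-show}" in
  apply) apply_syn_limit ;;
  hits)  show_syn_limit_hits ;;
  *)     syn_limit_rules ;;   # default: print the rules for review
esac
```

Run it with no arguments to print the ruleset, `apply` (as root) to load it, and `hits` to see which sources are being dropped. Sources that stay under the limit pass through `RETURN`; anything above it is logged at a throttled rate and dropped, so a single flooding box can no longer saturate the link on the protected side.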