DOS SYN attack on a large network
Robert Brockway
robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Tue Aug 12 13:01:38 UTC 2008
On Tue, 12 Aug 2008, Teddy wrote:
> We have a few hundred Linux boxes.
> We do not have root access to these client boxes.
> (So I cannot secure or "fix them up")
Hi Teddy. Who does have root access? Do the boxes have any sysadmins who
are directly or indirectly responsible for them?
If there are no sysadmins then I'd say there is an organisational problem.
If there are sysadmins then you should complain to them about the DoS of
course. If a box under the control of a sysadmin DoSed something else in
the same company then the sysadmin would probably be hiding in shame after
fixing it.
> Once in a while, we get a DOS or SYN or some other type of
> attack on our network, that can down the entire network.
Boxes inside your own organisation are DoSing you (!!).
> We have our switches configured correctly. (reverifying again)
>
> One thing I do notice of course is the offending box, starts making
> a tremendous amount of bandwidth. (100Mbits/sec)
What exactly are the boxes doing that a single box can apparently DoS your
network? i.e. what does Wireshark say about the traffic? Is it
unicast, broadcast or multicast?
Perhaps you need to look at switch upgrades.
> I would like to monitor this, perhaps like:
> 1. If traffic on switch >=30 Mbits for 600 seconds then fire off an email
> 2. Login to the network to fix it (hopefully before network gets saturated)
Monitoring isn't sufficient IMHO...
> Is there a better way, than just waiting for a DOS SYN attack to occur?
If these boxes are not under your control and sometimes take down your
boxes they should be considered hostile. The solution: put a firewall
between you and them and rate-limit SYN packets from any one source.
Limit access as much as possible. This is trivial with a Netfilter
(Linux, iptables) based firewall.
Having said that, this is a problem which needs to be raised with
management - at the highest levels if necessary. If there are no
sysadmins for these boxes then convince management there needs to be and
offer the DoSes as proof.
Rob
--
"With sufficient thrust, pigs fly just fine..."
-- RFC 1925 "The Twelve Networking Truths"
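An added example (not from Rob's message or from Teddy's setup) of the Netfilter approach Rob describes: a firewall between you and the client boxes that rate-limits TCP SYN packets per source address. The client subnet 10.0.0.0/16, the interface eth0, and the budget of 20 SYN/s with a burst of 40 are constructed assumptions; the rules are generated by a function so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not code from the thread: per-source SYN rate limiting with
# Netfilter/iptables (xt_hashlimit). Assumed values (constructed):
# hostile client subnet 10.0.0.0/16 arriving on eth0, 20 SYN/s per source
# with a burst of 40. Tune to your own traffic before deploying.

CLIENT_NET="${CLIENT_NET:-10.0.0.0/16}"
IN_IF="${IN_IF:-eth0}"
SYN_RATE="${SYN_RATE:-20/sec}"
SYN_BURST="${SYN_BURST:-40}"

# Print the iptables commands, one per line, without running them.
# Keeping this a pure function lets the ruleset be reviewed or tested first.
syn_limit_rules() {
    net="$1"; ifc="$2"; rate="$3"; burst="$4"
    cat <<EOF
iptables -N SYN_LIMIT 2>/dev/null || true
iptables -F SYN_LIMIT
iptables -A SYN_LIMIT -m hashlimit --hashlimit-name synlimit --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT
iptables -A SYN_LIMIT -m limit --limit 1/min -j LOG --log-prefix "SYN_LIMIT drop: "
iptables -A SYN_LIMIT -j DROP
iptables -I FORWARD 1 -i $ifc -s $net -p tcp --syn -j SYN_LIMIT
iptables -I INPUT 1 -i $ifc -s $net -p tcp --syn -j SYN_LIMIT
EOF
}

# Number of rules the generator emits (a cheap sanity check on the chain).
syn_limit_rule_count() {
    syn_limit_rules "$@" | wc -l | tr -d ' '
}

# Apply the rules, but only when running as root with iptables available;
# otherwise print them so the script is harmless to run for review.
apply_syn_limit() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        syn_limit_rules "$@" | while IFS= read -r cmd; do
            eval "$cmd" || exit 1
        done
    else
        echo "# not root or iptables missing; rules NOT applied:" >&2
        syn_limit_rules "$@"
    fi
}

# Default action is review only; set SYN_LIMIT_APPLY=1 to actually load rules.
if [ "${SYN_LIMIT_APPLY:-0}" = 1 ]; then
    apply_syn_limit "$CLIENT_NET" "$IN_IF" "$SYN_RATE" "$SYN_BURST"
else
    syn_limit_rules "$CLIENT_NET" "$IN_IF" "$SYN_RATE" "$SYN_BURST"
fi
```

The LOG rule is deliberately limited to one line per minute so that the firewall's own logging cannot become the next flood; the dropped SYNs from a misbehaving client then show up in syslog with the source address, which is exactly the evidence Rob suggests taking to management.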
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
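As an added example of the sustained-bandwidth alarm Teddy sketches (>= 30 Mbit/s for 600 seconds, then send an email), and not code from either poster: a small host-side monitor that samples the receive counter from /proc/net/dev, converts it to Mbit/s, and notifies once the threshold has held for the whole duration. The interface eth0, the 10-second sampling interval, the recipient address and the use of mail(1) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sustained-rate alarm in the style of
# "if traffic >= 30 Mbit/s for 600 s then fire off an email".
# Assumed (constructed): Linux /proc/net/dev counters, interface eth0,
# one sample every 10 s, notification via mail(1) if it is installed.

IFACE="${IFACE:-eth0}"
THRESHOLD_MBPS="${THRESHOLD_MBPS:-30}"
DURATION_SEC="${DURATION_SEC:-600}"
INTERVAL_SEC="${INTERVAL_SEC:-10}"
MAIL_TO="${MAIL_TO:-netops@example.invalid}"

# Received-byte counter for one interface from /proc/net/dev (Linux only).
# The colon may be glued to the first number, so split on ':' explicitly.
rx_bytes() {
    awk -v ifc="$1" -F: '{ gsub(/^ +/, "", $1); if ($1 == ifc) { split($2, f, " "); print f[1] } }' /proc/net/dev
}

# Average Mbit/s between two byte counters taken $3 seconds apart.
# Integer arithmetic only, so any POSIX sh can run it.
mbps_from_counters() {
    b0="$1"; b1="$2"; secs="$3"
    echo $(( (b1 - b0) * 8 / secs / 1000000 ))
}

# $1: whitespace-separated Mbit/s samples, oldest first; $2: threshold;
# $3: sustain duration in s; $4: sample interval in s.
# Prints 1 when the most recent duration/interval samples are all at or
# above the threshold, else 0.
sustained_over() {
    samples="$1"; threshold="$2"; duration="$3"; interval="$4"
    need=$(( duration / interval ))
    run=0
    for s in $samples; do
        if [ "$s" -ge "$threshold" ]; then run=$(( run + 1 )); else run=0; fi
    done
    if [ "$need" -gt 0 ] && [ "$run" -ge "$need" ]; then echo 1; else echo 0; fi
}

# Send the alarm by mail when possible, otherwise to stderr.
notify() {
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$1" | mail -s "bandwidth alarm on $IFACE" "$MAIL_TO"
    else
        printf 'ALERT: %s\n' "$1" >&2
    fi
}

# Sampling loop: keep only the last duration/interval samples and alert once
# per incident, then start counting again.
monitor() {
    need=$(( DURATION_SEC / INTERVAL_SEC ))
    samples=""
    prev=$(rx_bytes "$IFACE")
    while :; do
        sleep "$INTERVAL_SEC"
        cur=$(rx_bytes "$IFACE")
        rate=$(mbps_from_counters "$prev" "$cur" "$INTERVAL_SEC")
        prev="$cur"
        set -- $samples "$rate"
        if [ $# -gt "$need" ]; then shift $(( $# - need )); fi
        samples="$*"
        if [ "$(sustained_over "$samples" "$THRESHOLD_MBPS" "$DURATION_SEC" "$INTERVAL_SEC")" = 1 ]; then
            notify "$IFACE >= ${THRESHOLD_MBPS} Mbit/s for ${DURATION_SEC}s (last sample ${rate} Mbit/s)"
            samples=""
        fi
    done
}

# Run the loop only when asked, so the file can be sourced for its functions.
if [ "${MONITOR:-0}" = 1 ]; then
    monitor
fi
```

Run it with MONITOR=1 under a supervisor on a box that sees the switch uplink. As Rob notes, this only tells you a flood has started; it is worth having for the paper trail, but the SYN limiting at the firewall is what keeps the network up while you track down the offending box.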