OSEC

Subject: Re: Automatic Retaliation contra DoS
From: Mikael Olsson (mikael.olssonENTERNET.SE)
Date: Thu May 25 2000 - 07:29:11 CDT


sigippWELLA.COM.BR wrote:
>
> Hi,
>
> My idea was not a retaliation of type attacking your machine. Not even closing
> the door. Simply throttling down (simulating line congestion for the
> attacker). There would be nothing significant in your firewall logs, or
> even nothing. It would be simply that an increasing percentage of your
> (the attacker's) packets will get lost. Nothing more. The maximum you would
> find in your firewall logs is an icmp message of type "host unreachable"
> of some intermediate router.
>

I know I'm late into this thread (haven't been keeping up with my list
subscriptions again. agh) but I feel I have to say this much:

Cutting off someone as a result of a probe, or even decreasing their
throughput, may lead to serious problems. What if I launch a spoofed
attack against you and claim to be a bunch of the top level DNS
servers? (Owie!)

Granted, only doing this if you confirm a full TCP connect reduces
the risks of DoSing yourself. IF your server OS has good sequence
number randomization, or if your firewall provides it for you.

A point of interest: Watchguard blocks "attackers" by default,
and if you disable this "protection", you open yourself up
to DoS since its proxies are WAY over-sensitive without the block.

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olssonenternet.se
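As an added illustration (not part of Mike's post or of the thread), the following Python model replays the scenario he describes: an automatic throttling responder that acts either on any SYN it sees or only on a completed TCP handshake. The policy names, the `Responder`/`Packet` types and the addresses (RFC 5737 documentation ranges standing in for "a top-level DNS server" and a real prober) are all constructed for this example; the ISN generator is injectable so the caveat about sequence number randomization can be shown as well.

```python
"""Toy model of the 'automatic throttling' responder discussed in the thread.

Two trigger policies are compared:
  SYN_TRIGGER          - throttle any source whose SYN hits a watched port
  FULL_CONNECT_TRIGGER - throttle only a source that completed the 3-way
                         handshake, i.e. echoed our SYN/ACK ISN + 1
All packets are constructed; addresses come from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Set
import secrets


class Policy(Enum):
    SYN_TRIGGER = "syn"
    FULL_CONNECT_TRIGGER = "full-connect"


@dataclass
class Packet:
    src: str      # claimed source address (may be spoofed)
    flags: str    # "S" = SYN, "A" = ACK
    ack: int = 0  # acknowledgement number (only meaningful for "A")


@dataclass
class Responder:
    policy: Policy
    # ISN generator for our SYN/ACK. The default is unpredictable; a weak
    # generator can be injected to show why the ISN-randomization caveat matters.
    isn_source: Callable[[], int] = lambda: secrets.randbits(32)
    pending: Dict[str, int] = field(default_factory=dict)   # src -> ISN we sent
    throttled: Set[str] = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        """Process one inbound packet and return the action taken."""
        if pkt.flags == "S":
            if self.policy is Policy.SYN_TRIGGER:
                # Acting on the SYN alone trusts an unverified source address.
                self.throttled.add(pkt.src)
                return "throttled"
            isn = self.isn_source() & 0xFFFFFFFF
            self.pending[pkt.src] = isn
            return "syn/ack"
        if pkt.flags == "A":
            isn = self.pending.pop(pkt.src, None)
            # Only a peer that actually received our SYN/ACK knows isn + 1.
            if isn is not None and pkt.ack == (isn + 1) & 0xFFFFFFFF:
                if self.policy is Policy.FULL_CONNECT_TRIGGER:
                    self.throttled.add(pkt.src)
                    return "throttled"
                return "established"
            return "ignored"
        return "ignored"


def simulate(policy: Policy, isn_source: Optional[Callable[[], int]] = None) -> Set[str]:
    """Replay the thread's scenario and return the set of throttled sources."""
    r = Responder(policy) if isn_source is None else Responder(policy, isn_source)
    DNS_SERVER = "192.0.2.53"   # constructed stand-in for a top-level DNS server
    PROBER = "198.51.100.7"     # constructed address of a genuine prober

    # 1. A SYN whose source is forged as the DNS server. Whoever sent it never
    #    receives our SYN/ACK, so the only option is a blind ACK-number guess.
    r.handle(Packet(src=DNS_SERVER, flags="S"))
    r.handle(Packet(src=DNS_SERVER, flags="A", ack=1001))

    # 2. A real prober connecting from its own address sees the SYN/ACK and
    #    can therefore complete the handshake.
    r.handle(Packet(src=PROBER, flags="S"))
    if PROBER in r.pending:
        r.handle(Packet(src=PROBER, flags="A", ack=(r.pending[PROBER] + 1) & 0xFFFFFFFF))
    return set(r.throttled)


if __name__ == "__main__":
    print("SYN trigger:           ", simulate(Policy.SYN_TRIGGER))
    print("full-connect, random:  ", simulate(Policy.FULL_CONNECT_TRIGGER))
    print("full-connect, ISN=1000:", simulate(Policy.FULL_CONNECT_TRIGGER, lambda: 1000))
```

With the SYN-only trigger the forged DNS-server address ends up throttled, which is exactly the self-inflicted DoS Mike warns about; with the full-connect trigger and an unpredictable ISN only the genuine prober is throttled. Injecting a constant ISN (the last line of the demo) shows the caveat: once the ISN is guessable the blind ACK matches and the spoofed address is throttled again, so the full-connect check is only as strong as the sequence number randomization behind it.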