DNS DDOS

David A. Bandel david
Mon May 17 11:39:21 PDT 2004


On Thu, 24 Oct 2002 17:01:35 -0400
begin  Matthew Carpenter <matt at eisgr.com> spewed forth:

> The sad part about this is that a simple rate-limit on ICMP traffic on a
> Linux NetFilter firewall could have kept each of these systems afloat.
> 
> :)
> 
> For those of you administering firewalls, you might want to make sure
> you have a rate-limit for ICMP in your ruleset.
> 
> This was a simple DDOS, and future ones could involve more sophisticated
> means, but this is elementary stuff taken to a large scale.
> 

Not quite that simple.

Just because you are dropping ICMP packets doesn't mean your pipe's not
full.  True, they'd have to send twice as many packets to get the same
effect, or double the packet size, which is simple (since your system
isn't acting as its own worst enemy by generating more packets). Your
system also is processing those packets (dropping them).  So it would have
to be an upstream router (several actually) dropping those incoming ICMP
packets for this to work.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
		-- Nemesis Racing Team motto
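As an added illustration of the exchange above (not code from either poster), a small Python model of netfilter's `-m limit` token bucket applied to an ICMP echo flood: the host-side limit caps how many echo replies the host generates, but every attack packet still crosses the inbound link unless something upstream drops it. The flood rate, packet size and limit settings are constructed values.

```python
"""Model of iptables `-m limit --limit R --limit-burst B` on an ICMP flood.

Constructed example: compares link load and host work for (a) a host-side
rate limit and (b) a drop at an upstream router, as discussed in the thread.
"""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Token bucket as used by the netfilter `limit` match."""
    rate: float          # tokens per second, e.g. --limit 10/second
    burst: int           # bucket capacity, e.g. --limit-burst 20
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full

    def allow(self, now: float) -> bool:
        """Refill for elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(pps: float, pkt_bytes: int, seconds: float,
             limit_rate: float, limit_burst: int,
             drop_upstream: bool = False) -> dict:
    """Flood of `pps` echo requests/s for `seconds`; returns link bytes that
    reached the host, packets the host had to process, and replies it sent."""
    bucket = TokenBucket(limit_rate, limit_burst)
    link_bytes = processed = replied = 0
    for i in range(int(pps * seconds)):
        if drop_upstream:
            continue            # dropped before the access link: no load at all
        link_bytes += pkt_bytes  # the pipe carries the packet regardless
        processed += 1           # the host still spends cycles on it
        if bucket.allow(i / pps):
            replied += 1         # only these generate outbound replies
    return {"link_bytes": link_bytes, "host_processed": processed, "replies": replied}


if __name__ == "__main__":
    print("host limit   :", simulate(10_000, 100, 1, 10, 20))
    print("upstream drop:", simulate(10_000, 100, 1, 10, 20, drop_upstream=True))
```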

