[Dshield] Defense against server attacks
Jon R. Kibler
Jon.Kibler at aset.com
Mon Dec 1 16:40:00 GMT 2003
All my past experience has told me that there is really not much you can do about attacks against a server that appear to be normal requests. Is there any new defenses out there that anyone is aware of?
For example, last night some clown launched a simple DOS attack against one of our MTAs. The fact the attack even occurred was not noticeable until we checked logs this morning and found an entry along the lines of:
... did not issue MAIL/EXNP/VRFY/ETRN during connection to MTA
... last message repeated 67076 times
Digging further, the miscreant clearly opened a connection to the MTA, received the 220 message, and terminated the connection normally -- multiple times in rapid fire order. Performance logs indicated that the hit had no impact on anything except for bandwidth usage, which jumped from its normal of less than 5% to about 60% for the duration of the attack.
Any thoughts on how to detect something like this while it is in progress and what can be done if such an attack is detected? We have blocked the offending netblock at our border (the idiot used their real IP address -- or at least the address of whatever system they compromised), which protects our MTA, but does little for our network bandwidth problem.
TIA for your feedback!
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the list