Protection against DOS attacks.
 


Started by imby, 14 July, 2005, 03:27:52


imby

Yes unfortunately one is bound to run into an immature, irrational arsehole from time to time. This one DOS attacks unfortunately. I have an actiontec router and sygate firewall pro version. Any tips or general information?

Meka][Meka

the only dos / ddos protection, from a pro is.... to disconnect from the net  ;)
Do you know what 'nemesis' means? A righteous infliction of retribution manifested by an appropriate agent. Personified in this case by an 'orrible cunt... me.



Pothead

#2
I agree with Mutor.  Last time i got Dos'd was by TE (at my request :) ). During this, my firewall went up to 90% cpu and started using 300mb of Ram.
Basically, software firewalls are good, until you get attacked.  Want any real protection, you need a hardware based (router), not software (firewall).

NotRabidWombat

Most firewalls are software. The expensive ones you are referring to just have nice, dedicated hardware.

You don't need to spend an arm and a leg. I use an old 486 to power my FreeBSD firewall of doom ;-)
For those not interested in learning the inner workings of firewalls, there are neat projects like: http://www.m0n0.ch/wall/

TE attacks (as far as I have seen) have not been actual DOS. They're just mindless spamming until they get bored. The best way to protect against that is intelligence on the hub side.

Heh. MekaMeka, self-proclaimed chat protocol DOS pro.

-NotRabidWombat


I like childish behavior. Maybe this post will be deleted next.

Meka][Meka

#4
well in the case of u not knowing the meaning of DOS

denial of service, spamming is a type of denial of service, but this is not the DOS we do, my best is DDOS, and this is using many internet connections / systems, to synflood another connection, u no nothing of TE, and u never will, IMO, u know nothing but to kiss arse to dcdev,

peace,, :]



Pothead

#5
Quote: Originally posted by Meka][Meka
and this is using many internet connections / systems, to synflood another connection
Now you know where all that annoying spyware crap comes from.  Which hijacks unsuspecting people. Straight from the horse's mouth.

Quote: Originally posted by Meka][Meka
u no nothing of TE
Actions speak louder than words.  So let's give 3 nice examples.
1. Vikimaker wiping Ynhub forum.
2. Lord Cunt using your DDos network to attack women, because they ban him, for guess what . . . . being a twat.
3. Lord Zero, strikes again, with crashing R2 3 / 4 times in a row because, erh, he felt like it.

plop

Quote: Originally posted by Meka][Meka
well in the case of u not knowing the meaning of DOS

denial of service, spamming is a type of denial of service, but this is not the DOS we do, my best is DDOS, and this is using many internet connections / systems, to synflood another connection, u no nothing of TE, and u never will, IMO, u know nothing but to kiss arse to dcdev,

peace,, :]

a firewall with stateful protection solves this.
it keeps track of the syn's, if the 1st isn't finished it drops all the following syn's from that ip.
then the only problem is the amount of data which can take all the bandwidth the attacked person has.
a good nids (network intrusion detection system) can identify the type of DOS/DDOS and take action on it.
like mailing a log file 2 the appropriate isp's.
for example your own isp so they can redirect the traffic 2 /dev/null, and meanwhile trying 2 trace the source of the attack.

plop
http://www.plop.nl lua scripts/howto's.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<
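
The per-source SYN tracking plop describes above, as an added Python sketch that is not code from the thread or from any firewall product: a source with an unfinished handshake has its further SYNs dropped until that handshake completes or times out. `SynTracker`, `summarize`, the limits and the sample events are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, not captured traffic:
# (time in seconds, source IP, source port, TCP flag sent by the client)
SAMPLE_EVENTS = (
    [(0.0, "198.51.100.7", 40001, "SYN"),
     (0.1, "198.51.100.7", 40001, "ACK"),
     (0.2, "198.51.100.7", 40002, "SYN"),
     (0.3, "198.51.100.7", 40002, "ACK")]
    # One source opening six connections without ever completing one.
    + [(1.0 + i / 10, "203.0.113.9", 50000 + i, "SYN") for i in range(6)]
    + [(40.0, "203.0.113.9", 50010, "SYN")]
)

class SynTracker:
    """Hypothetical state table: half-open handshakes are limited per source."""

    def __init__(self, max_half_open=1, timeout=30.0):
        self.max_half_open = max_half_open
        self.timeout = timeout
        self.half_open = defaultdict(dict)   # src -> {src_port: time of SYN}
        self.established = set()             # (src, src_port)

    def handle(self, ts, src, sport, flag):
        pending = self.half_open[src]
        # Expire half-open entries whose handshake never completed.
        for port in [p for p, t in pending.items() if ts - t > self.timeout]:
            del pending[port]
        if flag == "SYN":
            if sport in pending:
                return "pass"                # retransmitted SYN, same attempt
            if len(pending) >= self.max_half_open:
                return "drop"                # earlier handshake still unfinished
            pending[sport] = ts
            return "pass"
        if flag == "ACK":
            if sport in pending:             # handshake completes
                del pending[sport]
                self.established.add((src, sport))
                return "pass"
            # An ACK with no matching state is not part of any connection.
            return "pass" if (src, sport) in self.established else "drop"
        return "drop"

def summarize(events, **limits):
    """Run events through a fresh tracker and count verdicts per source."""
    tracker = SynTracker(**limits)
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for ts, src, sport, flag in events:
        counts[src][tracker.handle(ts, src, sport, flag)] += 1
    return {src: dict(c) for src, c in counts.items()}
```

This only protects the connection table of the host behind the filter; as plop says, the traffic still consumes the victim's bandwidth until it is filtered upstream.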

Pothead

Quote: Originally posted by plop
a good nids (network intrusion detection system) can identify the type of DOS/DDOS and take action on it.
like mailing a log file 2 the appropriate isp's.
for example your own isp so they can redirect the traffic 2 /dev/null, and meanwhile trying 2 trace the source of the attack.
plop
Sounds good. :D
You know any good freeware ones ? ;)

Meka][Meka

Quote: Originally posted by plop
Quote: Originally posted by Meka][Meka
well in the case of u not knowing the meaning of DOS

denial of service, spamming is a type of denial of service, but this is not the DOS we do, my best is DDOS, and this is using many internet connections / systems, to synflood another connection, u no nothing of TE, and u never will, IMO, u know nothing but to kiss arse to dcdev,

peace,, :]

a firewall with stateful protection solves this.
it keeps track of the syn's, if the 1st isn't finished it drops all the following syn's from that ip.
then the only problem is the amount of data which can take all the bandwidth the attacked person has.
a good nids (network intrusion detection system) can identify the type of DOS/DDOS and take action on it.
like mailing a log file 2 the appropriate isp's.
for example your own isp so they can redirect the traffic 2 /dev/null, and meanwhile trying 2 trace the source of the attack.

plop

nope, nothing can solve a 'real' DOS attack, hence it's denial of service, not to an app to the net, if they don't have access to the internet, they have no access to email, a hardware firewall may detect, but it doesn't stop your bandwidth decreasing ( as u noted )  :]



plop

Quote: Originally posted by Pothead
Quote: Originally posted by plop
a good nids (network intrusion detection system) can identify the type of DOS/DDOS and take action on it.
like mailing a log file 2 the appropriate isp's.
for example your own isp so they can redirect the traffic 2 /dev/null, and meanwhile trying 2 trace the source of the attack.
plop
Sounds good. :D
You know any good freeware ones ? ;)

i'm using snort on freebsd, but they are porting it 2 windows.

plop

plop

Quote: Originally posted by Meka][Meka
nope, nothing can solve a 'real' DOS attack, hence it's denial of service, not to an app to the net, if they don't have access to the internet, they have no access to email, a hardware firewall may detect, but it doesn't stop your bandwidth decreasing ( as u noted )  :]

so the only effect the attack has is the bandwidth being fully taken by the dos, the moment the attack stops everything continues like it was.
the log file can be mailed after the attack.
but i don't know how it is in your neighbourhood, here there are enough ppl with wireless routers which are unprotected.
these can be used 2 send out the log file during the attack. lol
if the isp from the attacked person acts during the attack they can filter the dos on their own routers.
rendering the attack useless.
symbiot is a company which makes special devices against these kind of things with now an extra trick up their sleeves, they fight back.

plop

Pothead

#11
Quote: Originally posted by plop
i'm using snort on freebsd, but they are porting it 2 windows.
Thanks. hehe, i remembered trying to get that running on windows for 2 days, while i was playing with //www.mod-x.com . Cannot wait for a windows version of that proggy :D

blackwings

so snort is a kind of firewall? is it better than sygate? I mean on a personal computer, not a server.


Pothead

#13
Thanks Mutor.  It has progressed since i last looked (over a year ago).
Blackwings as far as i can tell, it's to be used in conjunction with a firewall.  It is a specialist proggy for sorting attacks, and other stuff, but not for program control.  :)

blackwings

any idea if it has compatibility problems with either sygate or outpost?

and is it resource consuming?


Corayzon

Quote: Originally posted by plop
Quote: Originally posted by Meka][Meka
nope, nothing can solve a 'real' DOS attack, hence it's denial of service, not to an app to the net, if they don't have access to the internet, they have no access to email, a hardware firewall may detect, but it doesn't stop your bandwidth decreasing ( as u noted )  :]

so the only effect the attack has is the bandwidth being fully taken by the dos, the moment the attack stops everything continues like it was.
the log file can be mailed after the attack.
but i don't know how it is in your neighbourhood, here there are enough ppl with wireless routers which are unprotected.
these can be used 2 send out the log file during the attack. lol
if the isp from the attacked person acts during the attack they can filter the dos on their own routers.
rendering the attack useless.
symbiot is a company which makes special devices against these kind of things with now an extra trick up their sleeves, they fight back.

plop

well put mate. I want to see isp's redirect attacks to Ppl who attack via their own networks! meaning the attacker receives their own attacks... if the attack doesn't rely on backdoors in other machines to hide itself from the isp's traces. Like the dc exploit attack.

personally i say, attackers are the jealous ones that want what they don't have. So they take out other services that have what they want :P

Silly sausages

blackwings

Quote: Originally posted by blackwings
any idea if it has compatibility problems with either sygate, outpost or Norton Firewall?

and is it resource consuming?
anyone?


Corayzon

Quote: Originally posted by Mutor
Quote: Originally posted by Corayzon
personally i say, attackers are the jealous ones that want what they don't have. So they take out other services that have what they want :P

Or they are pimple faced vandals with childlike genitalia, who so need to find something of greater value to do. Lest they wade about in the shallow end of the gene pool until old and gray. I don't think it's much about what others have, beyond friends, family and a focus in life. It's one of the few times in their miserable lives they can feel powerful, if you can call it that.

With no visible means of sexual gratification in sight for the poor, misguided and dickless. I say hack on, wankers.

Here ends the rant...........

nice ranting, i can't disagree ^^

Psycho_Chihuahua

hack me if you want i don't care ^^ all my important files are not hooked up to the internet anyhow and a reinstallation doesn't take that long as i reinstall from image  :D


want my IP? hmm how about 127.0.0.1  :D  :D
PtokaxWiki | PtokaX Mirror + latest Libs


Meka][Meka

#19
well yep plop, u r right, but if someone ddos then u have a big problem still... it's not their ip, nor spoofed ips, also if the attack is long and powerful enough, u can't get logs from the hardware, whilst it's extremely busy.... unless u are having packets sent to software firewall, but in that case your comp can crash with so many packets..... hardware firewalls can be crashed, no doubt.... just my knowledge I'm sharing  :]



plop

Quote: Originally posted by Meka][Meka
well yep plop, u r right, but if someone ddos then u have a big problem still... it's not their ip, nor spoofed ips, also if the attack is long and powerful enough, u can't get logs from the hardware, whilst it's extremely busy.... unless u are having packets sent to software firewall, but in that case your comp can crash with so many packets..... hardware firewalls can be crashed, no doubt.... just my knowledge I'm sharing  :]

a p2 233 is powerful enough 2 filter a 100Mbit network including logging the data.
and maybe you remembered the sqlslammer worm, trueservers filtered about 1-2TB of data per hour during the peak of that.
that was the biggest ddos so far and was filtered.
the only problem was that many dns servers got choked on the data, on isp's which didn't filter.
spoofing isn't possible if the routers are set up correctly (again a point where many isp's fail).

plop

Putka

And how about when u get attacked from 0.0.0.0:port ????
How can this be resolved. As i know even ISP isn't able to get real location of attack source.

plop

Quote: Originally posted by Putka
And how about when u get attacked from 0.0.0.0:port ????
How can this be resolved. As i know even ISP isn't able to get real location of attack source.

they can be traced, just it's a hell of a lot of work.
it goes step by step thru all the routers on the net.
if you disable dhcp, you should be able 2 drop all packets with that ip.
an IDS is a package sniffer, they check what is inside the package.
if that isn't a correct package for that ip they drop them.

plop
http://www.plop.nl lua scripts/howto's.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<
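
An added example, not from the thread, of the source-address checks plop refers to: dropping packets whose source can never be valid (0.0.0.0 among them, unless a DHCP server on the LAN has to hear from clients that have no address yet) and the router-side filtering that rejects spoofed sources. The LAN prefix, interface names, function names and sample packets are constructed assumptions.

```python
import ipaddress

# Sources that are never valid on packets arriving from the Internet.
NEVER_VALID = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this network"; 0.0.0.0 is only a DHCP client source
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "224.0.0.0/4",     # multicast is never a source address
    "240.0.0.0/4",     # reserved, includes 255.255.255.255
)]
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed topology (constructed): a single LAN prefix behind the router.
LAN_PREFIX = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample packets: (source address, interface it arrived on).
# Documentation prefixes stand in for ordinary routable addresses.
SAMPLE_PACKETS = [
    ("0.0.0.0", "wan"), ("203.0.113.20", "wan"), ("192.168.1.50", "wan"),
    ("192.168.1.50", "lan"), ("198.51.100.4", "lan"), ("0.0.0.0", "lan"),
]

def check_source(src, iface, dhcp_server_on_lan=False):
    """Return (verdict, reason) for a source address seen on 'wan' or 'lan'."""
    addr = ipaddress.ip_address(src)
    if iface == "lan":
        if addr == ipaddress.ip_address("0.0.0.0") and dhcp_server_on_lan:
            return ("pass", "DHCP client that has no address yet")
        if addr in LAN_PREFIX:
            return ("pass", "source belongs to the LAN")
        # Egress filtering: nothing leaves with a source that is not ours.
        return ("drop", "source is not in the LAN prefix (spoofed or misconfigured)")
    for net in NEVER_VALID:
        if addr in net:
            return ("drop", f"invalid source in {net}")
    for net in PRIVATE:
        if addr in net:
            return ("drop", f"private source in {net} arriving from the Internet")
    return ("pass", "routable source")

def dropped(packets, **options):
    """Return the (source, interface) pairs the filter would drop."""
    return [(s, i) for s, i in packets
            if check_source(s, i, **options)[0] == "drop"]
```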
