
List:       dshield
Subject:    Re: [Dshield] When botnets attack
From:       John Hardin <johnh () aproposretail ! com>
Date:       2004-09-30 23:44:20
Message-ID: 1096587860.4349.60.camel () johnh ! ar-corp ! com

On Wed, 2004-09-29 at 08:17, Miles Stevenson wrote:
> > *I* can't imagine a network administrator allowing that traffic (the
> > various Windows Networking protocols) to cross their boundary firewall
> > in the first place.
> > Don't forget the basics.
> 
> I'm not forgetting "the basics" as you say.

Sorry, that wasn't an assumption of error on your part, just a general
admonishment. No offense intended!

> A firewall, router, or any kind of 
> device that you use for network filtering has to use N amount of processing 
> power to look at a packet header, compare that to its ruleset, and drop the 
> packet. 

True, that's its job.

> The whole idea of being DoS attacked is that there is so much data for the 
> filtering device to filter, that the processor becomes completely exhausted 
> and either drops legitimate traffic, or simply shuts down. Do you know of a 
> boundary firewall device that can withstand 60,000 bots spewing garbage at it 
> at a constant rate? Some lesser firewalls can't even handle 60K legitimate 
> connections, let alone 1,000 illegitimate ones coming from 60K different 
> machines.

True, but egress filtering - not letting bad stuff out of the networks
you control - is a good, distributed way to deal with distributed
attacks from spoofed source IPs or against certain protocols.

My comment was more to express: prohibiting the Windows Networking
protocols at your boundary will reduce the likelihood of a successful
attack upon your network (thus reducing the chance of your becoming a
member of a botnet) and will reduce the likelihood of an infection
spreading should you get cracked somehow.

'course, I'm preaching to the choir here.

--
John Hardin  KA7OHZ                           <johnh@aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 If you smash a computer to bits with a mallet, that appears to count
 as encryption in the state of Nevada.
                                               - CRYPTO-GRAM 12/2001
-----------------------------------------------------------------------
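The two boundary measures John describes above, egress anti-spoofing and keeping the Windows Networking protocols from crossing the perimeter, as an added iptables example for a Linux router (this is illustration code, not something posted in the thread). Assumed values: LAN prefix 192.0.2.0/24 (a documentation range), WAN interface eth0; IPT defaults to "echo iptables" so running the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example: perimeter DROP rules for egress anti-spoofing and for blocking
# the Windows Networking protocols in both directions. Assumed values below;
# set IPT=iptables (as root) to apply instead of printing.
LAN_NET="${LAN_NET:-192.0.2.0/24}"   # assumed: the prefix this site owns
WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the Internet
IPT="${IPT:-echo iptables}"           # dry-run by default

# RPC endpoint mapper (135), NetBIOS session (139), SMB over TCP (445);
# NetBIOS name and datagram services (137, 138) run over UDP.
WINNET_TCP="135,139,445"
WINNET_UDP="137,138"

boundary_rules() {
    # Egress anti-spoofing: a packet leaving via the WAN interface must carry a
    # source address from our own prefix. A cracked host here then cannot
    # join a spoofed-source flood against someone else's network.
    $IPT -A FORWARD -o "$WAN_IF" ! -s "$LAN_NET" -j DROP
    # Ingress anti-spoofing: nothing arriving from the Internet may claim to be us.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Windows Networking never crosses the boundary, inbound or outbound, so
    # worm traffic neither reaches the LAN nor leaves it if a host is infected.
    for dir in -i -o; do
        $IPT -A FORWARD "$dir" "$WAN_IF" -p tcp -m multiport --dports "$WINNET_TCP" -j DROP
        $IPT -A FORWARD "$dir" "$WAN_IF" -p udp -m multiport --dports "$WINNET_UDP" -j DROP
    done
}

# Number of DROP rules the policy installs (handy as a sanity check after a run).
count_drop_rules() {
    boundary_rules | grep -c -- '-j DROP'
}

boundary_rules
```

Only the DROP side is shown; the stateful ACCEPT rules for legitimate traffic and the chain's default policy are left to the site's existing ruleset.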
