Gentlefolk (are there any women on this list????) I thought this sufficiently interesting to post to the NOG, so that it may help anyone who is considering how to avoid these attacks in the future. I have removed all the sales guff (I hope). I hope this is of use.

====================================================================

At one account they were all Cisco. They were blown up by a massive amount of spoofed SYN flood attacks. The PIX did stop the SYN floods it did see; however, most of the traffic never reached the PIX because the egress router had an overflow of traffic. I have personal experience with the account. We had recommended they put anti-spoofing filters and CAR filtering for ICMP on the egress routers. They told us they would not put any filters on the routers because they did not want to lose any performance.

The attacks were designed to take advantage of a specific flaw in the network design of the target. This was discovered by using an automated tool that tries literally hundreds of different exploits till it finds a successful avenue of attack. Since the hackers' tools try over a hundred types of exploits, it is possible that if the customer had implemented the egress filtering that we had recommended, then the hackers would have been able to crash them with some other attack. However, a continual theme is that there are a large number of sites on the Internet, and the well-defended sites tend to get ignored by this type of attack. Since these criminals don't tend to be very clever, in fact they seem downright lazy, they only go after sites that can be assaulted with off-the-shelf tools.

In the case of one web portal, the attack was a BSD UNIX specific attack that rides on port 80 like any other HTTP traffic. It went through the Cisco router and a Checkpoint firewall, just like it is supposed to do. Had the network administrator patched their Web servers against this known type of attack, then the exploit would not have worked at all.

In one of the e-commerce sites, they were blown up by a Smurf attack. However, the attack was against the upstream ISP, not the e-commerce site itself. Had the target insisted the ISP put the "no ip directed broadcast" command on the outgoing line from the ISP to the target, then the Smurf would have not worked.

========================================================================

--
Roger De Salis
Cisco Systems NZ Ltd
L3, 117 Customhouse Qy
Wellington, New Zealand
+64 25 481 452
+64 4 473 4912
roger(a)desalis.gen.nz
rdesalis(a)cisco.com
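An added Cisco IOS configuration example (not from the post, nor a Cisco reference config) showing the three measures the post recommends together: anti-spoofing access lists in both directions, CAR rate limiting of ICMP echo traffic, and `no ip directed-broadcast` to stop the router acting as a Smurf reflector. It assumes the customer prefix is 203.0.113.0/24, that Serial0/0 faces the ISP and FastEthernet0/0 faces the customer LAN; the CAR rate and burst values are illustrative.

```cisco
! Added example, not from the post. Assumed: customer prefix 203.0.113.0/24,
! Serial0/0 faces the ISP, FastEthernet0/0 faces the customer LAN.
!
! Inbound anti-spoofing: packets arriving from the ISP must never carry our
! own prefix, RFC 1918 private space or loopback as their source address.
access-list 100 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
!
! Outbound anti-spoofing (RFC 2827 style): only our own prefix may leave,
! so this site cannot be the spoofed source in someone else's SYN flood.
access-list 101 permit ip 203.0.113.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
! ICMP types that CAR will police; all other traffic is left untouched.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
interface Serial0/0
 description Link to upstream ISP
 ip access-group 100 in
 ip access-group 101 out
 ! CAR: pass up to 256 kbit/s of echo/echo-reply (8000 byte bursts), drop the rest
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
 no ip directed-broadcast
!
interface FastEthernet0/0
 description Customer LAN
 ! A directed broadcast is expanded on the interface that owns the destination
 ! subnet, so the setting is needed on every interface (default since IOS 12.0)
 no ip directed-broadcast
```

The `log` keywords on the deny entries give the operator a record of spoofed packets hitting the edge, which is the earliest sign that the site is being used as a source or is itself under attack.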