
RE: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas

To: "Brett Hays" <bretth@htonline.net>, "Karlnet Mailing List" <karlnet@WISPNotes.com>
Subject: RE: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
From: "Rob Trout" <rtrout@t-speed.com>
Reply-to: Karlnet Mailing List <karlnet@WISPNotes.com>
Date: Wed, 18 Jun 2003 08:16:25 -0500
List-post: <mailto:karlnet@WISPNotes.com>
NTOP would help, as well as any packet sniffer. We run ET Inc's BWMGR,
and limit ICMP to a set amount; if something starts pushing that
threshold, we can open the logs and see who.


Most of the time the ICMP abusers are easy to pick out: they're using
large send buffer sizes.

Robert Trout
T-Speed 
rtrout@t-speed.com
www.t-speed.com


> >-----Original Message-----
> >From: Brett Hays [mailto:bretth@htonline.net] 
> >Sent: Tuesday, June 17, 2003 10:20 PM
> >To: Karlnet Mailing List
> >Cc: Scot Green
> >Subject: Re: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
> >
> >
> >It's just a colossal pain in the a** hunting down the 
> >offender.  I suppose I need to find some better diagnostic 
> >tools or learn something.  Does anyone have tips on how to 
> >hunt down this sort of traffic?  All I know to do is watch 
> >TurboCell station entries on the AP and look for traffic 
> >patterns, but that's not much help.  Are there any programs 
> >we can run at the NOC to watch for traffic anomalies like 
> >this?  I am familiar with Active Ports and some other 
> >programs, but they only watch the machine they are actually 
> >installed on.  We run all Win2000 boxes for servers, so 
> >something that would run on that platform would be best.
> >
> >Brett Hays
> >Hometown Online
> >www.htonline.net
> >
> >----- Original Message ----- 
> >From: "Bob Hrbek" <bhrbek@jagwireless.com>
> >To: "Karlnet Mailing List" <karlnet@WISPNotes.com>
> >Sent: Tuesday, June 17, 2003 9:33 AM
> >Subject: Re: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
> >
> >
> >> Brett, I think you are doing things correctly with the routing.  I
> >> don't believe the storm settings will help with ICMP or UDP
> >> overloading of the network.  These viruses have taken down the
> >> networks of some VERY large companies.  One thing I suppose you could
> >> do is, if you determine that the traffic is coming from a particular
> >> customer, you could create a MAC filter to deny their traffic at the
> >> AP until they got the problem resolved.
> >>
> >> I don't think that the alternative configurations that you suggested
> >> would be of any help in these instances.
> >>
> >> As any other service provider would do.....if a subscriber is taking
> >> down the provider's network, you simply isolate them until they get
> >> their stuff fixed.
> >>
> >> -bob
> >>
> >>
> >> ----- Original Message -----
> >> From: "Brett Hays" <bretth@htonline.net>
> >> To: "Karlnet Mailing List" <karlnet@WISPNotes.com>; 
> >> <RMallory@karlnet.com>
> >> Cc: <kstuckwisch@htonline.net>; "Scot Green" <sjgreen@htonline.net>
> >> Sent: Tuesday, June 17, 2003 9:24 AM
> >> Subject: [Karlnet] Ping Floods, DoS Attacks, etc. - Any Ideas
> >>
> >>
> >> > We have finally isolated a problem we have been having for over a
> >> > month on our wireless system with some customers falling offline, etc.
> >> > on mostly nights and weekends for 5-15 minute durations due to
> >> > excessive ICMP (I believe) traffic coming from one customer location.
> >> > The customer is working with us to isolate the offending
> >> > machine/device and solve the problem.
> >> >
> >> > That said, this has been a mother to isolate and solve.  Does anyone
> >> > have any ideas on how to protect access points from one client with
> >> > Code Red, etc. pegging the whole network?  We run AP1000 base and
> >> > RG1100 clients.  Currently, we are routed with real-world IPs on the
> >> > RGs and NAT for the customer on the ethernet side.  I noticed in the
> >> > bridging setup that there is a section called storm protection.  If
> >> > we were running bridging on the clients and had this enabled, would
> >> > it protect from this sort of problem?
> >> >
> >> > I know that some of you have said you run NAT on the access point
> >> > and then give the real-world IP to the customer's computer or
> >> > DSL/cable router.  My question regarding this is how do you access
> >> > the client devices (in our case RGs) to change configuration, etc.
> >> > if they are behind NAT on the access point?
> >> >
> >> > Please excuse any stupid questions I am asking, I have very limited
> >> > experience with bridging.
> >> >
> >> > Brett Hays
> >> > Hometown Online
> >> > www.htonline.net
> >> >
> >> >
> >> > _______________________________________________
> >> > Karlnet mailing list
> >> > Karlnet@WISPNotes.com 
> >> > http://lists.wispnotes.com/mailman/listinfo/karlnet
> >> >
> >>
> >>
> >
> >
> >
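Hunting the offender from sniffer output at the NOC, as an added example that is not from this thread or from any tool named in it: a Python script that parses tcpdump-style ICMP summary lines (a constructed sample is embedded) and flags sources that exceed a per-second packet rate or send unusually large ICMP packets, the two signs Rob describes. The line format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Regex for tcpdump-style ICMP summary lines (assumed format; another
# sniffer's output would need a different pattern).
ICMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP .*?, length (?P<len>\d+)$"
)

def parse_icmp(lines):
    """Yield (second, src, length) for every ICMP line; skip anything else."""
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if m:
            yield m["ts"], m["src"], int(m["len"])

def find_icmp_abusers(lines, max_pps=50, max_avg_len=512):
    """Return {src: {"peak_pps", "avg_len"}} for sources whose peak
    one-second ICMP packet count or average ICMP packet size exceeds
    the threshold (both thresholds are assumed values)."""
    per_sec = defaultdict(lambda: defaultdict(int))   # src -> second -> count
    sizes = defaultdict(list)                         # src -> packet lengths
    for sec, src, length in parse_icmp(lines):
        per_sec[src][sec] += 1
        sizes[src].append(length)
    flagged = {}
    for src, buckets in per_sec.items():
        peak = max(buckets.values())
        avg_len = sum(sizes[src]) / len(sizes[src])
        if peak > max_pps or avg_len > max_avg_len:
            flagged[src] = {"peak_pps": peak, "avg_len": round(avg_len)}
    return flagged

# Constructed sample: one subscriber hammering the gateway with large echo
# requests, one normal host pinging, and a non-ICMP line that must be ignored.
SAMPLE = (
    [f"12:00:01.{i:06d} IP 10.1.2.3 > 10.0.0.1: ICMP echo request, id 1, seq {i}, length 1472"
     for i in range(80)]
    + ["12:00:01.500000 IP 10.1.2.9 > 10.0.0.1: ICMP echo request, id 2, seq 1, length 64",
       "12:00:02.000000 IP 10.1.2.9 > 10.0.0.1: ICMP echo request, id 2, seq 2, length 64",
       "12:00:02.100000 IP 10.1.2.9.53 > 10.0.0.1.53: UDP, length 40"]
)

if __name__ == "__main__":
    for src, stats in find_icmp_abusers(SAMPLE).items():
        print(f"{src}: peak {stats['peak_pps']} pkt/s, avg {stats['avg_len']} bytes")
```

Feed it the sniffer's saved output instead of SAMPLE to get a short list of sources to check against the AP's station table.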
