FW: Re: Is there a line of defense against Distributed Reflective attacks?
Johannes Ullrich
jullrich at euclidian.com
Sun Jan 19 14:38:10 UTC 2003
> *shrug* just seems like it would make more sense to block all incoming
> 'syn' packets.
> Wouldn't that be faster than inspecting the destination port against two
> separate rules?
blocking all SYNs will break too much other stuff (Instant Messengers,
games ...). I think we would be much better off if they (consumer ISPs)
would block 135-139 and 445, maybe 21 and 80.
The rest could be handled with a simple IDS (doesn't even need
to match patterns... just count packets going to 27374 and the like)
I keep saying ISPs would be much better off if they implement these
filters. But not all of them agree. IMHO: less 'zombies' -> better
service -> less support phone calls.
--
--------------------------------------------------------------------
jullrich at euclidian.com Collaborative Intrusion Detection
join http://www.dshield.org
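The "simple IDS" the post describes, counting packets to a few well-known ports rather than matching payload patterns, as an added example that is not part of the original message. The flow-summary log format, the sample lines (constructed to look like a consumer access network), and the thresholds are all assumptions of this example; the watched ports are the ones the post names. It goes slightly beyond the post by also counting distinct destinations per source and port, since a host spraying one packet each at many addresses is the scanning behaviour a packet count alone can miss.

```python
"""Count packets (and distinct targets) per customer source to a few watched
destination ports, in the spirit of the post's "just count packets going to
27374 and the like".  Example code, not from the original message."""
from collections import defaultdict

# Ports named in the post: Windows networking 135-139 and 445, FTP 21,
# HTTP 80, and 27374, the example port the post gives for packet counting.
WATCHED_PORTS = {135, 136, 137, 138, 139, 445, 21, 80, 27374}

# Constructed flow-summary lines (assumed format, one flow per line):
# <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <packets>
SAMPLE_FLOWS = """\
2003-01-19T14:00:01 10.0.0.5 192.0.2.10 27374 tcp 3
2003-01-19T14:00:02 10.0.0.5 192.0.2.11 27374 tcp 2
2003-01-19T14:00:02 10.0.0.5 192.0.2.12 445 tcp 4
2003-01-19T14:00:03 10.0.0.7 192.0.2.20 80 tcp 1
2003-01-19T14:00:04 10.0.0.7 192.0.2.21 22 tcp 5
2003-01-19T14:00:05 10.0.0.5 192.0.2.13 27374 tcp 1
"""


def parse_flow(line):
    """Split one flow-summary line into a dict; ports and counts become ints."""
    ts, src, dst, dport, proto, pkts = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "pkts": int(pkts)}


def summarize(lines, watched=WATCHED_PORTS):
    """Return {(src_ip, dst_port): {"packets": n, "targets": k}} for flows
    whose destination port is in the watched set.  Other ports are ignored,
    which is what keeps this cheap compared with pattern matching."""
    packets = defaultdict(int)
    targets = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["dport"] not in watched:
            continue
        key = (rec["src"], rec["dport"])
        packets[key] += rec["pkts"]
        targets[key].add(rec["dst"])
    return {key: {"packets": packets[key], "targets": len(targets[key])}
            for key in packets}


def flag_sources(summary, packet_threshold=5, target_threshold=3):
    """Report sources that exceed either threshold on any watched port.
    Thresholds are assumptions for the example; an ISP would tune them to
    its own traffic.  Result: {src_ip: {dst_port: stats}}."""
    flagged = defaultdict(dict)
    for (src, port), stats in summary.items():
        if (stats["packets"] >= packet_threshold
                or stats["targets"] >= target_threshold):
            flagged[src][port] = stats
    return dict(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for (src, port), stats in sorted(summary.items()):
        print(f"{src} -> port {port}: {stats['packets']} packets, "
              f"{stats['targets']} distinct targets")
    print("flagged:", flag_sources(summary))
```

Run against the constructed sample, 10.0.0.5 is reported for port 27374 (six packets to three distinct hosts) while 10.0.0.7's single packet to port 80 and its port-22 traffic are not, which is the distinction the post is after: catch the obvious zombies without touching ordinary client traffic.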