Security Guideance

Bill Stewart nonobvious at
Thu Feb 25 01:54:28 UTC 2010

On Tue, Feb 23, 2010 at 11:46 AM, Paul Stewart
<pstewart at> wrote:
> The problem is that a user on this box appears to be launching high
> traffic DOS attacks from it towards other sites.  These are UDP based
> floods that move around from time to time - most of these attacks only
> last a few minutes.

Do the UDP floods have source-addresses that belong to your machine,
or are they spoofed?  Make sure you block that noise; depending on the
applications the users think they've implemented, do you need to allow
any outbound UDP other than 53?

Can you move the users onto virtual machines instead of real ones?
That can make it easier to isolate the problem users, or at least to
cram an IDS in front of it.

             Thanks;     Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.

More information about the NANOG mailing list