 From:  "pmok" <pmok at optushome dot com dot au>
 To:  "Matt McGuire" <mmcguire at o1 dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Stopping DoS attacks
 Date:  Sun, 23 May 2004 07:37:47 +1000
It's not a DoS... It's from those folks (Windows users) who are still
infected with either the Welchia virus (or related) and still don't
have a clue about it. (This is typically a significant amount of users
who are security illiterate... They weren't taught about basic network
security... And in all likelihood have not patched their systems or
updated their AV solution.)

You can't really stop it, only act defensively. Do what Chet Harvey
said: don't log it and drop it.

This is what ICMP is really used for... 

But of course, you can add "for virus spreading". 
(Thanks to Welchia and similar)...

If you suffer from DoS or DDoS, you'll see that your connection will
be really, really slow. (Some firewalls are overwhelmed and just freeze up,
requiring a manual reset.)

----- Original Message ----- 
From: "Matt McGuire" <mmcguire at o1 dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, May 23, 2004 4:13 AM
Subject: [m0n0wall] Stopping DoS attacks

> At times I am getting a lot of activity in the firewall logs.  I assume
> this is a DoS attack with ICMP?  Am I correct?  Also what is the best
> way to stop this from happening?  I do not let this traffic through,
> however the load on the firewall becomes so high that WAN access is
> slowed to a crawl. Below is one of many identical entries.
> 11:06:03.544257 sis1 @0:19 b -> PR icmp len 20 56
> icmp timxceed/transit for - PR icmp len 20 56 icmp
> 3/2 IN
> Thanks,
> Matthew