Craig:
2,000 PPS:
182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
[... on and on ...]
Tell me how to filter this.
Okay, the way this *might* be filtered involves a couple of steps:

(1) Set up logging (as you have done) and dump the data, saving the IP addresses (with port numbers); then

(2) Using documented stochastic methods, look for the hidden pattern in the pseudo-random sequences. There are computer programs to do this; sorry, I would have to do a search to find one (they exist, however). Note: The sequence above is too short to determine any pseudo-random pattern (of course). But keep in mind, all computer-generated 'random number' sequences are not truly random and they are generally determinate. Also, if a file is being used as a basis for the attack, perhaps it repeats itself (this is the easy case, not likely ;)

(3) Given it is possible to break the code, hack together some telnet 'update the router access-lists' based on the predictive algorithm. (another chapter, yet to be documented)

However, George is right in his conjecture that the problem becomes more difficult when you consider that there is 'good traffic' as well. Hence, the problem becomes a signal processing exercise of determining the signal (the good source addresses) from the noise (the bad source addresses). Admittedly, it is difficult (but hey, you ISPs wanted to get into the business and make the big bucks, so deal with it, and put those big profits to use, like all the other telecom folks have to do to protect their services :-)

ANYWAY, this type of counter-measure is not easily done, and I'm not sure that discussing the details in public is a good idea. I have already been called 'irresponsible' in private for discussing this technique.

BTW, do all the attacks have the same port and destination?

Thanks,
Tim
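As an added illustration of steps (1) and (2) above, not code from anyone in this thread: a small Python analysis that parses SYN log lines in the format Craig posted, groups sources per destination, and checks for the two easy-to-spot flood signatures Tim mentions (nearly all-distinct sources, or a source list that repeats itself). The log is constructed for the example; the first three source addresses are taken from Craig's post, the rest are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the same "src.port -> dst.port TCP SYN" form as the capture in
# the thread; the first three sources come from the post, the remaining lines are made up.
SAMPLE_LOG = """\
182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
182.58.239.2.1527 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10295 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4356 -> 172.30.15.5.80 TCP SYN
10.1.2.3.40000 -> 172.30.15.5.443 TCP SYN
10.1.2.3.40001 -> 172.30.15.5.443 TCP SYN
"""

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+) TCP SYN$")

def parse_syns(log):
    """Yield (src_ip, src_port, dst_ip, dst_port) per SYN line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def repeat_period(seq):
    """Smallest p with seq[i] == seq[i+p] for all i, i.e. the source list is being
    replayed (the 'file repeats itself' case in the thread); None if no repetition."""
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None

def syn_profile(log, min_syns=6):
    """Per (dst_ip, dst_port): SYN count, unique-source ratio and replay period.
    Flag a target once it has min_syns SYNs and either almost every source is distinct
    (random spoofing) or the sources cycle with period > 1 (replayed address list).
    Legitimate clients interleaved in the same stream defeat the period check, which
    is the signal-versus-noise caveat raised in the thread."""
    by_target = defaultdict(list)
    for src, _sport, dst, dport in parse_syns(log):
        by_target[(dst, dport)].append(src)
    report = {}
    for target, srcs in by_target.items():
        ratio = len(set(srcs)) / len(srcs)
        period = repeat_period(srcs)
        flagged = len(srcs) >= min_syns and (ratio > 0.9 or (period or 1) > 1)
        report[target] = {"syns": len(srcs), "unique_ratio": round(ratio, 2),
                          "period": period, "suspicious": flagged}
    return report
```

Run `syn_profile(SAMPLE_LOG)` to see the port-80 stream flagged with a replay period of 3 while the two SYNs from one host to port 443 are left alone.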