[Dailydave] nkiller2
Michael Graham
jmgraham at gmail.com
Thu Jun 11 14:05:03 EDT 2009
OK, after a few minutes with this, I'm not sure you can efficiently do much
about it outside of a complex IPS watching for and killing connections that
send too many "window size 0" in response to probes from your server, and
then hopefully blocking the IP entirely.
On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham <jmgraham at gmail.com> wrote:
> Filter on window size = 0 and total connections to a host from a host
> through whatever you're using for a stateful firewall
>
>
> On Thu, Jun 11, 2009 at 11:39 AM, dave <dave at immunityinc.com> wrote:
>
>> http://www.phrack.org/issues.html?issue=66&id=9#article
>>
>> Is it just me or can pretty much every web site in the world get turned
>> off now?
>>
>> I guess you could use iptables to drop the Window Size 0 packets?
>>
>> - -dave
>
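
The detection idea discussed in this thread (count zero-window advertisements per connection, then count such connections per source), sketched as an added example that is not code from the thread or from any poster. The function name, record fields, thresholds and sample packets are all assumptions constructed for illustration, and the input is assumed to be client-to-server segments only.

```python
from collections import Counter, defaultdict

ZERO_WIN_LIMIT = 3      # assumed: consecutive zero-window ACKs before a connection counts as stalled
STALLED_CONN_LIMIT = 2  # assumed: stalled connections from one source before it is flagged

def find_zero_window_sources(packets, zero_win_limit=ZERO_WIN_LIMIT,
                             stalled_conn_limit=STALLED_CONN_LIMIT):
    """Return (stalled_connections, flagged_sources) for client-to-server TCP segments.

    Each packet is a dict with src, sport, dst, dport, flags (e.g. "A", "PA", "R") and window.
    """
    streak = defaultdict(int)   # consecutive zero-window ACKs per connection
    stalled = set()
    for p in packets:
        conn = (p["src"], p["sport"], p["dst"], p["dport"])
        flags = p["flags"]
        if "R" in flags or "F" in flags:
            # Teardown: RSTs commonly carry window 0, so they are not evidence of a stall.
            streak.pop(conn, None)
            stalled.discard(conn)
            continue
        if "S" in flags or "A" not in flags:
            continue            # handshake or malformed segment, not a window update
        if p["window"] == 0:
            streak[conn] += 1
            if streak[conn] >= zero_win_limit:
                stalled.add(conn)
        else:
            # Window reopened: a slow but legitimate reader, so clear its state.
            streak[conn] = 0
            stalled.discard(conn)
    per_source = Counter(conn[0] for conn in stalled)
    flagged = {src for src, n in per_source.items() if n >= stalled_conn_limit}
    return stalled, flagged

def _pkt(src, sport, flags, window):
    # Constructed sample record; addresses are from documentation ranges.
    return {"src": src, "sport": sport, "dst": "192.0.2.10", "dport": 80,
            "flags": flags, "window": window}

SAMPLE_PACKETS = (
    [_pkt("198.51.100.7", port, "A", 0) for port in (40001, 40002) for _ in range(3)]
    + [_pkt("203.0.113.20", 51000, "A", 0)] * 2      # brief stall ...
    + [_pkt("203.0.113.20", 51000, "A", 8192)]       # ... then the window reopens
    + [_pkt("203.0.113.30", 52000, "R", 0)] * 4      # RSTs with window 0
)

if __name__ == "__main__":
    print(find_zero_window_sources(SAMPLE_PACKETS))
```
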