Dailydave mailing list archives
Re: nkiller2
From: Michael Graham <jmgraham () gmail com>
Date: Thu, 11 Jun 2009 14:05:03 -0400
OK after a few minutes with this I'm not sure you can efficiently do much about it outside of a complex IPS watching for and killing connections that send too many "windows size 0" in response to probes from your server, and then hopefully blocking the IP entirely. On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham <jmgraham () gmail com> wrote:
filter on Windows size = 0 and total connections to a host from a host thought whatever you're using for a statefull firewall On Thu, Jun 11, 2009 at 11:39 AM, dave <dave () immunityinc com> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.phrack.org/issues.html?issue=66&id=9#article Is it just me or can pretty much every web site in the world get turned off now? I guess you could use iptables to drop the Window Size 0 packets? - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoxJSgACgkQtehAhL0ghepRSACfUL94jijBDRck2MlOggEKja3e fbIAn0l6fMpWNlOy9ttVmRYubGDoUqfa =mGZB -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- nkiller2 dave (Jun 11)
- Message not available
- Re: nkiller2 Michael Graham (Jun 11)
- Re: nkiller2 David_Falloon (Jun 11)
- Re: nkiller2 Michael Graham (Jun 11)
- Message not available