From: Pasi Kärkkäinen
Subject: Re: Protecting against DoS
Date: Tue, 9 Dec 2003 18:51:46 +0200
Message-ID: <20031209165146.GD17221@edu.joroinen.fi>
In-Reply-To: <20031209094047.4dbb09f9.mgale@utilitran.com>
To: Michael Gale
Cc: netfilter@lists.netfilter.org

On Tue, Dec 09, 2003 at 09:40:47AM -0700, Michael Gale wrote:
> Hello,
>
> Can you provide more detail on the type of traffic that caused the DOS -- this may help people in the list with suggestions on how to block it :)
>

Yep.

It was tcp-connections from the windows box (infected by the worm) to some network-ranges on the internet. source-port was pretty much random, but the destination was always 80.

So the normal 'allow web browsing' rules allowed the worm to DoS the linux-firewall.

It just opened the connections all the time, but didn't close them.

> Michael.
>

-- Pasi Kärkkäinen

   ^
  . .
 Linux
 / - \
Choice.of.the
.Next.Generation.
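
Added example, not part of the original message or of netfilter: a way to spot the pattern described above (one inside host holding many never-closed connections to port 80 on many destinations) from the firewall's connection table. It assumes the firewall does connection tracking and that the table is read in the `/proc/net/ip_conntrack` text format; the function names, thresholds and sample rows are constructed for illustration.

```python
import re
from collections import defaultdict

# Original-direction tuple of a TCP entry in /proc/net/ip_conntrack text format.
ENTRY = re.compile(r"^tcp\s+\d+\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)\s+"
                   r"dst=(?P<dst>\S+)\s+sport=\d+\s+dport=(?P<dport>\d+)")

def per_source(lines, dport=80):
    """Count tracked TCP connections to `dport` per source address."""
    stats = defaultdict(lambda: {"total": 0, "unreplied": 0, "dests": set()})
    for line in lines:
        m = ENTRY.match(line)
        if not m or int(m["dport"]) != dport:
            continue
        s = stats[m["src"]]
        s["total"] += 1
        s["dests"].add(m["dst"])
        if "[UNREPLIED]" in line:      # no reply seen yet: half-open entry
            s["unreplied"] += 1
    return stats

def suspects(lines, max_conns=30, max_dests=20):
    """Sources holding more entries and distinct destinations than the
    (assumed) thresholds; ordinary browsing stays well below both."""
    return sorted(src for src, s in per_source(lines).items()
                  if s["total"] > max_conns and len(s["dests"]) > max_dests)

def constructed_sample():
    """Constructed table: one scanning host, one host browsing normally."""
    rows = []
    for i in range(1, 41):   # 10.0.0.23: 40 half-open connections, 40 targets
        rows.append(f"tcp      6 {60 + i} SYN_SENT src=10.0.0.23 dst=198.51.100.{i} "
                    f"sport={1024 + i} dport=80 [UNREPLIED] src=198.51.100.{i} "
                    f"dst=10.0.0.23 sport=80 dport={1024 + i} use=1")
    for i in range(1, 5):    # 10.0.0.7: 4 established connections, 2 servers
        rows.append(f"tcp      6 431990 ESTABLISHED src=10.0.0.7 dst=203.0.113.{i % 2 + 1} "
                    f"sport={3000 + i} dport=80 src=203.0.113.{i % 2 + 1} "
                    f"dst=10.0.0.7 sport=80 dport={3000 + i} [ASSURED] use=1")
    rows.append("udp      17 25 src=10.0.0.7 dst=192.0.2.53 sport=1030 dport=53 "
                "src=192.0.2.53 dst=10.0.0.7 sport=53 dport=1030 use=1")
    return rows

if __name__ == "__main__":
    table = constructed_sample()
    for src in suspects(table):
        s = per_source(table)[src]
        print(src, s["total"], "entries,", s["unreplied"], "unreplied,",
              len(s["dests"]), "destinations")
```

On a live firewall the input would be the lines of the connection table instead of `constructed_sample()`, with the thresholds tuned to what normal clients on that network hold open.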