Lucky Leavell wrote on Sat Sep 25 2004 - 05:08:42 CEST http://lists.suse.com/archive/suse-security/2004-Sep/0238.html

We are a small ISP using wireless (radio, not cellular) links and have been experiencing increasing incidents of DoS (SYN Flood and smurf) attacks. When first encountered, we built and deployed a bridging firewall using SuSE 9.1 and Shorewall which does exactly what it is designed to do: filter traffic entering or leaving the subnet it protects.

However, the statistics reveal that most of our attacks originate within the subnet and not from the outside (internet). We have been using ethereal to capture traffic and, using that to ID the source, cut them off only to have the attack resume from another system on the subnet... (snip)

Since most of our customers us M$ systems, we are thinking we have several infested with some sort of worm or trojan but it is a daunting task to identify the culprit and remedy the situation.

----<text trimmed>---

Questions:

1. What tools other than ethereal should we use? 2. Is there any other protective measure we can take to fend off the attacks from within our own networks given that we do not have total control of the network as a corporate user would? 3. (snip)

Any suggestions would be GREATLY appreciated including other lists we might frequent.

Thank you, Lucky Leavell

Hi Lucky, Earlier today I read: http://www.securityfocus.com/columnists/267 It might have an idea or two you can use because it seems to me that your first problem is how to educate your customers to aid you in solving the problem. As one reviewer of the above article said: Sooner or later it comes down to the Human Firewall guarding the network Friendly greetings, -- __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp