Handling DoS Attacks from within
We are a small ISP using wireless (radio, not cellular) links and have been experiencing increasing incidents of DoS (SYN flood and smurf) attacks. When first encountered, we built and deployed a bridging firewall using SuSE 9.1 and Shorewall which does exactly what it is designed to do: filter traffic entering or leaving the subnet it protects. However, the statistics reveal that most of our attacks originate within the subnet and not from the outside (internet). We have been using ethereal to capture traffic and, using that to ID the source, cut them off only to have the attack resume from another system on the subnet. For example, Machine A will SYN flood B, but it also affects every other user on the subnet by consuming bandwidth. If we shut A off, then shortly C will attack D, etc. Since most of our customers use M$ systems, we are thinking we have several infested with some sort of worm or trojan, but it is a daunting task to identify the culprit and remedy the situation.

What we have done:

1. Implement a bridging firewall to protect against attacks from the outside.
2. Implement full email filtering using SuSE/Postfix/amavis-new/clamAV/spamassassin.
3. Attempt to identify and deal with infested systems (really the customers' responsibility, but ...).

Questions:

1. What tools other than ethereal should we use?
2. Is there any other protective measure we can take to fend off the attacks from within our own networks, given that we do not have total control of the network as a corporate user would?
3. Are there particular worms or trojans which operate like this?

Any suggestions would be GREATLY appreciated, including other lists we might frequent.

Thank you,
Lucky Leavell
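Added example, not part of the original post: a small Python script that reads `tcpdump -nne`-style capture lines (a constructed sample is built inline) and reports, per source MAC, the hosts sending bursts of bare SYNs and the hosts sending ICMP echo requests to the broadcast address, which is what triggers a smurf. Keying on the MAC matters because the IP source of a smurf trigger is the spoofed victim, not the sender. The SYN threshold, the broadcast addresses and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Matches one "tcpdump -nne" line (IPv4 only); the sample below is constructed, not a real capture.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def classify(line):
    """Return ('syn', smac, src, dst), ('echo', smac, src, dst) or None."""
    m = LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags [S],"):          # bare SYN; a SYN-ACK shows as "Flags [S.]"
        return ("syn", m.group("smac"), m.group("src"), m.group("dst"))
    if rest.startswith("ICMP echo request"):
        return ("echo", m.group("smac"), m.group("src"), m.group("dst"))
    return None

def analyze(lines, syn_threshold=20, broadcast=("10.1.255.255", "255.255.255.255")):
    """Count bare SYNs per (MAC, IP) and echo requests to broadcast per (MAC, IP).
    Threshold is per capture here (assumption); in practice count per time window."""
    syns, echo_bcast = Counter(), Counter()
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        kind, smac, src, dst = rec
        if kind == "syn":
            syns[(smac, src)] += 1
        elif dst in broadcast:   # smurf trigger: src is the spoofed victim, smac is the real sender
            echo_bcast[(smac, src)] += 1
    return {"syn_flood": {k: v for k, v in syns.items() if v >= syn_threshold},
            "smurf": dict(echo_bcast)}

def sample_lines():
    """Constructed capture: A floods B with SYNs, C is a normal client, D sends echo to broadcast."""
    a, c, d, gw = "00:11:22:aa:aa:aa", "00:11:22:cc:cc:cc", "00:11:22:dd:dd:dd", "00:11:22:00:00:01"
    f = "12:00:00.{us:06d} {smac} > {dmac}, ethertype IPv4 (0x0800), length {ln}: {src} > {dst}: {rest}"
    lines = [f.format(us=i, smac=a, dmac=gw, ln=60, src=f"10.1.1.5.{40000+i}", dst="10.1.1.20.80",
                      rest=f"Flags [S], seq {i}, win 512, length 0") for i in range(25)]
    for i in range(3):   # a real handshake: SYN from C, SYN-ACK back from B
        lines.append(f.format(us=100+i, smac=c, dmac=gw, ln=60, src=f"10.1.1.7.{50000+i}",
                              dst="10.1.1.20.80", rest=f"Flags [S], seq {i}, win 65535, length 0"))
        lines.append(f.format(us=200+i, smac=gw, dmac=c, ln=60, src="10.1.1.20.80",
                              dst=f"10.1.1.7.{50000+i}", rest=f"Flags [S.], seq 9, ack {i+1}, win 65535, length 0"))
    lines += [f.format(us=300+i, smac=d, dmac="ff:ff:ff:ff:ff:ff", ln=98, src="10.1.1.9",
                       dst="10.1.255.255", rest=f"ICMP echo request, id 1, seq {i}, length 64") for i in range(5)]
    return lines

if __name__ == "__main__":
    print(analyze(sample_lines()))
```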
participants (1)
-
Lucky Leavell