Access Lists

Dan Boehlke dboehlke at mr.net
Thu Mar 26 08:23:41 UTC 1998


By looking at netflow stats or ip accounting I can usually find the host
being attacked by sorting the list by destination.  The source will point
to hosts on a net being used as a smurf packet replicator, giving a hint
who might need to be contacted to shut off directed broadcasts.  Netflow
stats even show it as being ICMP ECHO traffic if you look at the numeric
codes in the flow export.  Once you know who is being attacked, you can
call your upstream providers or peers and have it traced, but if you want
the traffic stopped and the attack is flooding your pipe, about all you
can do is stop the traffic from getting to you, so if you are BGP peering
with your neighbors, withdraw the network announcement for the victim and
the rest of your customers can continue to get their traffic.  This doesn't
help trace in, although given how older Cisco IOS code reacts to tossing
out unroutable packets, the intermediate hosts may find they have a
problem when their router CPU use hits 100%.

I too would rather have a good quick way to nail the people initiating
this sort of attack.  However I have also found that my customers who are
victims are seldom random and are usually doing something to attract the
attack, like running IRC bots or running a sendmail capable of being a
SPAM relay.  However I don't approve of vigilantism.  This stuff can be
taken care of in other ways.

On Thu, 26 Mar 1998, Phil Howard wrote:

> > You could just withdraw your BGP announcement for the net being attacked 
> > and suddenly the attack packets will die at the first router without a 
> > default route on their way to the victim.
> 
> ...along with everything else.  Do you have some way of determining which
> router that is?
> 
> -- 
> Phil Howard | stop6729 at s5p0a6m6.org w2x8y9z0 at lame1ads.net eat15me7 at no6place.net
>   phil      | no12ads7 at nowhere0.com die6spam at nowhere3.edu no70ads3 at dumb1ads.com
>     at      | eat06me3 at no20ads1.edu crash719 at no6where.com stop4909 at anywhere.net
>   milepost  | no12ads2 at anywhere.org stop2ads at spam7mer.net no0spam0 at no0where.edu
>     dot     | blow0me5 at spam5mer.org end6ads8 at lame4ads.org no3way57 at no4where.org
>   com       | stop7211 at no8where.net suck8it5 at dumbads3.net eat69me1 at no16ads1.edu
> 

--
Dan Boehlke, Senior Network Engineer                          M R N e t
Internet:  dboehlke at mr.net                       A MEANS Telcom Company
Phone:  612-362-5814                  2829 SE University Ave. Suite 200
WWW: http://www.mr.net/~dboehlke/                Minneapolis, MN  55414
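The triage Dan describes in his first paragraph (sort flows by destination to find the victim, then group the sources to find the replicator networks, using the ICMP type from the export) as an added example, not part of the original post. The flow records are constructed; the tuple layout and the ICMP type field are assumptions, not a real NetFlow parser.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample flows (not a real export). Tuple layout is an assumption:
# (src, dst, ip_protocol, icmp_type, icmp_code, packets). A smurf victim sees
# ICMP echo replies (proto 1, type 0) from many hosts on a few networks.
SAMPLE_FLOWS = [
    ("192.0.2.17",    "198.51.100.5",  1, 0, 0, 4200),
    ("192.0.2.34",    "198.51.100.5",  1, 0, 0, 3900),
    ("192.0.2.201",   "198.51.100.5",  1, 0, 0, 4100),
    ("203.0.113.9",   "198.51.100.5",  1, 0, 0, 2800),
    ("203.0.113.77",  "198.51.100.5",  1, 0, 0, 3000),
    ("198.51.100.5",  "192.0.2.17",    1, 8, 0,   12),  # ordinary outbound ping
    ("198.51.100.20", "198.51.100.40", 6, 0, 0,  500),  # unrelated TCP flow
    ("10.0.0.3",      "198.51.100.40", 17, 0, 0,  30),  # unrelated UDP flow
]


def packets_by_destination(flows):
    """Rank destinations by packet count; the top entry is the likely victim."""
    totals = Counter()
    for _src, dst, _proto, _itype, _icode, pkts in flows:
        totals[dst] += pkts
    return totals.most_common()


def echo_reply_sources(flows, victim, prefix_len=24):
    """Group echo-reply sources aimed at the victim by network.

    Each network returned is a candidate replicator whose operator should be
    asked to disable directed broadcasts. prefix_len is an assumption (/24).
    """
    nets = defaultdict(int)
    for src, dst, proto, itype, _icode, pkts in flows:
        if dst == victim and proto == 1 and itype == 0:
            nets[str(ip_network(f"{src}/{prefix_len}", strict=False))] += pkts
    return sorted(nets.items(), key=lambda kv: kv[1], reverse=True)


def find_victim_and_replicators(flows):
    """Return (victim address, [(replicator network, packets), ...])."""
    victim = packets_by_destination(flows)[0][0]
    return victim, echo_reply_sources(flows, victim)


if __name__ == "__main__":
    victim, nets = find_victim_and_replicators(SAMPLE_FLOWS)
    print("victim:", victim)
    for net, pkts in nets:
        print(f"  replicator net {net}: {pkts} echo-reply packets")
```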




More information about the NANOG mailing list