New Denial of Service Attack on Panix

Craig A. Huegen c-huegen at quad.quadrunner.com
Tue Sep 17 04:16:53 UTC 1996


On Mon, 16 Sep 1996, Tim Bass wrote:

==>(1) Set up logging (as you have done) dump the data saving the
==>(2) Using documented stochastic methods, look for the hidden
==>(3) Given it is possible to break the code,  hack together some

This would be a great thing, if only the tools were written.
Unfortunately, at this time, it would take a lot of human work just to
build the tools to look for patterns (or for the humans to look for
patterns themselves).

(BTW, most source-address spoofing code I've seen involves the random()
function, and seeds the random-number generator frequently as well--you'd
really have to have sophisticated hardware to analyze all of this)

At this point, the only REAL solution we have is to take the following
steps and ask our neighboring NSPs/direct providers to:

1) Educate customers and ask their commitment to add outbound
access-lists allowing only those packets sourced from their CIDR blocks
(for stub networks).

2) Dedicate some resources to tracing these attacks and pressuring the
upstream providers involved in attacks to do the same.

==>BTW, do all the attacks have the same port and destination?

Yes, they do.  However, so does all legitimate traffic to my web server.

/cah

----
Craig A. Huegen  CCIE #2100                       ||        ||
Network Analyst, IS-Network/Telecom               ||        ||
cisco Systems, Inc., 250 West Tasman Drive       ||||      ||||
San Jose, CA  95134, (408) 526-8104          ..:||||||:..:||||||:..
email: chuegen at cisco.com                    c i s c o  S y s t e m s
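The outbound source-address filter from step 1 of the message above, worked through as an added example (not code from the original post or from Cisco): a stub network's router forwards a packet upstream only if its source lies in one of the customer's own CIDR blocks, and the same policy is rendered as IOS extended access-list lines. The two prefixes are RFC 5737 documentation ranges standing in for a hypothetical customer's blocks, the ACL number and interface name are assumptions, and the packet list is constructed here, including a spoofed source that falls inside the customer's own block, which this filter by design cannot catch.

```python
"""Egress (source-address) filtering for a stub network.

Added example, not from the original post. CUSTOMER_BLOCKS are RFC 5737
documentation prefixes used as a hypothetical customer's assigned CIDR blocks.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical stub network: the two CIDR blocks assigned to this customer.
CUSTOMER_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample of (src, dst, dport) headers leaving the customer's network:
# legitimate web traffic plus SYN-flood packets with random() spoofed sources.
SAMPLE_PACKETS: List[Tuple[str, str, int]] = [
    ("192.0.2.10", "203.0.113.5", 80),       # legitimate host in the /24
    ("192.0.2.77", "203.0.113.5", 80),       # spoofed, but inside the /24: passes
    ("45.9.8.7", "203.0.113.5", 80),         # random spoofed source: dropped
    ("10.0.0.1", "203.0.113.5", 80),         # private source: dropped
    ("198.51.100.200", "203.0.113.5", 80),   # outside the /25 (host > 127): dropped
]


def egress_allowed(src: str, blocks: Iterable[ipaddress.IPv4Network] = CUSTOMER_BLOCKS) -> bool:
    """True only if the source address lies in one of the customer's own blocks.
    Anything else is a spoofed or misrouted source and must not leave the network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in blocks)


def filter_packets(packets: Iterable[Tuple[str, str, int]],
                   blocks: Iterable[ipaddress.IPv4Network] = CUSTOMER_BLOCKS):
    """Split packets into (forwarded, dropped) according to egress_allowed()."""
    blocks = list(blocks)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_allowed(pkt[0], blocks) else dropped).append(pkt)
    return forwarded, dropped


def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """IOS access-lists take an inverted netmask (wildcard): 0 bits must match."""
    return str(net.hostmask)


def ios_egress_acl(blocks: Iterable[ipaddress.IPv4Network],
                   acl_number: int = 101, interface: str = "Serial0") -> List[str]:
    """Render the policy as IOS extended access-list lines applied outbound on
    the upstream-facing interface. ACL number and interface name are assumptions."""
    lines = [
        f"access-list {acl_number} permit ip {net.network_address} {wildcard_mask(net)} any"
        for net in blocks
    ]
    lines.append(f"access-list {acl_number} deny ip any any log")
    lines += [f"interface {interface}", f" ip access-group {acl_number} out"]
    return lines


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for pkt in drop:
        print("  dropped spoofed source:", pkt[0])
    print("\n".join(ios_egress_acl(CUSTOMER_BLOCKS)))
```

The `deny ... log` line is what makes step 2 (tracing) possible on the customer side: dropped packets identify the host inside the stub network that is emitting spoofed sources. The filter says nothing about a source forged from within the customer's own block, which is why the provider still has to be able to trace by interface rather than by source address.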