Growing DoS attacks

Tom Sands tsands at
Wed Jan 16 18:51:25 UTC 2002

    We have anti-spoofing filters applied, however apparently a large number of
ISPs obviously still see them as unnecessary.  The attacks are a combination of
spoofed and real IP's.

    The trend there seems to be that if the attack is high PPS but low
bandwidth, the majority of those are spoofed.  Now a recent trend has been lower
PPS (increased size) and high bandwidth.  The ones that we have been able to
track successfully are coming from real sources, and have indeed been due to
things such as nimda.

    There have been several instances of people that were caught doing this
against us with approximately 1000 - 1500 servers under control via nimda, but
being able to notify the owners of all those servers is next to impossible.

Tom Sands
Chief Network Engineer
RackSpace Managed Hosting
tsands at

Jared Mauch wrote:

>         are you seeting these attacks be related to the lack of
> anti spoofing filters?  where do they tend to be originating these
> days?
>         i suspect that 1) smurf amps that are still not fixed, 2)
> high speed connectivity at homes (cable, .. some dsl still,) are allowing
> people to send spoofed packets at higher rates.
>         that combined and the number of windows based servers that
> have been exploited (nimda, etc..) and those can be used also to send
> spoofed packets at higher rates.
>         - jared
> On Wed, Jan 16, 2002 at 11:45:05AM -0600, Paul Froutan wrote:
> > Hello all,
> > Can some of you with larger networks let me know about the volume of the
> > DoS attacks you have experienced lately?  Our experience has been that the
> > volume (not just occurrence) is going up significantly and I'm curious on
> > the size of attacks that people are experiencing.  For reference, while a
> > year or two ago we used to get 50-100 meg attacks, now we're getting 500+
> > megs.
> > Thanks
> >
> > _________________________________________
> > Paul Froutan, VP Engineering and Operations
> > Rackspace Managed Hosting
> > Email: pfroutan at
> > ----------------------------------------------------------------------
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (
> > Version: 6.0.313 / Virus Database: 174 - Release Date: 1/2/2002
> --
> Jared Mauch  | pgp key available via finger from jared at
> clue++;      |  My statements are only mine.

More information about the NANOG mailing list