Growing DoS attacks

Clayton Fiske clay at
Wed Jan 16 22:23:02 UTC 2002

On Wed, Jan 16, 2002 at 01:18:14PM -0500, Jared Mauch wrote:
> 	are you seeting these attacks be related to the lack of
> anti spoofing filters?  where do they tend to be originating these
> days?
> 	i suspect that 1) smurf amps that are still not fixed, 2)
> high speed connectivity at homes (cable, .. some dsl still,) are allowing
> people to send spoofed packets at higher rates.
> 	that combined and the number of windows based servers that
> have been exploited (nimda, etc..) and those can be used also to send
> spoofed packets at higher rates.

Our network is pretty much entirely end users. At the moment, we're
seeing a non-spoofed DDoS attack that's been ongoing for several days.
I've been trying to track and block, but the problem is that it seems
to be many different users with infected machines and only one or two
at a time are actually sending packets (SYNs at that, so not so easy
to blanket filter even in the short-term) at any given time. I watched
it for several hours and I would see one user send 10-50k packets then
stop, then the next user, etc. In the whole time I was watching I never
saw the same IP twice. I thought it could be spoofing, but as I ran
pings on whichever source IP I saw I got no response, then when they
stopped attacking I would start to get ping responses. I'm still at it,
but as I approached 100 unique sources I realized there's probably not
a lot of hope of effectively blocking it. I could filter the destination
for that entire pop, but:

a) I can almost guarantee I would be "administratively prohibited" from
   doing so, given the popularity of the site in question.

b) It's a major website with gobs of bandwidth, which thus far seems
   entirely unaffected by the attack. I am contacting them to verify
   this, but every time I've checked the page comes up instantly and
   there's no latency to speak of in traceroutes.

c) The amount of time the filter would have to stay in place is
   unknown (so same reason as a) basically) because of the amount
   of administrative hassle to track down every user and not only
   block them but also get them to fix it (which, without having any
   real idea what agent they're running, will be difficult in itself).

We are still working at this, but I'm wondering whether any other DSL
or cable providers out there are seeing similar.


More information about the NANOG mailing list