Growing DoS attacks
tvhawaii at shaka.com
Wed Jan 16 23:43:55 UTC 2002
Has anyone tried running something like this?
----- Original Message -----
From: "Clayton Fiske" <clay at bloomcounty.org>
To: "Jared Mauch" <jared at puck.Nether.net>
Cc: "Paul Froutan" <pfroutan at rackspace.com>; <nanog at merit.edu>
Sent: Wednesday, January 16, 2002 12:23 PM
Subject: Re: Growing DoS attacks
> On Wed, Jan 16, 2002 at 01:18:14PM -0500, Jared Mauch wrote:
> > are you seeting these attacks be related to the lack of
> > anti spoofing filters? where do they tend to be originating these
> > days?
> > i suspect that 1) smurf amps that are still not fixed, 2)
> > high speed connectivity at homes (cable, .. some dsl still,) are allowing
> > people to send spoofed packets at higher rates.
> > that combined and the number of windows based servers that
> > have been exploited (nimda, etc..) and those can be used also to send
> > spoofed packets at higher rates.
> Our network is pretty much entirely end users. At the moment, we're
> seeing a non-spoofed DDoS attack that's been ongoing for several days.
> I've been trying to track and block, but the problem is that it seems
> to be many different users with infected machines and only one or two
> at a time are actually sending packets (SYNs at that, so not so easy
> to blanket filter even in the short-term) at any given time. I watched
> it for several hours and I would see one user send 10-50k packets then
> stop, then the next user, etc. In the whole time I was watching I never
> saw the same IP twice. I thought it could be spoofing, but as I ran
> pings on whichever source IP I saw I got no response, then when they
> stopped attacking I would start to get ping responses. I'm still at it,
> but as I approached 100 unique sources I realized there's probably not
> a lot of hope of effectively blocking it. I could filter the destination
> for that entire pop, but:
> a) I can almost guarantee I would be "administratively prohibited" from
> doing so, given the popularity of the site in question.
> b) It's a major website with gobs of bandwidth, which thus far seems
> entirely unaffected by the attack. I am contacting them to verify
> this, but every time I've checked the page comes up instantly and
> there's no latency to speak of in traceroutes.
> c) The amount of time the filter would have to stay in place is
> unknown (so same reason as a) basically) because of the amount
> of administrative hassle to track down every user and not only
> block them but also get them to fix it (which, without having any
> real idea what agent they're running, will be difficult in itself).
> We are still working at this, but I'm wondering whether any other DSL
> or cable providers out there are seeing similar.
More information about the NANOG