Growing DoS attacks

Jared Mauch jared at
Wed Jan 16 23:51:01 UTC 2002

	Something that people may want to consider doing is
that assuming you are using hardware/software that can support
rate-limit of specific packet types/rates, you could
generate some rate-limits to limit specific types of traffic
to various ranges.

	You can also use these initially to sample the traffic
sufficiently that one can determine what your typical rate is.


	Create access-list that matches icmp echo+echo-reply
	Assuming a ds3/oc3/oc12 uplink, you can create a rate-limit
on the router that limits the traffic to 1.5M with a burst to 2M.

	You can also do "sh int rate" on a cisco router to determine if
these rates are what you are typically forwarding.  You obviously need
to adjust these somewhat over time as your traffic and network patterns

	You can do the same for tcp-syn http, etc.. by creating multiple
rate-limits.  (this is assuming cisco devices running 12.0S w/ the
appropriate linecards that support this feature set just as an example.
your mileage and network topology/linecard mix may not completely support
this.  please consult your appropriate vendor as most vendors these days
can support these features.  i'm just using cisco example as baseline).

	Once you figure this out you can then police your network traffic
or possibly apply the same types of rate-limits on customer facing
interfaces (esp. colo that tends to have high bw available but don't use it
all the time).

	This is not based on any real-life experiences so collect your own
data, but this may be useful for people to do.

	The problem of internet security and keeping your host(s) secure
I think is the most important.  Most software vendors are starting to ship
[almost, if not] secure out of the box at this point.  The challenge is
upgrading all the existing hosts.  There doesn't appear to be a good way
to notify everyone unless it turns into a "cnn" type event where all the
nightly news people are covering it.  This also misses a large portion of
the international community.  The local media should take it upon themselves
to help notify people to update their machines as well as the software
distributors and hardware people that sell prepackaged software (windows
for example) that is installed.  include the cost of postage and
printing costs for mailing the users a postcard for the next 3 years once
a month with all the things they should check their machines for.

	it's a challenge.  hopefully everyone involved can step up and 
secure their networks to the [known] intrusion methods that allow abuse.

	- jared
On Wed, Jan 16, 2002 at 02:24:10PM -0700, Barb Dijker wrote:
> At 11:45 AM 1/16/02 -0600, Paul Froutan wrote:
> >Hello all,
> >Can some of you with larger networks let me know about the volume of the 
> >DoS attacks you have experienced lately?  Our experience has been that the 
> >volume (not just occurrence) is going up significantly and I'm curious on 
> >the size of attacks that people are experiencing.  For reference, while a 
> >year or two ago we used to get 50-100 meg attacks, now we're getting 500+ 
> >megs.
> I don't have a large network, but I had three yesterday morning
> between 7 and 10am MST and apparently one last night between 11:30pm and 2am
> MST that rippled through until 5am.  That is way high.  We typically see one
> every six months or so (modulo worms).  These appeared to be customer hosts as
> unwitting dDoS participants... smaller than usual effects probably because we
> had participants/sources rather than targets, but one yesterday was big enough
> to take us down.  Unix servers.  No spoofing or amps involved (we filter).
> High pps, average packet size down to 66 bytes. Didn't snag a capture.
> These were not nimda or any form thereof as we have cut off
> folks who were not fully patched.
> ...Barb

Jared Mauch  | pgp key available via finger from jared at
clue++;      |  My statements are only mine.
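
The ICMP rate-limit described in the message above, written out as Cisco CAR configuration in two stages (measure, then enforce). This is an added example, not part of the original message. ACL number 102, interface POS1/0, and the reading of "burst to 2M" as 2 Mbit (250000 bytes) are assumptions.

```cisco
! Added example. ACL 102 and interface POS1/0 are placeholders.
! CAR takes the rate in bits per second (multiples of 8000) and the
! burst sizes in bytes. 1504000 bps approximates the 1.5M in the text;
! 250000 bytes is an assumed reading of "burst to 2M" as 2 Mbit.
!
! Match ICMP echo and echo-reply only.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
! Stage 1: measure. Both actions transmit, so nothing is dropped, but
! the conformed/exceeded counters show how often ICMP passes the limit.
interface POS1/0
 rate-limit input access-group 102 1504000 250000 250000 conform-action transmit exceed-action transmit
!
! Read the counters (the "sh int rate" step in the text):
!   show interfaces POS1/0 rate-limit
!
! Stage 2: enforce, once the counters show that normal traffic conforms.
! Remove the stage 1 rule first so only one rule for ACL 102 remains.
interface POS1/0
 no rate-limit input access-group 102 1504000 250000 250000 conform-action transmit exceed-action transmit
 rate-limit input access-group 102 1504000 250000 250000 conform-action transmit exceed-action drop
```

The same pattern applies to other traffic classes such as TCP SYN: one extended ACL and one rate-limit line per class.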
