Growing DoS attacks

Avleen Vig lists-nanog at silverwraith.com
Thu Jan 17 00:18:25 UTC 2002


On Wed, 16 Jan 2002, Jared Mauch wrote:
> I think the point is that (despite everyone's thoughts
> that use it) IRC is not considered a super-important network service
> these days.  If the irc server is dampened or the attack can't reach it
> it just penalizes the compromised host(s) network(s) more than the
> person who hosts the irc server.

I don't know if I can totally agree with that :)
I have run an IRC server, and have been the subject of a variety of DoS
and DDoS attacks in the past.

Some of the attacks have had almost an intelligence behind them.
When a server's immediate uplink is a T1 (or equiv), there has been just
enough traffic to flood it (e.g., T1+1mb).
When the server's uplink has been a 155Mb link, there's again been just
enough traffic to flood that (e.g., 155+10Mb).

In each case, turning off the ircd, or blocking ICMP / TCP / UDP /
whatever packets going to that server upstream have stopped the floods in
seconds.

This leads me to believe there are at least 2 types of flooders out there:
Flooders who are careful how much of their resource they use, and
flooders who don't care and would try to cram 1Gb/s down your tiny T1
given the chance.

In either case I believe IRC can be considered an important service, if
only for the reason that it can keep the attackers attracted. If there
was no IRC I'm sure they'd go after more critical services!

-- 
Avleen Vig
Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf




More information about the NANOG mailing list