Effective ways to deal with DDoS attacks?
Richard A Steenbergen
ras at e-gerbil.net
Thu May 2 15:58:04 UTC 2002
On Wed, May 01, 2002 at 11:29:46PM -0600, Pete Kruckenberg wrote:
>
> We do have a fairly aggressive security group that
> identifies compromised machines and assists customers in
> properly securing them. We can be fairly certain that the
> way these hosts are responding to this DoS attack is not as
> a result of being compromised, but a "normal" IP stack
> implementation.
Please please please please please tell me you are doing ingress filtering
so the compromised boxes you host aren't spewing totally random source
addresses on the internet.
Not that it matters though, it's still pretty difficult to find the box in
question. DDoS programs have been "auto-probing" for the best src address
method to use for some time now (almost since their birth). For example,
say a box is compromised on a network which does ingress filtering. The
packet program detects this, and instead of randomizing the IP with every
packet, it picks a single random IP by spoofing the last octet. In the
interesting environments (like a college dorm network) this gets past most
people's ingress filters, since they're usually not exactly providing layer
3 all the way to the student. So when you send in a DoS complaint about
1.2.3.182, the campus computer nerd looks it up, and goes to knock on that
person's door. Little do they know that the actual compromised machine is
1.2.3.97 spoofing it. You ever tried explaining this to the campus nerd?
Not pretty!
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
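An added example, not part of the post above: a small Python model of the situation described, with a prefix-based ingress filter (the BCP 38 style check an edge router applies to a customer /24) run against both spoofing modes, fully random sources and "spoof the last octet". Every address, MAC and lease record is constructed, and the closing lookup by layer-2 source address is an added suggestion for how to find the real box, assuming the spoofing tool rewrites only the IP header so the frame's source MAC still belongs to the compromised host.

```python
"""Prefix-based ingress filter versus random-source and last-octet spoofing.
All addresses, MACs and lease records are constructed for this example."""
import ipaddress
import random

# Constructed dorm network. The campus edge filters on the /24 it routes to
# the dorm but has no per-host (layer 3) knowledge of what sits inside it.
DORM_PREFIX = ipaddress.ip_network("1.2.3.0/24")
ATTACKER_IP = "1.2.3.97"   # the actually compromised machine (constructed)


def mac_for(ip: str) -> str:
    """Constructed per-host MAC derived from the last octet (example only)."""
    return "00:11:22:33:44:%02x" % ipaddress.ip_address(ip).packed[-1]


# Constructed DHCP/ARP lease table the campus admin would consult.
LEASES = {str(h): (mac_for(str(h)), "room %d" % h.packed[-1])
          for h in DORM_PREFIX.hosts()}


def ingress_filter_passes(src: str, prefix=DORM_PREFIX) -> bool:
    """Prefix-based ingress filter: a packet passes only if its source lies
    inside the prefix assigned to the interface it arrived on."""
    return ipaddress.ip_address(src) in prefix


def random_source(rng: random.Random) -> str:
    """Classic mode: a fresh random 32-bit source address for every packet."""
    return str(ipaddress.ip_address(rng.getrandbits(32)))


def last_octet_source(rng: random.Random, real_ip: str = ATTACKER_IP) -> str:
    """Fallback mode: keep the attacker's own /24, randomise only the last
    octet, so the spoofed source is a neighbour rather than a stranger."""
    net = ipaddress.ip_network(f"{real_ip}/24", strict=False)
    candidates = [str(h) for h in net.hosts() if str(h) != real_ip]
    return rng.choice(candidates)


def probe_spoof_mode(filter_fn, rng: random.Random, probes: int = 16) -> str:
    """Model the tool's auto-probing: if none of a handful of fully random
    sources gets through the filter, fall back to last-octet spoofing."""
    if any(filter_fn(random_source(rng)) for _ in range(probes)):
        return "random"
    return "last_octet"


def flood(filter_fn, seed: int = 2002, count: int = 1000) -> dict:
    """Emit `count` packets in whichever mode probing selected and report what
    the upstream sees. In last-octet mode the tool picks ONE spoofed IP and
    reuses it, exactly the address that ends up in the abuse complaint.
    Assumption of this example: only the IP header is rewritten, so the
    frame's source MAC is still the attacker's real MAC."""
    rng = random.Random(seed)
    mode = probe_spoof_mode(filter_fn, rng)
    if mode == "random":
        sources = [random_source(rng) for _ in range(count)]
    else:
        fixed = last_octet_source(rng)
        sources = [fixed] * count
    passed = [s for s in sources if filter_fn(s)]
    return {"mode": mode,
            "passed": len(passed),
            "complaint_src": passed[0] if passed else None,
            "src_mac": mac_for(ATTACKER_IP)}


def locate_by_ip(complaint_src: str, leases=LEASES) -> str:
    """What the admin does with the complaint: look the IP up and knock."""
    return leases.get(complaint_src, (None, "unknown"))[1]


def locate_by_mac(src_mac: str, leases=LEASES):
    """Added check: match the layer-2 source seen on the wire against the
    lease table instead, which points at the host that really sent it."""
    for ip, (mac, room) in leases.items():
        if mac == src_mac:
            return ip, room
    return None, "unknown"


if __name__ == "__main__":
    seen = flood(ingress_filter_passes)
    print("mode chosen by probing:", seen["mode"])
    print("packets past the filter:", seen["passed"])
    print("complaint will name:", seen["complaint_src"],
          "->", locate_by_ip(seen["complaint_src"]))
    print("layer-2 source points at:", locate_by_mac(seen["src_mac"]))
```

Run as-is, the filter blocks every fully random source, the tool settles on a single spoofed neighbour inside 1.2.3.0/24, all of its packets pass the prefix filter, and an IP lookup sends the admin to the wrong room. Only the layer-2 correlation (switch CAM table, DHCP snooping or a capture with source MACs, rather than the bare IP) lands on the compromised host; a tool that also forges the source MAC defeats this too, which is why the post's complaint about the difficulty stands.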