ICANN Targets DDoS Attacks

Jared Mauch jared at puck.Nether.net
Wed Oct 30 02:05:40 UTC 2002


On Tue, Oct 29, 2002 at 06:00:06PM -0500, Ken Chase wrote:
> On Tue, Oct 29, 2002 at 04:11:49PM -0500, Jared Mauch's all...
> 
> > 	Once again, I'd like to see (other than a performance
> > checking customer) generate more than 2Mb/s of icmp.echo and icmp.echo-reply
> > packets that are legit and not part of a DoS.  This is quite rare.
> 
> little blip in the internet, and all your intelligent customers running
> linux use their leet tools to figure out what's wrong. They all run
> mtr vs their preferred sites. Mtr generates one ICMP packet (~80 bytes?)
> of traffic PER hop in the trace. A route of 20+ hops, means 1600 bytes/s
> per customer (that's 12.8Kbps). 150 customers later you got 2Mbps of
> traffic (2Mb/s is 2 megaBIT per second right? you didn't mean 2 mega BYTES
> per second? in which case *8).
> 
> Is 150 customers a large number?
> 
> And there are lots of nice graphical traceroute tools for windoze as well
> of course, don't know their packet load in full operation however.
> 
> Silly me, sometimes I leave mtrs running. I've found 2-3 going all at
> once at times. <slap!/>
> 
> Why is ICMP rate limiting on ECHO and ECHO reply going to stop all DOS
> attacks?  What are they going to do about UDP floods? (Are they proposing

	I don't recall saying it will stop all DoS attacks.

	It will help minimize them.

	Please discontinue imagination.  You obviously don't understand how
traceroute works by sending udp packets and getting icmp ttl expired
messages back which are not icmp {echo,echo-reply}.  Come back when you do
understand how it works.  /sigh

> that DDOS attacks are all smurf based? They've just found a solution to 1996's
> problems? Amazing!)

	They're not, but there is still a large amount of things that
just do ping -f <10.2.3.4> and similar types of attacks.  If you know
what your usual patterns are, it's easy to notice what is out of
place.

> [ hopefully this post makes it to nanog. my posts've been going to /dev/null
> with previous attempts ]
> 
> /kc
> 
> > 
> > 	Do your own stats and test your hardware.
> > 
> > 	- jared
> > 
> > -- 
> > Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> > clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> 
> -- 
> Ken Chase, math at velocet.ca  *  Velocet Communications Inc.  *  Toronto, CANADA 

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
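
The measurement this message asks operators to make, as an added example that is not part of the original post: count only ICMP echo (type 8) and echo-reply (type 0) bits per second, leave TTL-expired (type 11) out, and flag seconds above the 2 Mb/s figure or far above the usual rate. The packet tuples, the `factor` multiplier and all function names are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

ECHO_TYPES = {0, 8}        # ICMP echo-reply and echo; type 11 (time exceeded) is not counted
CEILING_BPS = 2_000_000    # the 2 Mb/s figure discussed in the thread

def build_sample():
    """Constructed packet summaries: (second, protocol, icmp_type, bytes)."""
    pkts = []
    for sec in range(6):
        pkts += [(sec, "icmp", 8, 84)] * 100    # ordinary pings
        pkts += [(sec, "icmp", 0, 84)] * 100    # their replies
        pkts += [(sec, "icmp", 11, 80)] * 500   # TTL-expired replies to traceroutes
        pkts += [(sec, "udp", None, 60)] * 300  # unrelated UDP
    pkts += [(4, "icmp", 8, 84)] * 4000         # constructed echo burst in second 4
    return pkts

def echo_bps(packets):
    """Bits per second of ICMP echo/echo-reply only, keyed by second."""
    bits = defaultdict(int)
    for sec, proto, icmp_type, size in packets:
        if proto == "icmp" and icmp_type in ECHO_TYPES:
            bits[sec] += size * 8
    return dict(bits)

def out_of_place(packets, ceiling=CEILING_BPS, factor=5):
    """Seconds whose echo rate exceeds the ceiling or factor x the median rate."""
    rates = echo_bps(packets)
    if not rates:                      # no echo traffic at all: nothing to flag
        return []
    baseline = median(rates.values())  # the "usual pattern" for this sample
    return [(sec, bps, round(bps / baseline, 1))
            for sec, bps in sorted(rates.items())
            if bps > ceiling or bps > factor * baseline]

if __name__ == "__main__":
    for sec, bps, ratio in out_of_place(build_sample()):
        print(f"second {sec}: {bps} b/s of echo traffic, {ratio}x the usual rate")
```
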


