ICANN Targets DDoS Attacks

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Oct 31 03:13:11 UTC 2002


On Wed, 30 Oct 2002 13:35:38 PST, "Crist J. Clark" said:

(OK.. *technically*, Crist is correct.. you can't tell.. but still)

> On the classless Internet, how does any router know what is or is not
> a broadcast address when the final destination is not local?

Bitch bitch whine whine.

Why is it that the people who *RUN* the network have so much difficulty
identifying such things, when a bunch of script kiddies(*) can put up a
web site with a nice list, sorted by number of generated packets per
ping packet?  If all other creativity fails, visit the website, see if
any of the addresses fall into your customer's space, and call them if
you find any.

Let's face it - this wouldn't be an issue if it wasn't well within the
ability of the average 15-year-old pimply-faced script kiddie to figure
out.

OK. Sorry. It's been waaay too long a day, I'm done venting now. ;)

On a more practical note, you don't really care *that* much about an ICMP Echo
Request coming out of one of your customers (at least as long as the address is
in their space, but that's just ingress/egress filtering ;) heading to some
address at an ISP in some Third World country.  And as noted, there isn't much
you can do about it.  What you *do* care about is a packet coming in and headed
to one of your customer's broadcast addresses.  You care because if they're a
smurf amp, you're about to get hit by a packet flurry, and because you're close
enough to be able to *do* something about it. And let's face it - if you've
sold them a /24(**), then the .255 address is quite likely a broadcast packet (even
if they have subnetted the /24 - think about it).  The only other option is if
they've used a /31 to number a router link at the very top of their space - and
in that case, re-read RFC3021, section 2.2.1 ;)

OK.. Now where did I leave my asbestos underwear? ;)

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

(*) And yes, I know that the *famous* list isn't done by script kiddies,
but it's not the only one. ;)

(**) And don't whine about if you sold them something other than a /24 -
there's enough /24's to make it worthwhile....