WANTED: ISPs with DDoS defense solutions

Christopher L. Morrow chris at UU.NET
Tue Aug 5 19:02:02 UTC 2003




>
> On Tue, 5 Aug 2003, Christopher L. Morrow wrote:
>
> > > Spoofed packets are harder to trace to the source than non-spoofed
> > > packets. Knowing where a malicious packet is very important to the
> >
> > this is patently incorrect: www.secsup.org/Tracking/ has some information
> > you might want to review. Tracking spoofed attacks is infact EASIER than
> > non-spoofed attacks, especially if your network has a large 'edge'.
>
> Errr... you don't need to _track_ non-spoofed attacks - you _know_ where
> the source is.  Instead of going box to box back to the source (most
> likely across several providers) you can immediately go to _their_
> provider.

so long as you are sure they aren't spoofed, yes. The point I mis-made was
that tracking the spoofed attacks back to your edge is quicker since in
many cases the non-spoofed attacks come from 'everywhere' so blocking
traffic becomes a null route very quickly :( (unless the upstreams from
your edge device can absorb the load and the protocol/ports being flooded
are not critical to the business of the box being hammered.



More information about the NANOG mailing list