The impending DDoS storm
Jason Frisvold
friz at corp.ptd.net
Wed Aug 13 15:07:11 UTC 2003
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
> More info:
>
> -Opens a raw socket and spoofs its source address
It *appears* to us through current testing that the source address
spoofed is always within the class of the current subnet... So, a
spoofing filter that denies all but the local subnet may only be
partially effective..
> -Randomizes its source port, but destination is always TCP/80
> -Does one DNS lookup on "windowsupdate.com" and then uses the IP
> returned
> -The window size is always 16384 (this might be useful)
It also looks like there is no throttling at all.. it abuses as much
bandwidth as it possibly can...
>
> Regards,
> ===============================
> Daniel Ingevaldson
> Engineering Manager, X-Force R&D
> dsi at iss.net
> 404-236-3160
>
> Internet Security Systems, Inc.
> The Power to Protect
> http://www.iss.net
> ===============================
>
>
> -----Original Message-----
> From: Jason Frisvold [mailto:friz at corp.ptd.net]
> Sent: Wednesday, August 13, 2003 10:50 AM
> To: Ingevaldson, Dan (ISS Atlanta)
> Cc: Stephen J. Wilcox; nanog at merit.edu
> Subject: RE: The impending DDoS storm
>
>
> On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
> > It might be somewhat tricky to block TCP/80 going to
> > windowsupdate.com.
>
> I agree... but then, who needs updates anyways.. *grin*
>
> > Regards,
> > ===============================
> > Daniel Ingevaldson
> > Engineering Manager, X-Force R&D
> > dsi at iss.net
> > 404-236-3160
> >
> > Internet Security Systems, Inc.
> > The Power to Protect
> > http://www.iss.net
> > ===============================
> >
> >
> > -----Original Message-----
> > From: Stephen J. Wilcox [mailto:steve at telecomplete.co.uk]
> > Sent: Wednesday, August 13, 2003 10:38 AM
> > To: Jason Frisvold
> > Cc: nanog at merit.edu
> > Subject: Re: The impending DDoS storm
> >
> >
> >
> >
> > On Wed, 13 Aug 2003, Jason Frisvold wrote:
> >
> > > All,
> > >
> > > What is everyone doing, if anything, to prevent the apparent
> > > upcoming DDoS attack against Microsoft? From what I've been reading,
> > > and what I've been told, August 16th is the apparent start date...
> > >
> > > We're looking for some solution to prevent wasting our network
> > > resources transporting this traffic, but at the same time trying to
> > > allow legitimate through...
> > >
> > > So, is anyone planning on doing anything?
> >
> > See previous discussion on filtering...
> >
> >
> > Other than that experience says if these things turn out to be big
> > enough to cause an issue then they quickly burn themselves out anyway
> >
> > Steve
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz at corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
-- Albert Einstein [1879-1955]
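The thread above describes the traffic profile the posters were seeing (raw-socket SYNs with the source spoofed inside the sender's own subnet, random source port, destination TCP/80, window size 16384) and notes that a spoofing filter scoped to the local subnet would only be partially effective. The following is an added example, not code from the thread or from any of the posters: a small offline detector that applies a subnet-scoped anti-spoof filter and then the reported header fingerprint, so you can see which packets each check actually catches. The local prefix 198.51.100.0/24, the target address 192.0.2.10 (standing in for whatever windowsupdate.com resolved to at the time) and every packet are constructed for the example.

```python
"""Added example, not from the NANOG thread: subnet-scoped anti-spoof filter
plus header fingerprint for SYNs to TCP/80 with window 16384.

Assumptions (mine, not the posters'): local subnet 198.51.100.0/24, target
192.0.2.10 stands in for the resolved update host, all packets constructed.
"""
import ipaddress
import random
import struct

LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")   # assumed customer subnet
TARGET = ipaddress.ip_address("192.0.2.10")           # assumed stand-in for windowsupdate.com
SYN = 0x02
ACK = 0x10


def build_syn(src, dst, sport, dport, window):
    """Construct IPv4 header + TCP SYN header, no payload. Checksums are left
    zero: this is test input for the parser, not something to send."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, SYN, window, 0, 0)
    return ip + tcp


def parse(pkt):
    """Return the IPv4/TCP fields the heuristics need, or None if not TCP over IPv4."""
    vihl = pkt[0]
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", pkt[ihl:ihl + 16])
    return {"src": ipaddress.ip_address(pkt[12:16]),
            "dst": ipaddress.ip_address(pkt[16:20]),
            "sport": sport, "dport": dport, "flags": flags, "window": window}


def bcp38_passes(fields):
    """Subnet-scoped anti-spoof check: only sources inside the local prefix pass.
    Sources spoofed from inside that prefix pass too, which is the thread's point."""
    return fields["src"] in LOCAL_NET


def matches_fingerprint(fields):
    """The attributes reported in the thread: pure SYN, dst TCP/80, window 16384,
    destination equal to the resolved update host."""
    return ((fields["flags"] & (SYN | ACK)) == SYN
            and fields["dport"] == 80
            and fields["window"] == 16384
            and fields["dst"] == TARGET)


def classify(packets, distinct_src_threshold=8):
    """Run both checks over a batch.

    Returns (spoof_dropped, fingerprint_hits, distinct_sources, flood):
    packets dropped by the anti-spoof check, packets matching the fingerprint
    among those that passed it, how many distinct in-subnet sources produced
    the matches, and whether that count crosses the flood threshold."""
    dropped, hits, sources = 0, 0, set()
    for pkt in packets:
        f = parse(pkt)
        if f is None:
            continue
        if not bcp38_passes(f):
            dropped += 1
            continue
        if matches_fingerprint(f):
            hits += 1
            sources.add(f["src"])
    return dropped, hits, len(sources), len(sources) >= distinct_src_threshold


def sample_packets():
    """Constructed traffic: one legitimate client (window 65535), sixteen SYNs
    spoofed from inside the subnet, three spoofed from outside it. Source ports
    are randomised with a fixed seed, mirroring the randomised-sport report."""
    rng = random.Random(2003)
    pkts = [build_syn("198.51.100.25", str(TARGET), 40001, 80, 65535)]
    for i in range(1, 17):
        pkts.append(build_syn(f"198.51.100.{i}", str(TARGET),
                              rng.randint(1024, 65535), 80, 16384))
    for i in range(1, 4):
        pkts.append(build_syn(f"10.0.0.{i}", str(TARGET),
                              rng.randint(1024, 65535), 80, 16384))
    return pkts


if __name__ == "__main__":
    dropped, hits, srcs, flood = classify(sample_packets())
    print(f"anti-spoof dropped={dropped} fingerprint hits={hits} "
          f"distinct in-subnet sources={srcs} flood={flood}")
```

On the constructed batch the anti-spoof check removes only the three out-of-subnet packets; the sixteen in-subnet spoofs sail through it and are caught only by the header fingerprint. Two caveats worth keeping in mind: a window size of 16384 is also a default on some legitimate stacks, so the fingerprint should be combined with the destination and a distinct-source or rate threshold as done here rather than used on its own, and any filter keyed on the resolved address must be revisited whenever that name resolves to something else.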