More on the DDoS Attack

Eric Gauthier eric at roxanne.org
Fri Sep 5 23:16:54 UTC 2003


> To those providers who have started filtering some if not all of the 
> spoofed traffic, and those have been nuking the zombied hosts.
> 
> Please accept my thanks, it seems that enough has been stopped so the 
> DNS and websites are now available again.

In case you're curious as to how most of the Universities are handling things,
this is a pretty good article:

http://www.washingtonpost.com/ac2/wp-dyn/A25845-2003Sep4?language=printer

On our campus, we've had about 11,000 systems arrive in our dorms over
the past 10 days.  When a computer plugs in, it's VLAN'ed into a private
network and the user is taken through a system registration process
(we use some spoofed DNS and webserver tricks to get them started).  During 
the registration process, we scan each computer.  If we catch something, 
we force them to run a list of patching/cleaning tools before we allow the 
system to be registered.  By Wednesday at 5pm, we'd stopped 3,400 computers 
and forced them to patch/clean.  So far, we've found only about 400 or so 
systems that squeaked by still infected with Blaster or Sobig.F, but we've 
been able to contact their owners and clean all but 68 of them; these 68 are 
now shut off the network.

I'm sure my team (the network guys) or our security team would be more
than happy to share what we've done with anyone interested; I'd imagine
that it would work very well in a cable-modem/DSL environment.  Drop me a
note off-list.

Thanks for letting me chew up your time and bandwidth...

Eric :)
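The quarantine-then-register flow described in the post (new host lands in a private VLAN, gets scanned, is forced through patch/clean tools if something is found, and is only moved to the production network once clean, with persistently infected hosts shut off) can be modelled as a small state machine. The following is an added example, not code from the post or from Eric Gauthier's campus; the `RegistrationGateway` class, the `State` names, the `max_attempts` cutoff and the per-MAC scan results are all constructed for illustration, and the scanner is a pluggable callback rather than any real scanning tool.

```python
"""Toy model of a quarantine-then-register onboarding flow (added example).

A newly seen host is placed in a quarantine VLAN, scanned, and moved to the
production VLAN only when the scan is clean. Hosts with findings are sent to
remediation and re-scanned; after `max_attempts` failures the port is shut
off. All scan results below are constructed sample data, not real output.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class State(Enum):
    QUARANTINE = "quarantine"   # private VLAN; only the registration portal is reachable
    REMEDIATE = "remediate"     # must run the patch/clean tools before a re-scan
    REGISTERED = "registered"   # moved to the production VLAN
    SHUT_OFF = "shut_off"       # port disabled after repeated failed scans


@dataclass
class Host:
    mac: str
    state: State = State.QUARANTINE
    findings: List[str] = field(default_factory=list)
    scan_attempts: int = 0


# A scanner takes a MAC and returns its findings; an empty list means clean.
Scanner = Callable[[str], List[str]]


class RegistrationGateway:
    """Drives hosts through quarantine -> scan -> (remediate) -> registered."""

    def __init__(self, scanner: Scanner, max_attempts: int = 3) -> None:
        self.scanner = scanner
        self.max_attempts = max_attempts
        self.hosts: Dict[str, Host] = {}

    def connect(self, mac: str) -> Host:
        """A host plugs in: it starts in quarantine, never on the production VLAN."""
        return self.hosts.setdefault(mac, Host(mac=mac))

    def attempt_registration(self, mac: str) -> State:
        """Scan the host once and advance its state based on the result."""
        host = self.hosts[mac]
        if host.state in (State.REGISTERED, State.SHUT_OFF):
            return host.state  # terminal states: nothing more to do
        host.scan_attempts += 1
        host.findings = self.scanner(mac)
        if not host.findings:
            host.state = State.REGISTERED
        elif host.scan_attempts >= self.max_attempts:
            host.state = State.SHUT_OFF  # owner is contacted; port stays disabled
        else:
            host.state = State.REMEDIATE  # forced to run the patch/clean tools
        return host.state

    def summary(self) -> Dict[str, int]:
        """Count hosts per state, the figures an operator would report."""
        counts = {s.value: 0 for s in State}
        for host in self.hosts.values():
            counts[host.state.value] += 1
        return counts


# Constructed sample: for each MAC, one findings list per successive scan.
SAMPLE_SCANS = {
    "00:11:22:33:44:01": [[]],                                # clean on first scan
    "00:11:22:33:44:02": [["worm signature (constructed)"], []],  # clean after remediation
    "00:11:22:33:44:03": [["worm signature (constructed)"]] * 3,  # never cleaned: shut off
}


def sample_scanner_factory(results: Dict[str, List[List[str]]]) -> Scanner:
    """Build a scanner that replays the constructed per-attempt results."""
    attempts: Dict[str, int] = {}

    def scan(mac: str) -> List[str]:
        i = attempts.get(mac, 0)
        attempts[mac] = i + 1
        series = results[mac]
        return list(series[min(i, len(series) - 1)])

    return scan


def run_demo(max_attempts: int = 3) -> RegistrationGateway:
    """Walk every sample host through the flow until it is registered or shut off."""
    gw = RegistrationGateway(sample_scanner_factory(SAMPLE_SCANS), max_attempts)
    for mac in SAMPLE_SCANS:
        gw.connect(mac)
        while gw.attempt_registration(mac) == State.REMEDIATE:
            pass  # host runs the cleaning tools, then is re-scanned
    return gw


if __name__ == "__main__":
    print(run_demo().summary())
```

The point of keeping `REGISTERED` and `SHUT_OFF` as terminal states is that a host never reaches the production VLAN without a clean scan on record, and a host that keeps failing is removed from the network rather than left cycling through remediation indefinitely.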
