Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

Danny McPherson danny at tcb.net
Wed Jun 2 19:01:13 UTC 2004



On Jun 2, 2004, at 12:36 PM, Richard A Steenbergen wrote:
> If it walks like a duck, and it sounds like a duck, it is probably a duck.
> RFC1918 sourced space, most likely from misconfigured NATs and such,
> account for only a very small amount of the bogon-source packets which
> go splat.

But worms, OTOH, seem to be much more persistent.

> Most of the DoS attempts by volume don't fall into the category of
> questionable. When you see a 100Mbps stream (from a single ingress
> interface, with consistent TTLs) of IP proto 0 or 255, or tcp port 0, or
> classic SYN flooders (SYN w/no MSS) or stream (randomized seq# and fixed
> ack# on a packet w/TH_ACK flag only) targeting a specific IP/port with a
> source address of iph.ip_src.s_addr = random(), it is pretty easy to
> tell those apart from the usual background noise of a worm.

Sure..

> Some days it helps to actually have an operational network, instead of
> being a researcher. Even without interesting tools it isn't terribly
> hard to look at your PNI graphs, match up the hundreds-of-meg spikes with
> specific DoS incidents, and go from there. Not to point fingers at
> anyone in particular, but it seems to be the same foreign networks who
> tend to have little control over their spammers.

Heh..  I certainly don't consider myself a researcher, or an
operator (any longer) for that matter (though I do have access
to a significant amount of both research and operational data
and tend not to call a duck a goose simply because I heard
a quack :-)

-danny
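The signatures Richard lists in the quoted message (IP proto 0 or 255, tcp port 0, SYN without an MSS option, ACK-only "stream" packets with a fixed ack# and randomized seq#, all from randomized sources with consistent TTLs) translate fairly directly into flow-level detection rules. The following is an added example, not code from either poster or from any NANOG tool: it classifies a burst of packets toward one destination with those heuristics. The Packet record, the 90% thresholds, the minimum burst size and the sample bursts are all constructed assumptions for illustration, not captured traffic.

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    """Minimal per-packet view, as a flow collector might summarise it (assumed shape)."""
    src: str
    ttl: int
    proto: int            # 6 = TCP; 0 and 255 are reserved protocol numbers
    dport: int = 0
    flags: int = 0        # TCP flags; 0 for non-TCP
    seq: int = 0
    ack: int = 0
    has_mss: bool = True  # a real SYN carries an MSS option; flooders often omit it


def _mostly(items: list, pred: Callable, frac: float = 0.9) -> bool:
    """True when at least `frac` of the items satisfy pred (threshold is an assumption)."""
    return bool(items) and sum(1 for x in items if pred(x)) >= frac * len(items)


def classify(pkts: List[Packet], min_pkts: int = 50) -> str:
    """Label a burst toward one destination using the heuristics quoted in the thread."""
    if len(pkts) < min_pkts:                       # too small to call anything
        return "background"
    n = len(pkts)
    proto = Counter(p.proto for p in pkts).most_common(1)[0][0]
    ttl_consistent = len({p.ttl for p in pkts}) <= 2          # one ingress, one path
    src_random = len({p.src for p in pkts}) >= 0.9 * n         # ip_src = random()
    if proto in (0, 255) and ttl_consistent:
        return "ip-proto-%d flood" % proto
    if not _mostly(pkts, lambda p: p.proto == 6):
        return "background"
    tcp = [p for p in pkts if p.proto == 6]
    if _mostly(tcp, lambda p: p.dport == 0):
        return "tcp-port-0 flood"
    if (_mostly(tcp, lambda p: p.flags == SYN and not p.has_mss)
            and src_random and ttl_consistent):
        return "syn flood"
    acks = [p for p in tcp if p.flags == ACK]
    if (_mostly(tcp, lambda p: p.flags == ACK)
            and len({p.ack for p in acks}) == 1                 # fixed ack#
            and len({p.seq for p in acks}) >= 0.9 * len(acks)   # randomized seq#
            and src_random and ttl_consistent):
        return "stream attack"
    return "background"


# ---- constructed sample bursts (seeded, not captured traffic) ----
def _rand_ip(rng: random.Random) -> str:
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))


def syn_flood(n: int = 200, seed: int = 1) -> List[Packet]:
    rng = random.Random(seed)
    return [Packet(_rand_ip(rng), 57, 6, 80, SYN, rng.getrandbits(32), 0, has_mss=False)
            for _ in range(n)]


def stream_attack(n: int = 200, seed: int = 2) -> List[Packet]:
    rng = random.Random(seed)
    return [Packet(_rand_ip(rng), 57, 6, 443, ACK, rng.getrandbits(32), 0x1234, True)
            for _ in range(n)]


def proto_flood(n: int = 200, seed: int = 3) -> List[Packet]:
    rng = random.Random(seed)
    return [Packet(_rand_ip(rng), 57, 255) for _ in range(n)]


def normal_traffic(n: int = 200, seed: int = 4) -> List[Packet]:
    """A few real clients: SYNs with MSS, then ACKs with advancing ack numbers, varied TTLs."""
    rng = random.Random(seed)
    clients = [(_rand_ip(rng), rng.choice([52, 57, 61, 118, 249])) for _ in range(5)]
    out = []
    for i in range(n):
        src, ttl = clients[i % 5]
        if i % 20 == 0:
            out.append(Packet(src, ttl, 6, 80, SYN, rng.getrandbits(32), 0, True))
        else:
            out.append(Packet(src, ttl, 6, 80, ACK, 1000 + i, 5000 + 1460 * i, True))
    return out


if __name__ == "__main__":
    for name, burst in [("syn", syn_flood()), ("stream", stream_attack()),
                        ("proto", proto_flood()), ("normal", normal_traffic())]:
        print(name, "->", classify(burst))
```

The rules only fire on bursts that combine several of the quoted traits (randomized sources, one TTL, malformed or fixed-field TCP), which is what keeps ordinary client traffic, and the more varied chatter of a worm, out of the "attack" buckets.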
