DDoS attacks, spoofed source addresses and adjusted TTLs
Mike Tancsa
mike at sentex.net
Wed Aug 3 14:24:03 UTC 2005
I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were
coming in all 3 of my transit links from a handful of source IP addresses
that sort of make sense in terms of the path they would take to get to
me. They were all large UDP packets of the form
09:08:58.981781 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514:
82.165.244.204 > ta.rg.et.IP: udp (frag 47080:1480 at 1480+) (ttl 54, len 1500)
0x0010 yyyy yyyy 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBB
0x0020 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB
0x0030 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB
0x0040 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB
0x0050 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB
0x0060 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB
The TTLs all kind of make sense and are consistent (e.g. if the host is 8
hops away, the TTL of the packet when it got to me was 56). Yes, I know
those could be adjusted in theory to mask multiple sources, but in practice
has anyone seen that? I seem to recall reading that the majority of DDoS
attacks do not come from spoofed source IP addresses.
Of the traffic snapshot I took, the breakdown seems to jibe as well with
the PTR records, i.e. PTR records that indicate a home broadband connection
were fewer than PTR records suggesting a server in a datacentre
somewhere. A few of the IPs involved, from a capture of 1000 packets on one
of my links at the time:
210 207.58.177.151 - server.creditprofits.com
287 65.39.230.20 - server4.xlservers.com
11 67.52.82.118 - rrcs-67-52-82-118.west.biz.rr.com
492 82.165.244.204 - u15178515.onlinehome-server.com
It was pretty short-lived as well -- about 8 min total.
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
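As an added example (not part of Mike's post), the TTL-consistency check he describes, written up as a small Python triage script: it parses tcpdump lines in the format shown above, counts packets and bytes per source, infers a hop count from each observed TTL by assuming the nearest common initial TTL (64, 128 or 255), and flags sources whose TTLs vary within the capture or whose inferred distance disagrees with a traceroute-measured path. The capture lines, the addresses (documentation ranges) and the expected hop counts are all constructed for the example; the initial-TTL table is an assumption about sender operating systems, not something the post states.

```python
"""Triage helper for a UDP flood: per-source counts and TTL sanity checks.

Constructed example; the capture lines below are made up in the tcpdump
format quoted in the post, using documentation-range addresses.
"""
import re
from collections import defaultdict

# Matches the tcpdump line shape from the post: "SRC > DST: udp ... (ttl N, len M)".
PKT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\S+): udp"
    r".*?\(ttl (?P<ttl>\d+), len (?P<len>\d+)\)"
)

# Assumption: senders start at one of these initial TTLs; the observed TTL is
# attributed to the smallest one that is not below it.
INITIAL_TTLS = (64, 128, 255)

# Constructed capture: one target, five sources, large fragmented UDP packets.
SAMPLE_CAPTURE = """\
09:08:58.981781 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 203.0.113.5 > 192.0.2.10: udp (frag 47080:1480 at 1480+) (ttl 54, len 1500)
09:08:58.981902 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 203.0.113.5 > 192.0.2.10: udp (frag 47081:1480 at 1480+) (ttl 54, len 1500)
09:08:58.982011 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 198.51.100.20 > 192.0.2.10: udp (frag 3101:1480 at 1480+) (ttl 52, len 1500)
09:08:58.982100 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 203.0.113.77 > 192.0.2.10: udp (frag 9001:1480 at 1480+) (ttl 116, len 1500)
09:08:58.982200 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 198.51.100.7 > 192.0.2.10: udp (frag 77:1480 at 1480+) (ttl 54, len 1500)
09:08:58.982300 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 198.51.100.7 > 192.0.2.10: udp (frag 78:1480 at 1480+) (ttl 61, len 1500)
09:08:58.982400 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 203.0.113.200 > 192.0.2.10: udp (frag 500:1480 at 1480+) (ttl 250, len 1500)
"""

# Constructed "traceroute" results: hops from each claimed source to us.
EXPECTED_HOPS = {
    "203.0.113.5": 10,
    "198.51.100.20": 12,
    "203.0.113.77": 12,
    "198.51.100.7": 10,
    "203.0.113.200": 18,
}


def parse_line(line):
    """Extract source, destination, TTL, length and fragment flag; None if no match."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "ttl": int(m.group("ttl")),
        "len": int(m.group("len")),
        "frag": "(frag " in line,
    }


def infer_hops(ttl):
    """Return (assumed_initial_ttl, hops) for an observed TTL, e.g. 56 -> (64, 8)."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    return None, None  # unreachable for valid IPv4 TTLs


def summarize(lines):
    """Per-source packet count, byte total and the set of TTLs seen."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "ttls": set()})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        s = stats[pkt["src"]]
        s["packets"] += 1
        s["bytes"] += pkt["len"]
        s["ttls"].add(pkt["ttl"])
    return dict(stats)


def ttl_findings(stats, expected_hops, tolerance=1):
    """Map each source to a list of reasons its TTLs look suspicious.

    A single real host normally shows one TTL for the whole capture, and the
    hop count implied by that TTL should agree with a measured path.
    """
    findings = {}
    for src, s in stats.items():
        reasons = []
        if len(s["ttls"]) > 1:
            reasons.append("multiple TTLs %s" % sorted(s["ttls"]))
        for ttl in sorted(s["ttls"]):
            _, hops = infer_hops(ttl)
            exp = expected_hops.get(src)
            if exp is not None and abs(hops - exp) > tolerance:
                reasons.append("ttl %d implies %d hops, traceroute says %d" % (ttl, hops, exp))
        findings[src] = reasons
    return findings


if __name__ == "__main__":
    stats = summarize(SAMPLE_CAPTURE.splitlines())
    flags = ttl_findings(stats, EXPECTED_HOPS)
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["packets"]):
        print("%5d pkts %8d bytes  %-15s ttls=%s  %s"
              % (s["packets"], s["bytes"], src, sorted(s["ttls"]),
                 "; ".join(flags[src]) or "consistent"))
```

In this sample the two sources with a single TTL that matches the measured path come out "consistent", the host presenting two different TTLs is flagged twice (varying TTL plus a hop-count mismatch), and the one whose TTL implies a 5-hop path against an 18-hop traceroute is flagged once. The check is only as good as the initial-TTL assumption and the path measurement, which is why it is a triage aid rather than proof of spoofing.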