DDoS attacks, spoofed source addresses and adjusted TTLs

Mike Tancsa mike at sentex.net
Wed Aug 3 14:24:03 UTC 2005



I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were 
coming in all 3 of my transit links from a handful of source IP addresses 
that sort of make sense in terms of the path they would take to get to 
me.  They were all large UDP packets of the form

09:08:58.981781 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 
82.165.244.204 > ta.rg.et.IP: udp (frag 47080:1480 at 1480+) (ttl 54, len 1
500)
0x0010   yyyy yyyy 4242 4242 4242 4242 4242 4242            BBBBBBBBBBBB
0x0020   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0030   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0040   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0050   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0060   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB

The TTLs all kind of make sense and are consistent (e.g. if the host is 8 
hops away, the TTL of the packet when it got to me was 56).  Yes, I know 
those could be adjusted in theory to mask multiple sources, but in practice 
has anyone seen that ? I seem to recall reading the majority of DDoS 
attacks do not come from spoofed source IP addresses.

Of the traffic snapshot I took, the break down seems to jive as well with 
the PTR records. i.e. PTR records that indicate a home broadband connection 
were less than PTR records suggesting a server in a datacentre 
somewhere.  A few of the IPs involved capturing 1000 packets on one of my 
links at the time.

  210 207.58.177.151 - server.creditprofits.com
  287 65.39.230.20 -  server4.xlservers.com
   11 67.52.82.118 - rrcs-67-52-82-118.west.biz.rr.com
  492 82.165.244.204 - u15178515.onlinehome-server.com

It was pretty short lived as well -- about 8 min total.


         ---Mike




--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike




More information about the NANOG mailing list