DDoS attacks, spoofed source addresses and adjusted TTLs

Mike Tancsa mike at sentex.net
Wed Aug 3 21:13:22 UTC 2005


At 04:55 PM 03/08/2005, Christopher L. Morrow wrote:
> > hops away, the TTL of the packet when it got to me was 56).  Yes, I know
> > those could be adjusted in theory to mask multiple sources, but in practice
> > has anyone seen that ?
>
>what exactly was the question?

You answered it mostly-- what do people see in the real world-- plain jane 
unadulterated packets, or spoofed / manipulated ones.  Of all the attacks I 
have suffered through, they all seemed to be from legit IP addresses save 
one and that was some time ago.  However, except for 2 people in about 4 
years, I have never gotten a response from various NOC/Abuse desks as to 
whether or not the attacking IPs I identified were in fact part of the 
attack or were spoofed.

However, in the cases where I had customer PCs participating in attacks, 
there seems to be a higher percentage of random source addresses (which get 
dropped before they leave my network). Have that many networks implemented 
RPF as to make spoofed addresses moot ?

         ---Mike 




More information about the NANOG mailing list