anycast and ddos

Hank Nussbacher hank at mail.iucc.ac.il
Sun May 8 09:53:29 UTC 2005


At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote:

I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May 
1-7) and could not find any listed for 216.168.229.0/24, worldnic.com, 
netsol.com or AS6245.

-Hank



>worldnic.com.           86400   IN      NS      ns1.netsol.com.
>worldnic.com.           86400   IN      NS      ns2.netsol.com.
>worldnic.com.           86400   IN      NS      ns3.netsol.com.
>
>;; ADDITIONAL SECTION:
>ns1.netsol.com.         86400   IN      A       216.168.229.228
>ns2.netsol.com.         86400   IN      A       216.168.229.229
>ns3.netsol.com.         86400   IN      A       216.168.229.229
>
>why have 3 records and 2 ips? odd. You'd think they would have more ips in
>that /21 or other /24's to allocate from, just in case they had to
>jettison 1 address which was getting pounded :( (not that these were
>getting attacked per se, but still)
>
> > [0] - as it seems that the ddos sources were ip address
> >       spoofed (which is why the service still worked for
> >       tcp), i owe paul an apology for downplaying the
> >       immediacy of the need for source address filtering.
> >
>
>It's also not clear that the sources were spoofed, if as Patrick says they
>put in a riverhead(s) (which isn't too far fetched) the normal mode for
>'protection' of DNS is to:
>1) truncate
>2) rate-limit - and cache (I think it caches at least, I know it will go
>into proxy mode and rate-limit)
>
>truncate forces TCP which allows RHG to verify the source address is
>really asking to chat, rate-limit function keeps 'bad actors' from
>beating the hell out of the protected resource.
>
>So, without more info from NetSol (seems not to be forthcoming?) about the
>mix of attack traffic (which the RHG will provide) it's hard to state
>definitively that the attack was 'mostly spoofed' :(
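The two protection steps quoted above (answer UDP queries with the TC bit so the client must retry over TCP, and rate-limit per source) are shown below as an added, self-contained Python sketch. It is not code from the thread and does not reproduce any Riverhead product; it assumes a single-question query with no name compression (normal for queries), uses a constructed sample query for worldnic.com, and the helper names (`build_query`, `truncated_response`, `SourceRateLimiter`, `handle_udp`, `tcp_frame`) are this example's own.

```python
import struct
import time

# Constructed sample query builder (hypothetical helper, not from the thread):
# standard header with RD set, one question, no EDNS.
def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def question_length(msg: bytes) -> int:
    """Length of the single question section starting at offset 12.
    Assumes plain labels (no compression pointers), as in normal queries."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4 - 12          # terminating zero + QTYPE + QCLASS


def truncated_response(query: bytes) -> bytes:
    """Minimal reply with QR=1 and TC=1 and no answer records.
    A real resolver sees TC and retries the same question over TCP,
    which a spoofed source cannot complete (no 3-way handshake)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("example handles exactly one question")
    # keep opcode (bits 11-14) and RD; set QR and TC; RCODE NOERROR
    rflags = 0x8000 | (flags & 0x7800) | 0x0200 | (flags & 0x0100)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:12 + question_length(query)]


def is_truncated(resp: bytes) -> bool:
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035)."""
    return struct.pack("!H", len(msg)) + msg


class SourceRateLimiter:
    """Token bucket per source address: `rate` tokens/s, up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}            # src -> (tokens, last_timestamp)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def handle_udp(query: bytes, src: str, limiter: SourceRateLimiter,
               now: float = None):
    """Front-end behaviour for a UDP query: drop if the source is over
    its budget, otherwise force the client onto TCP with a TC reply."""
    now = time.time() if now is None else now
    if not limiter.allow(src, now):
        return None                  # silently dropped
    return truncated_response(query)


if __name__ == "__main__":
    q = build_query("worldnic.com.")
    lim = SourceRateLimiter(rate=2.0, burst=3)
    for n in range(5):
        r = handle_udp(q, "192.0.2.10", lim, now=0.0)   # constructed source
        print(n, "dropped" if r is None else f"TC reply, {len(r)} bytes")
```

The UDP path never returns real answers, so an attacker spoofing sources gains nothing: every reflected packet is a short TC reply, and only a source that completes the TCP handshake can ask again. The rate limiter is keyed by source, which is why it helps against "bad actors" but not against spoofed floods by itself.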




More information about the NANOG mailing list