[Fwd: Re: DNS DDoS [was: register.com down sev0?]]

virendra rode // virendra.rode at gmail.com
Thu Oct 26 21:57:07 UTC 2006


We ran into similar attacks (a couple of days back) coming from a non-spoofed
address range (being initiated from valid prefixes).

We were working (w/ a co-worker of mine) on a network attack situation (trace
process) for a 30,000 user location (serving 60 other school districts)
running BCP38 & rate-limit which got ddos'd w/ about 8mpps.
It appears that these attacks were coming from the inside, which not only
saturated devices along the way but also got amplified into several
other networks, also causing significant flaps to its peered connection.
Besides being distracted by this incredible amount of traffic flow, our
number one goal was to prevent this bleeding; thanks to the
distributed monitoring sensors (maybe we got lucky) we were able to
identify and sink-hole (null route) certain blocks (vlans) while we
worked with the network/desktop team to isolate the infected machines.
This was certainly a hair-pulling experience.

The point that I'm trying to make here is, you can have data coming from
a herd of compromised hosts (bots, self-propagating worms,
spam-relays, fake HTTP GET requests, backdoors, etc.) that can attack
a well-protected system(s), so any kind of defense mechanism
can/will get defeated.

Then again, it doesn't mean one wouldn't want to follow well practiced
prevention methods.

Just curious, any ddos vendors want to share their success stories :-)
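The message above makes a point worth seeing concretely: BCP38 ingress filtering only drops packets whose source address does not belong behind the interface they arrive on, so a compromised inside host sending with its real address sails through, and the remaining lever is to identify those sources and null-route (sinkhole) their block. The following Python is an added illustration, not code from the poster or from NANOG; the interface names, prefixes (RFC 5737 documentation ranges) and packet counts are constructed, and the flagging threshold is an arbitrary stand-in for whatever the monitoring sensors would report.

```python
"""Constructed simulation of two controls discussed in the thread:
BCP38 (RFC 2827) ingress source validation and an operator-managed
null-route (sinkhole) list. Not the poster's code; all values are made up."""
import ipaddress
from collections import Counter


class EdgeFilter:
    """Per-interface source validation plus a sinkhole list of source prefixes."""

    def __init__(self, ingress_prefixes):
        # interface name -> prefixes that may legitimately source traffic on it
        self.ingress = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in ingress_prefixes.items()
        }
        self.sinkhole = []  # prefixes the operator has null-routed

    def bcp38_allows(self, iface, src):
        """BCP38: accept only if src lies inside a prefix assigned to this interface."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ingress.get(iface, []))

    def null_route(self, prefix):
        """Sinkhole a source block (the 'certain blocks (vlans)' step in the post)."""
        self.sinkhole.append(ipaddress.ip_network(prefix))

    def is_sinkholed(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.sinkhole)

    def classify(self, iface, src):
        """Verdict for one packet: 'drop-bcp38', 'drop-sinkhole' or 'forward'."""
        if not self.bcp38_allows(iface, src):
            return "drop-bcp38"
        if self.is_sinkholed(src):
            return "drop-sinkhole"
        return "forward"

    def process(self, packets):
        """Run (iface, src) packets; return verdict counts and forwarded count per source."""
        verdicts = Counter()
        forwarded_by_src = Counter()
        for iface, src in packets:
            verdict = self.classify(iface, src)
            verdicts[verdict] += 1
            if verdict == "forward":
                forwarded_by_src[src] += 1
        return verdicts, forwarded_by_src


def top_talkers(forwarded_by_src, threshold):
    """Sources whose forwarded packet count meets the threshold (what sensors would flag)."""
    return sorted(src for src, n in forwarded_by_src.items() if n >= threshold)


def simulate():
    """Constructed scenario: spoofed traffic is stopped by BCP38, non-spoofed
    traffic from infected inside hosts is not, until their block is sinkholed."""
    edge = EdgeFilter({
        "vlan10": ["192.0.2.0/24"],
        "vlan20": ["198.51.100.0/24"],
    })
    packets = (
        # a host on vlan10 spoofing an outside source: BCP38 drops it
        [("vlan10", "203.0.113.9")] * 5
        # infected vlan10 hosts using their real addresses: BCP38 passes them
        + [("vlan10", "192.0.2.77")] * 40
        + [("vlan10", "192.0.2.80")] * 30
        # ordinary user traffic
        + [("vlan10", "192.0.2.10")] * 2
        + [("vlan20", "198.51.100.5")] * 3
    )
    before, by_src = edge.process(packets)
    flagged = top_talkers(by_src, threshold=20)  # the two infected hosts
    # operator null-routes the /26 (192.0.2.64-127) holding the flagged hosts;
    # 192.0.2.10 is outside it and keeps working
    edge.null_route("192.0.2.64/26")
    after, _ = edge.process(packets)
    return {"before": dict(before), "flagged": flagged, "after": dict(after)}


if __name__ == "__main__":
    print(simulate())
```

Before the sinkhole, only the five spoofed packets are dropped and all 75 non-spoofed packets are forwarded, which is exactly the post's complaint; after null-routing the flagged /26, the 70 packets from the infected hosts are dropped while the unrelated hosts still pass. The collateral cost of sinkholing a whole block rather than single hosts is visible in the choice of prefix size.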


-------- Original Message --------
Subject: Re: DNS DDoS [was: register.com down sev0?]
Date: Thu, 26 Oct 2006 17:32:56 +0000
From: jerry at jdixon.com
Reply-To: jerry at jdixon.com
To: Robert Boyle <robert at tellurian.com>, owner-nanog at merit.edu, Patrick
W. Gilmore <patrick at ianai.net>, Nanog <nanog at merit.edu>

The network hardware vendors do need to include the feature to support
BCP-38.  It'll help us out on a number of fronts especially with some of
the recent cyber attacks.

We're in the process of reaching out to many of the companies and many
providers to encourage the implementation of BCP-38.  We've gotten a lot
of great feedback from many of you and it's greatly appreciated.  You
know who you are :)
Especially some of the feedback related to the hardware OS issues.

-Jerry
Jerry at jdixon.com or jerry.dixon at us-cert.gov

Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: Robert Boyle <robert at tellurian.com>
Date: Thu, 26 Oct 2006 12:04:03
To: "Patrick W. Gilmore" <patrick at ianai.net>, nanog at merit.edu
Subject: Re: DNS DDoS [was: register.com down sev0?]

At 11:21 AM 10/26/2006, you wrote:
>Unfortunately, as Jared has pointed out, the equipment vendors have
>to help the operators support this.  So let's all call your favorite
>router vendor and ask them when they will have the "ip bcp38" config
>option. :)

Even better would be the option: "no ip bcp38"

Make it so a conscious action is needed to disable it, but PLEASE put
that in the release notes so when the config doesn't "change" we know
that something really did change... :)


Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
