[Tier1 ISP]: Vulnerable to a new DDoS amplification attack

Tom Beecher beecher at beecher.cc
Thu Dec 22 16:56:34 UTC 2016

Jean sent me details. I won't share the link or password to it based on his
request, but he hasn't found anything new, and it's not even amplification
at all.

What he did was send 1500 byte ICMP packets with a max TTL at an IP address
that is not reachable due to a routing loop. No amplification is occurring;
it's just the same packets hanging around longer looking for free food
because of the TTL.

I think he _assumed_ amplification was happening because link utilization
between his lab routers doing the looping was increasing. Totally expected
when you're using --flood and in a lab environment where the TTL entering
the loop is still above 250. :)

On Thu, Dec 22, 2016 at 11:48 AM, William Herrin <bill at herrin.us> wrote:

> On Thu, Dec 22, 2016 at 11:04 AM, Ken Chase <math at sizone.org> wrote:
> > Maybe he's found what's already known and posted 2 months ago (and every
> > 2 months?) on nanog, the TCP 98,000x amplifier (which is a little higher than
> > 100x), among dozens of misbehaving devices, all >200x amp.
> >
> > https://www.usenix.org/system/files/conference/woot14/woot14-kuhrer.pdf
> Hi Ken,
> He said, "There is no need for spoofing " so it wouldn't be that one.
> Jean,
> Respectfully: you're not well known to us as having identified earth
> shattering vulnerabilities in the past. We hear about utterly
> unimportant "priority one" events every single day, so without enough
> information to assess whether what you're looking at is something new,
> important or even possible within our various architectures, few of us
> will be inclined to take you seriously.
> We're all too familiar with the consequence of giving credence to
> people who say "believe me" instead of offering verifiable fact.
> I respect that you're trying to help, but "I have something important
> to tell you, please contact me off list" is not the way to do that.
> And if it turns out we should have listened and kept this secret as
> long as possible, well, that's on us. ;)
> Regards,
> Bill Herrin
> --
> William Herrin ................ herrin at dirtside.com  bill at herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>

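To illustrate Tom's point about loops versus amplification, here is an added toy forwarding simulator (not code from the thread or from anyone in it): packets sent into a two-router loop are carried over the same links up to TTL times, so link utilisation climbs, while the only traffic that ever comes back to the sender is one small ICMP Time Exceeded per packet. The topology, packet sizes and hop counts are constructed for the example.

```python
# Added illustration (not code from the thread): a toy forwarding simulator
# that shows why traffic sent into a routing loop raises link utilisation
# without any amplification. Topology, sizes and hop counts are constructed.
from collections import Counter

# Static next-hop table for one destination. R2 and R3 point at each
# other, so anything R1 hands to R2 circles until its TTL runs out.
NEXT_HOP = {"R1": "R2", "R2": "R3", "R3": "R2"}

# Bytes of the ICMP Time Exceeded a router sends back when it drops the
# packet: IP header + 8-byte ICMP header + original IP header + 8 bytes.
ICMP_TIME_EXCEEDED_BYTES = 20 + 8 + 20 + 8

def forward(first_hop, ttl, size, link_bytes):
    """Forward one `size`-byte packet starting at `first_hop`.

    Each router decrements TTL on receipt; at zero it drops the packet and
    answers with one small ICMP Time Exceeded.  `link_bytes` accumulates
    the bytes carried over each directed link.  Returns the reply size."""
    node = first_hop
    while True:
        ttl -= 1
        if ttl == 0:
            return ICMP_TIME_EXCEEDED_BYTES
        nxt = NEXT_HOP.get(node)
        if nxt is None:
            return 0  # destination reached or no route: no reply modelled
        link_bytes[(node, nxt)] += size
        node = nxt

def simulate(n_packets, size=1500, ttl=255):
    """Send n_packets into the loop; report per-link load and the true
    amplification factor (bytes returned to sender / bytes sent)."""
    link_bytes = Counter()
    reply_bytes = sum(forward("R1", ttl, size, link_bytes) for _ in range(n_packets))
    sent = n_packets * size
    return {
        "link_bytes": dict(link_bytes),
        "per_link_multiplier": {l: b / sent for l, b in link_bytes.items()},
        "amplification": reply_bytes / sent,
    }

if __name__ == "__main__":
    r = simulate(1000)
    for link, mult in r["per_link_multiplier"].items():
        print(f"{link[0]}->{link[1]}: {mult:.0f}x the injected bytes")
    print(f"amplification factor: {r['amplification']:.3f}")  # well below 1
```

With TTL 255 the R2/R3 links each carry the injected bytes about 127 times over, which is exactly the rising lab link utilisation described above, yet the amplification factor (reply bytes over request bytes) stays far below 1.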