[Tier1 ISP]: Vulnerable to a new DDoS amplification attack
la at qrator.net
Thu Dec 22 17:09:15 UTC 2016
Default route loop, that's definitely new ;)
Protip: always do prior works research.
On Thu, Dec 22, 2016 at 7:56 PM, Tom Beecher <beecher at beecher.cc> wrote:
> Jean sent me details. I won't share the link or password to it based on his
> request, but he hasn't found anything new, and it's not even amplification
> at all.
> What he did was send 1500 byte ICMP packets with a max TTL at an IP address
> that is not reachable due to a routing loop. No amplification is occurring;
> it's just the same packets hanging around longer looking for free food
> because of the TTL.
> I think he _assumed_ amplification was happening because link utilization
> between his lab routers doing the looping was increasing. Totally expected
> when you're using --flood and in a lab environment where the TTL entering
> the loop is still above 250. :)
> On Thu, Dec 22, 2016 at 11:48 AM, William Herrin <bill at herrin.us> wrote:
> > On Thu, Dec 22, 2016 at 11:04 AM, Ken Chase <math at sizone.org> wrote:
> > > Maybe he's found what's already known and posted 2 months ago (and 2 months?)
> > > on nanog, the TCP 98,000x amplifier (which is a little higher than 100x), among
> > > dozens of misbehaving devices, all >200x amp.
> > >
> > > https://www.usenix.org/system/files/conference/woot14/
> > Hi Ken,
> > He said, "There is no need for spoofing " so it wouldn't be that one.
> > Jean,
> > Respectfully: you're not well known to us as having identified earth
> > shattering vulnerabilities in the past. We hear about utterly
> > unimportant "priority one" events every single day, so without enough
> > information to assess whether what you're looking at is something new,
> > important or even possible within our various architectures, few of us
> > will be inclined to take you seriously.
> > We're all too familiar with the consequence of giving credence to
> > people who say "believe me" instead of offering verifiable fact.
> > I respect that you're trying to help, but "I have something important
> > to tell you, please contact me off list" is not the way to do that.
> > And if it turns out we should have listened and kept this secret as
> > long as possible, well, that's on us. ;)
> > Regards,
> > Bill Herrin
> > --
> > William Herrin ................ herrin at dirtside.com bill at herrin.us
> > Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
CEO | Qrator Labs <http://qrator.net/>
office: 8-800-3333-LAB (522)
mailto: la at qrator.net