[Tier1 ISP]: Vulnerable to a new DDoS amplification attack

Alexander Lyamin la at qrator.net
Thu Dec 22 17:09:15 UTC 2016


Whoa.

Default route loop, thats definitely new ;)

Protip:   always do prior works research.

On Thu, Dec 22, 2016 at 7:56 PM, Tom Beecher <beecher at beecher.cc> wrote:

> Jean sent me details. I won't share the link or password to it based on his
> request, but he hasn't found anything new, and it's not even amplification
> at all.
>
> What he did was send 1500 byte ICMP packets with a max TTL at an IP address
> that is not reachable due to a routing loop. No amplification is occurring
> ; it's just the same packets hanging around longer looking for free food
> because of the TTL.
>
> I think he _assumed_ amplification was happening because link utilization
> between his lab routers doing the looping was increasing. Totally expected
> when you're using --flood and in a lab environment where the TTL entering
> the loop is still above 250. :)
>
> On Thu, Dec 22, 2016 at 11:48 AM, William Herrin <bill at herrin.us> wrote:
>
> > On Thu, Dec 22, 2016 at 11:04 AM, Ken Chase <math at sizone.org> wrote:
> > > Maybe he's found what's already known and posted 2 months ago (and
> every
> > 2 months?)
> > > on nanog, the TCP 98,000x amplifier (which is a little higher than
> > 100x), among
> > > dozens of misbehaving devices, all >200x amp.
> > >
> > >  https://www.usenix.org/system/files/conference/woot14/
> woot14-kuhrer.pdf
> >
> > Hi Ken,
> >
> > He said, "There is no need for spoofing " so it wouldn't be that one.
> >
> >
> > Jean,
> >
> > Respectfully: you're not well known to us as having identified earth
> > shattering vulnerabilities in the past. We hear about utterly
> > unimportant "priority one" events every single day, so without enough
> > information to assess whether you're looking at is something new,
> > important or even possible within our various architectures, few of us
> > will be inclined to take you seriously.
> >
> > We're all too familiar with the consequence of giving credence to
> > people who say "believe me" instead of offering verifiable fact.
> >
> > I respect that you're trying to help, but "I have something important
> > to tell you, please contact me off list" is not the way to do that.
> >
> > And if it turns out we should have listened and kept this secret as
> > long as possible, well, that's on us. ;)
> >
> > Regards,
> > Bill Herrin
> >
> >
> >
> > --
> > William Herrin ................ herrin at dirtside.com  bill at herrin.us
> > Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
> >
>



-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800-3333-LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  la at qrator.net


More information about the NANOG mailing list