North American Network Operators Group

RE: The impending DDoS storm
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
> More info:
>
> -Opens a raw socket and spoofs its source address

It *appears* to us through current testing that the source address
spoofed is always within the class of the current subnet... So, a
spoofing filter that denies all but the local subnet may only be
partially effective..

> -Randomizes its source port, but destination is always TCP/80
> -Does one DNS lookup on "windowsupdate.com" and then uses the IP
> returned
> -The window size is always 16384 (this might be useful)

It also looks like there is no throttling at all.. it abuses as much
bandwidth as it possibly can...

>
> Regards,
> ===============================
> Daniel Ingevaldson
> Engineering Manager, X-Force R&D
> [email protected]
> 404-236-3160
>
> Internet Security Systems, Inc.
> The Power to Protect
> http://www.iss.net
> ===============================
>
>
> -----Original Message-----
> From: Jason Frisvold [mailto:[email protected]]
> Sent: Wednesday, August 13, 2003 10:50 AM
> To: Ingevaldson, Dan (ISS Atlanta)
> Cc: Stephen J. Wilcox; [email protected]
> Subject: RE: The impending DDoS storm
>
>
> On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
> > It might be somewhat tricky to block TCP/80 going to
> > windowsupdate.com.
>
> I agree... but then, who needs updates anyways.. *grin*
>
> > Regards,
> > ===============================
> > Daniel Ingevaldson
> > Engineering Manager, X-Force R&D
> > [email protected]
> > 404-236-3160
> >
> > Internet Security Systems, Inc.
> > The Power to Protect
> > http://www.iss.net
> > ===============================
> >
> >
> > -----Original Message-----
> > From: Stephen J. Wilcox [mailto:[email protected]]
> > Sent: Wednesday, August 13, 2003 10:38 AM
> > To: Jason Frisvold
> > Cc: [email protected]
> > Subject: Re: The impending DDoS storm
> >
> >
> > On Wed, 13 Aug 2003, Jason Frisvold wrote:
> >
> > > All,
> > >
> > > What is everyone doing, if anything, to prevent the apparent
> > > upcoming DDoS attack against Microsoft? From what I've been
> > > reading, and what I've been told, August 16th is the apparent
> > > start date...
> > >
> > > We're looking for some solution to prevent wasting our network
> > > resources transporting this traffic, but at the same time trying to
> > > allow legitimate through...
> > >
> > > So, is anyone planning on doing anything?
> >
> > See previous discussion on filtering...
> >
> >
> > Other than that experience says if these things turn out to be big
> > enough to cause an issue then they quickly burn themselves out anyway
> >
> > Steve

--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
[email protected]
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]
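
Added example, not part of the original thread and not written by any of its participants: a Python sketch that matches the traits reported above (destination TCP/80, window size 16384, source spoofed inside the local subnet) per access port, and shows that a filter allowing only local-subnet sources still passes this traffic. The per-port packet records, field names, interface labels, addresses and the threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Traits reported in the thread: destination always TCP/80, window always 16384.
FLOOD_DPORT = 80
FLOOD_WINDOW = 16384

def passes_subnet_filter(src, local_net):
    """Spoofing filter from the thread: deny all but local-subnet sources."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(local_net)

def matches_traits(pkt, target_ips):
    """True when a packet has the port, window and destination described."""
    return (pkt["dport"] == FLOOD_DPORT and pkt["window"] == FLOOD_WINDOW
            and pkt["dst"] in target_ips)

def suspect_ports(packets, local_net, target_ips, min_sources=3):
    """Return {ingress port: distinct source count} for access ports whose
    matching traffic uses min_sources or more different in-subnet sources.
    One access port presenting many source addresses is the spoofing signal
    that survives the subnet filter."""
    sources = defaultdict(set)
    for pkt in packets:
        if not passes_subnet_filter(pkt["src"], local_net):
            continue  # already dropped by the anti-spoofing filter
        if matches_traits(pkt, target_ips):
            sources[pkt["ingress"]].add(pkt["src"])
    return {p: len(s) for p, s in sources.items() if len(s) >= min_sources}

# Constructed sample records, not captured traffic. 192.0.2.0/24 stands in for
# the local subnet and 198.51.100.10 for the address windowsupdate.com resolved
# to; both are documentation ranges. "ingress" is a hypothetical port label.
LOCAL_NET = "192.0.2.0/24"
TARGETS = {"198.51.100.10"}

def rec(ingress, src, window):
    return {"ingress": ingress, "src": src, "dst": "198.51.100.10",
            "dport": 80, "window": window}

SAMPLE = [
    rec("Fa0/1", "192.0.2.17", 16384),   # spoofed, but inside the subnet
    rec("Fa0/1", "192.0.2.93", 16384),
    rec("Fa0/1", "192.0.2.201", 16384),
    rec("Fa0/1", "192.0.2.5", 16384),
    rec("Fa0/1", "10.9.9.9", 16384),     # outside the subnet: filter drops it
    rec("Fa0/2", "192.0.2.50", 65535),   # ordinary client, different window
    rec("Fa0/2", "192.0.2.50", 16384),   # same window by chance, one source
]

if __name__ == "__main__":
    print(suspect_ports(SAMPLE, LOCAL_NET, TARGETS))
```
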