North American Network Operators Group


Re: New Denial of Service Attack on Panix

  • From: Paul A Vixie
  • Date: Mon Sep 16 21:47:44 1996

> The SYN flood coming towards my host X looks like this, at approximately
> 2,000 PPS:
> 
> 182.58.239.2.1526     -> 172.30.15.5.80  TCP SYN
> 19.23.212.4.10294     -> 172.30.15.5.80  TCP SYN       
> 93.29.233.68.4355     -> 172.30.15.5.80  TCP SYN
> [... on and on ...]
> 
> Tell me how to filter this.

I don't think you can, there's no pattern.  You could rotate your server
address using a very short DNS TTL, though the attacker can follow the
changes using DNS so this isn't all that useful even if it would be fun.

The filtering has to be done at the leaf that's sending you this.  If a
provider knows they have only delegated address space PREFIX/LEN to some
downstream provider, then they can put a source address filter on all
traffic coming up the link such that if the source isn't in the delegated
block, the packet is dropped.

There are three reasons why this isn't practical either:

	(1) the number of such leaf points is very, very high;

	(2) the intelligence required to do the filtering is somewhat rare;

	(3) complete and correct coverage is the only way to stop this.

Therefore we are focusing on a more reactive strategy, which is to find a
way to trace these back to the source, and then effect countermeasures.
The leaf provider who's allowing these in probably does not know they are
being used in this way, and they are probably not within the sound of my
voice.

If Cisco routers had TCPDUMP capability this would be a lot simpler.  If
all the routers in the universe had TCPDUMP, and all the router operators
had each other's phone numbers, we could track this to the source in less
than five minutes.  Alas, the misfit teenagers of the underworld have
caught us without any of the tools we need to be able to track this down.

Damned clever.  Now I guess we'll all switch to X.25 after all.  We were
so close, too.  Rats.
- - - - - - - - - - - - - - - - -
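
The source address filter described in the message above, modelled as an added example that is not part of the original post: a leaf provider drops any packet arriving up a customer link whose source is outside the block delegated down that link. The link name `customer-link-1` and the delegated block `192.0.2.0/24` are assumptions standing in for the message's PREFIX/LEN; the sample packets are constructed from the three sources quoted in the message plus one in-block source.

```python
import ipaddress

# Assumption: a single customer link with one delegated block (constructed values).
DELEGATED = {
    "customer-link-1": [ipaddress.ip_network("192.0.2.0/24")],
}


def permit(link, src):
    """True only if src parses and lies inside a block delegated down this link."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: drop
    # A link with no delegation record permits nothing (fail closed).
    return any(addr in net for net in DELEGATED.get(link, []))


def filter_uplink(link, packets):
    """Split (src, dst) packets coming up a customer link into forwarded and dropped."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permit(link, src) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed sample: the three flood sources quoted in the message, plus one
# packet whose source really is inside the delegated block.
SAMPLE = [
    ("182.58.239.2", "172.30.15.5"),
    ("19.23.212.4", "172.30.15.5"),
    ("93.29.233.68", "172.30.15.5"),
    ("192.0.2.77", "172.30.15.5"),
]

if __name__ == "__main__":
    fwd, drop = filter_uplink("customer-link-1", SAMPLE)
    for src, dst in drop:
        print(f"DROP    {src} -> {dst} (source not in delegated block)")
    for src, dst in fwd:
        print(f"FORWARD {src} -> {dst}")
```

The victim at 172.30.15.5 cannot apply this check, because it has no delegation table for the senders; only the link where the packets enter can tell a forged source from a real one.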