|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Denial of service attacks apparently from UUNET Netblocks
On Tue, Oct 07, 1997 at 09:30:01AM -0500, Joe Shaw wrote: > On Tue, 7 Oct 1997, Karl Denninger wrote: > > > No. This was a transmission of 1K packets and was not in the style of any > > previously-seen attack that I'm aware of. Its a new thing. > > > > There was no attempt to SYN flood, or hit broadcast addresses, or use > > source-routing. All of that is protected against fairly well here. This > > was a simple "the machines are on a 10Mbps pipe, so hit them with 30Mbps of > > traffic and flood their NIC ports to the point that they're useless". > > That's exactly what we saw here as well, except we did see some broadcast > traffic. They hit us with so much traffic that our 10Mbps link was > useless. The offending sites I got were 192.195.100.1, 128.132.45.105, > 167.152.96.78, but according to the customer they believe those to be > forged. I'm almost certain that at least some of these sites had to be > used, as the source routed traffic should have been stopped at the router. > This did stop the traffic from coming through, but it didn't stop it from > killing the link once it got here. > > Joe Shaw - [email protected] > NetAdmin - Insync Internet Services Our core doesn't pass source-routed traffic at all, nor will it forward traffic destined for a MAC-layer broadcast address anywhere on our core. This doesn't make it impossible to forge packets and play games, but it sure makes it more difficult. If you have the cooperation of those you interconnect with during an attack with this configuration, it makes it rather easy to find the source of the packets, assuming that they continue for some period of time. I can think of only one way to do this which wouldn't involve sourcing the streams from the indicated machines *and* generate the kind of volume we saw. I won't go into it here, because it would be trivial to do, and it might be what actually happened. But if it *IS* then I'm even more pissed off, because that points to severe and unconscionable misconfiguration of hardware within UUNET's core. If *that* is the case then we're going to block all packets eminating from address range(s) implicated in this kind of attack, now or in the future, until the guilty parties fix their configurations. -- -- Karl Denninger ([email protected])| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | NEW! K56Flex modem support is now available Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines! Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
|