North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NANOG meeting subject of attack? Hmmmm....

  • From: Hank Nussbacher
  • Date: Thu Feb 10 03:49:16 2000 
At 20:21 09/02/00 -0500, Travis Pugh wrote:

Interesting and may have nothing to do with it, but:

http://moat.nlanr.net/TopThroughput/

Starting at 2/2/2000, I have seen the top 100 Internet-2 flows to be
significantly higher than a month ago.

I would also look at vBNS:

http://www.vbns.net/stats/flows/data/results/hibw/

Feel free to do the analysis and see if anything of interest turns up.

Regards,
Hank

>
>
>On the subject of cooperation, has anyone set out to catalog where these
>attacks are coming from, at least in terms of compromised networks,  and
>share said information?  I know similar catalogs sprang up in response to
>smurfs ... is it time to start listing offending networks?  Even better,
>does anyone know if the attacks are using something like TFN2K and using
>dummy  addresses to obfuscate real attacking hosts?
>
>I see a lot of talk of attacked sites putting up router filters to
>stop attacks.  Can anyone who knows let the rest of us in on what was
>filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP, 
>SYN floods, or what?  If this is a DDoS, the attack could probably be
>fingerprinted  ... this would be very useful information if we are going
>to see more tomorrow.  Do we know if the source addys are spoofed, and if
>an attacker could turn off spoofing, revealing the source of the traffic
>but getting around some filtering?
>
>I am making the assumption that the last three days' attacks  were caused
>by the same person or persons.  But the intent is the same regardless
>... we can all go back and forth on NANOG about what might be happening,
>and wait for the feds to chase down the attacker(s), or people who have
>been attacked or might be attacked can compare notes and try to get an
>idea of where the attacks are coming from and exactly what they are.
>
>Any relevant info would be appreciated.  Nobody knows who is next.
>
>-travis
>
>
>On Wed, 9 Feb 2000, Joe Shaw wrote:
>
>> 
>> 
>> Make it a law, and they will.  But I don't think laws are the answer
>> to cooperation.  The Tier1's should take the time to work together on
>> their own before they are forced to in a way they may not like.
>> 
>> --
>> Joseph W. Shaw - [email protected]    
>> Computer Security Consultant and Programmer
>> Free UNIX advocate - "I hack, therefore I am."
>> 
>> On Wed, 9 Feb 2000, Henry R. Linneweh wrote:
>> 
>> > they should be made to co-operate with the backbone provider and not have
>> > much choice in the matter.
>> 
>> 
>> 
>
>
>