North American Network Operators Group


Re: Under DDoS attack; what do I do now?

  • From: John Fraizer
  • Date: Wed Aug 30 14:44:06 2000

On Wed, 30 Aug 2000, Chris Adams wrote:

> We appear to be under a distributed denial of service attack.  We are
> receiving 7.5+ megabits per second of ICMP traffic (it looks like a
> smurf attack) from all over to a single address (one that was in our
> dialup pool).  We've taken the IP out of our pool and are routing it to
> a separate interface with a computer just set up to capture traffic.

It's a good thing this isn't an IP address from your hosting pool that
just happens to have 1000 websites associated with it, isn't it?

Phone call to Huge customer A:

"Um, ya... Your website, email, blah blah blah are ALL down because we had
to route the IP address you share with 999 other clients to a capture
device.  It seems that is under a DDoS attack.  No,
your sites are not under attack.  You're just suffering as a result of the
ARIN policy that frowns on assigning an IP address to each website and
since our company name doesn't start with "ex" or "gl" we were not given
an exception and cannot obtain IP space."

Phone call to upstream B NOC:

"Ya.  We know you're dying.  We would love to be able to reduce the
impact of this attack but, since we don't have 4000+ individual machines,
we didn't qualify for our own /20 from ARIN.  We know the attack is so
large that it has ground our network to a complete halt and is putting a
serious damper on yours.  We would love to be able to retract the /20
announcement and announce specific /24's for all but the one /24 that the
target address is in but, you know ARIN.  They're the reason you could
only assign us a /25 and static route into us.  Hey, btw: once this is
over, we'll send you some neato pictures of our NAT boxes.  They're
glowing white hot right now!"

John Fraizer
EnterZone, Inc