North American Network Operators Group


DoS Attacks and reliable network contact data.

  • From: Jason Slagle
  • Date: Sat Oct 21 17:20:01 2000

I've seen an increase in DoS attacks over the past week or so, of a form I
really haven't encountered before.  Below are some logs.

22:30:52.821705 > R 0:0(0) ack 1062615418 win 0
22:30:52.821956 > R 0:0(0) ack 3046052966 win 0
22:30:52.822208 > S 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
22:30:52.822459 > R 0:0(0) ack 2473479669 win 0
22:30:52.822711 > R 0:0(0) ack 529389642 win 0
22:30:52.822962 > . ack 1625272127 win 9112 (DF)
22:30:52.823213 > R 0:0(0) ack 1362286194 win 0

Lots and lots of TCP ACKs from broadcast addresses.  Looks like a new
kind of indirect SYN/ACK flood based on broadcast addresses.

Which led me to sort through my logs and do my best to get the amps shut
down, which led me to my current problem/gripe.

There exists no reliable way to get the contact of a network without first
querying ARIN, then APNIC, then the .jp registry, for instance.  This is a
royal PITA and is in no way scriptable that I can see.

Am I wrong?  Does such a thing exist?  What can we do about these attacks?


Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- [email protected] - [email protected] - WHOIS JS10172
Version: 3.12 GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w---
O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
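Before any contact data can be looked up, the reflector ("amp") addresses have to be pulled out of the capture. The Python below is an added example, not part of Jason's post: it parses old-style tcpdump TCP summary lines (with the source and destination addresses the posted logs omitted), flags a destination that receives unsolicited RST/ACK or SYN/ACK replies above a per-second threshold, and lists the reflectors to notify. The sample capture is constructed using documentation prefixes, not real hosts.

```python
import re
from collections import defaultdict

# Old-style tcpdump TCP summary line (with the addresses the post stripped), e.g.
#   22:30:52.821705 192.0.2.255.80 > 198.51.100.7.40001: R 0:0(0) ack 1062615418 win 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+(?P<flags>[SRPF.]+)\s+(?P<rest>.*)$")

def parse_line(line):
    """Parse one summary line into a dict; return None if it is not a TCP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ack = re.search(r"\back (\d+)", m.group("rest"))
    return {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
            "flags": m.group("flags"),
            "ack": int(ack.group(1)) if ack else None}

def is_reflected_reply(pkt):
    # Unsolicited RST/ACK (win 0) and SYN/ACK are exactly the shapes in the post:
    # replies to a SYN that carried the victim's address as its source.
    return pkt is not None and pkt["ack"] is not None and pkt["flags"] in ("R", "S")

def find_reflection_flood(lines, threshold):
    """Map each destination that gets more than `threshold` reflected replies in
    a one-second bucket to its peak count and the sorted reflector addresses."""
    per_second = defaultdict(int)
    reflectors = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if not is_reflected_reply(pkt):
            continue
        per_second[(pkt["dst"], pkt["ts"])] += 1
        reflectors[pkt["dst"]].add(pkt["src"])
    flagged = {}
    for (dst, _ts), n in per_second.items():
        if n > threshold and n > flagged.get(dst, {}).get("count", 0):
            flagged[dst] = {"count": n, "reflectors": sorted(reflectors[dst])}
    return flagged

# Constructed sample (documentation prefixes); the last line is the victim's own
# outbound SYN and must not be counted as a reflected reply.
SAMPLE = """\
22:30:52.821705 192.0.2.255.80 > 198.51.100.7.40001: R 0:0(0) ack 1062615418 win 0
22:30:52.821956 203.0.113.255.80 > 198.51.100.7.40002: R 0:0(0) ack 3046052966 win 0
22:30:52.822208 192.0.2.255.25 > 198.51.100.7.40003: S 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
22:30:52.822962 198.51.100.9.22 > 198.51.100.7.40005: . ack 1625272127 win 9112 (DF)
22:30:53.100000 198.51.100.7.40006 > 192.0.2.10.80: S 5:5(0) win 8760 <mss 1460> (DF)
""".splitlines()
```

Run `find_reflection_flood(SAMPLE, 2)` to see the flagged destination with its two reflector addresses; those are the networks whose contacts need to be found.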