North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: DOS Attacks and reliable network contact data.

  • From: rdobbins
  • Date: Sun Oct 22 13:06:10 2000

That's why MPLS is such a Good Thing - attacks which would cripple
72xx-series & 75xx-series routers can actually be handled without flinching,
as the CPU overhead is reduced tremendously by making use of the switch's
muscle and efficiency.

One of my customers was getting DoSed all the time; his router (7206,
NPE-150) was seeing 75%-100% CPU utilization during these times (average was
50%).  We took that 7206 and used it as the MLS-RP for a Catalyst 5509 he
had lying around (Sup-III, NFFC II), and now he just hums along when they
try and zorch his router.  An attack which would max him out at 100% before
now drives his CPU to perhaps 25%.

His -average- CPU load went down from the aforementioned 50% to 5%, all
without changing the router in any way other than turning it into the
layer-3 engine for the switch.  A pretty decent solution, for having been
put together from existing equipment.

-----------------------------------------------------------
Roland Dobbins <[email protected]> // 818.535.5024 voice 

-----Original Message-----
From: Basil Kruglov [mailto:[email protected]]
Sent: Saturday, October 21, 2000 4:05 PM
To: [email protected]
Subject: Re: DOS Attacks and reliable network contact data.



On Sat, Oct 21, 2000 at 05:14:53PM -0400, Jason Slagle wrote:

> 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
> 22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack
> 2473479669 win 0
> 22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack
> 529389642 win 0
> 22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127
> win 9112 (DF)
> 22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack
> 1362286194 win 0

We do get this sort of crap daily at least 5 times a day, distributed
tcp/ack, tcp/syn, etc, over 40-50Kpps+ sometimes.. my list of over ~230
slave networks (in /24 format). Kids are after taking CPUs in routers
out and not killing you with hundrends and hundreeds of Mbps, 
high-pps attacks are also very nasty, and of course everything 
is over some stupid IRC issue.

> Their exists no reliable way to get the contact of a network without first
> querying arin, then apnic, then the .jp registry for instance.  This is a
> royal PITA and is in no way scriptable that I can see.

What is neat is all those 'slaves' are spoofing inside their own /24
or whatever allocation they sit in, and it's very hard to persuade somebody
to look into this as they claim those ip addresses are not in use or
have only routers/switches and there is no way those devices could've 
generated a [d]DoS attack.

--
Basil Kruglov [BK252-ARIN]
Network Engineering and Security
CIFNet, Inc.