North American Network Operators Group

RE: dsl providers that will route /24
--
Jason Slagle - CCNP - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- [email protected] - [email protected] - WHOIS JS10172
 /"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 \ /  ASCII Ribbon Campaign    . If dreams are like movies then memories
  X   - NO HTML/RTF in e-mail  . are films about ghosts..
 / \  - NO Word docs in e-mail . - Adam Duritz - Counting Crows

On Thu, 29 Mar 2001, David Schwartz wrote:

> They could do almost exactly the same amount of damage with an unspoofed
> UDP flood and it would still take a human action to stop it. The attack can
> still hop from victim to victim until the problem is stopped at its source.
> The problem still won't get stopped at its source until someone with the
> ability to stop it is summoned and alerted to the problem.
>
> Odds are, an attacker will use spoofed packets if he can. Potentially
> spoofed packets will trigger an investigation on my network. An unspoofed
> UDP flood probably won't (especially if it hops from victim to victim).
>
> So if the attacker uses spoofed packets, he may get cut off at the source
> (and the problem actually solved) sooner. On the other hand, unspoofed
> packets will probably trigger a call to the administration of the source
> network faster. Of course, you don't know that attack is unspoofed, so you
> really can't be sure what the source is.

I can argue the converse of this. Unless the attacker is spoofing a static source, I can usually spot a potentially unspoofed attack. Even if he IS using a static spoofed source, it only costs me a little bit to call and see if the packets are indeed coming from the machine in question.

If I'm being attacked hard, chances are, I will notice it before you examine your logs, unless like I said you have someone monitoring them 24 hours a day. I will then try to wake up a live body on your end to investigate.

If the packets are spoofed, I have to wait for you to examine your logs to potentially stop it, or attempt to get an upstream to do a traceback, which is a long, drawn-out process.

Personally, I prefer to leave the ability to determine the likely source of a non-random attack in my hands, not waiting for you to view your logs. And nothing says I CAN'T log if I deny spoofed packets, therefore catching them when they try spoofed packets before realizing they won't work.

Jason
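The two points argued in this reply, as an added example that is not part of the original message: a source network that denies out-of-prefix packets can still log each denial, and a victim can tell one static source from scattered ones. The prefix, interface name, threshold and packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed values: RFC 5737 documentation prefix, hypothetical interface name.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")
SPOOFED = ["198.51.100.7", "198.51.100.201", "10.9.8.7", "172.16.4.4"]
SAMPLE = [{"src": s, "dst": "203.0.113.80", "in_if": "dsl0"} for s in SPOOFED]
SAMPLE += [{"src": "192.0.2.10", "dst": "203.0.113.80", "in_if": "dsl0"}] * 6


def egress_filter(packets, allowed=CUSTOMER_PREFIX):
    """Source side: forward in-prefix sources, deny AND log everything else."""
    forwarded, denied_log = [], []
    for pkt in packets:
        if ipaddress.ip_address(pkt["src"]) in allowed:
            forwarded.append(pkt)
        else:
            # The log line ties the spoof attempt to the customer-facing port,
            # which is what lets the source network find the machine.
            denied_log.append(
                f"DENY src={pkt['src']} dst={pkt['dst']} in_if={pkt['in_if']}"
            )
    return forwarded, denied_log


def classify_flood(sources, min_share=0.8):
    """Victim side: one dominant source is 'static' (worth a phone call to
    that network); scattered sources suggest random spoofing."""
    top_src, top_n = Counter(sources).most_common(1)[0]
    if top_n / len(sources) >= min_share:
        return ("static", top_src)
    return ("random", None)


if __name__ == "__main__":
    forwarded, denied_log = egress_filter(SAMPLE)
    for line in denied_log:
        print(line)
    print("victim sees:", classify_flood([p["src"] for p in forwarded]))
    print("without filter, spoofed phase:", classify_flood(SPOOFED))
```
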