|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Growing DoS attacks
On Wed, Jan 16, 2002 at 01:18:14PM -0500, Jared Mauch wrote: > > are you seeting these attacks be related to the lack of > anti spoofing filters? where do they tend to be originating these > days? > > i suspect that 1) smurf amps that are still not fixed, 2) > high speed connectivity at homes (cable, .. some dsl still,) are allowing > people to send spoofed packets at higher rates. > > that combined and the number of windows based servers that > have been exploited (nimda, etc..) and those can be used also to send > spoofed packets at higher rates. Our network is pretty much entirely end users. At the moment, we're seeing a non-spoofed DDoS attack that's been ongoing for several days. I've been trying to track and block, but the problem is that it seems to be many different users with infected machines and only one or two at a time are actually sending packets (SYNs at that, so not so easy to blanket filter even in the short-term) at any given time. I watched it for several hours and I would see one user send 10-50k packets then stop, then the next user, etc. In the whole time I was watching I never saw the same IP twice. I thought it could be spoofing, but as I ran pings on whichever source IP I saw I got no response, then when they stopped attacking I would start to get ping responses. I'm still at it, but as I approached 100 unique sources I realized there's probably not a lot of hope of effectively blocking it. I could filter the destination for that entire pop, but: a) I can almost guarantee I would be "administratively prohibited" from doing so, given the popularity of the site in question. b) It's a major website with gobs of bandwidth, which thus far seems entirely unaffected by the attack. I am contacting them to verify this, but every time I've checked the page comes up instantly and there's no latency to speak of in traceroutes. c) The amount of time the filter would have to stay in place is unknown (so same reason as a) basically) because of the amount of administrative hassle to track down every user and not only block them but also get them to fix it (which, without having any real idea what agent they're running, will be difficult in itself). We are still working at this, but I'm wondering whether any other DSL or cable providers out there are seeing similar. -c
|