|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Growing DoS attacks
Has anyone tried running something like this? http://www.hackbusters.net/LaBrea/ ----- Original Message ----- From: "Clayton Fiske" <[email protected]> To: "Jared Mauch" <[email protected]> Cc: "Paul Froutan" <[email protected]>; <[email protected]> Sent: Wednesday, January 16, 2002 12:23 PM Subject: Re: Growing DoS attacks > > On Wed, Jan 16, 2002 at 01:18:14PM -0500, Jared Mauch wrote: > > > > are you seeting these attacks be related to the lack of > > anti spoofing filters? where do they tend to be originating these > > days? > > > > i suspect that 1) smurf amps that are still not fixed, 2) > > high speed connectivity at homes (cable, .. some dsl still,) are allowing > > people to send spoofed packets at higher rates. > > > > that combined and the number of windows based servers that > > have been exploited (nimda, etc..) and those can be used also to send > > spoofed packets at higher rates. > > Our network is pretty much entirely end users. At the moment, we're > seeing a non-spoofed DDoS attack that's been ongoing for several days. > I've been trying to track and block, but the problem is that it seems > to be many different users with infected machines and only one or two > at a time are actually sending packets (SYNs at that, so not so easy > to blanket filter even in the short-term) at any given time. I watched > it for several hours and I would see one user send 10-50k packets then > stop, then the next user, etc. In the whole time I was watching I never > saw the same IP twice. I thought it could be spoofing, but as I ran > pings on whichever source IP I saw I got no response, then when they > stopped attacking I would start to get ping responses. I'm still at it, > but as I approached 100 unique sources I realized there's probably not > a lot of hope of effectively blocking it. I could filter the destination > for that entire pop, but: > > a) I can almost guarantee I would be "administratively prohibited" from > doing so, given the popularity of the site in question. > > b) It's a major website with gobs of bandwidth, which thus far seems > entirely unaffected by the attack. I am contacting them to verify > this, but every time I've checked the page comes up instantly and > there's no latency to speak of in traceroutes. > > c) The amount of time the filter would have to stay in place is > unknown (so same reason as a) basically) because of the amount > of administrative hassle to track down every user and not only > block them but also get them to fix it (which, without having any > real idea what agent they're running, will be difficult in itself). > > We are still working at this, but I'm wondering whether any other DSL > or cable providers out there are seeing similar. > > -c >
|