North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Bogon list or Dshield.org type list

  • From: michael.dillon
  • Date: Mon Jul 29 06:39:25 2002

Having recently read David Moore's paper on backscatter analysis, 
http://www.caida.org/outreach/papers/2001/BackScatter/
this data is interesting because most of these filters seem to be blocking 
an amount of traffic proportional to their size.

>Extended IP access list 120 (Compiled)
>    permit tcp any any established (243252113 matches)
>    deny ip 0.0.0.0 1.255.255.255 any (825328 matches)
                    ^^^                 ^^^^^^
The netmask is twice as large and it blocks twice the traffic as the 
following three blocks.

>    deny ip 2.0.0.0 0.255.255.255 any (413487 matches)
>    deny ip 5.0.0.0 0.255.255.255 any (410496 matches)
>    deny ip 7.0.0.0 0.255.255.255 any (413621 matches)
>    deny ip 10.0.0.0 0.255.255.255 any (1524547 matches)
RFC 1918 space is different from the rest.

<some deleted to save space> 

>    deny ip 72.0.0.0 7.255.255.255 any (3300703 matches)
                     ^^^                 ^^^^^^^
Eight times as big blocks eight times as much traffic

<some deleted to save space>

>    deny ip 224.0.0.0 31.255.255.255 any (13165320 matches)
And the relationship holds even up here in the multicast range.

However, since you are seeing this on your ingress filters, this can't be 
backscatter. It must be incoming attack traffic and since the traffic is 
evenly distributed over the entire IPv4 address space, you can calculate 
how much attack traffic is still getting through by adding up the amount 
of IPv4 address space that you aren't filtering. If you would look at the 
destination IP addresses from some of the netblocks in the above list, 
then you could identify which of your machines (or your customer machines) 
are being attacked.

This now provides enough information to identify attack traffic close to 
its source. If you would publish the destination addresses and time 
periods of the attacks then other people could look in their netflow data 
for traffic from bogon addresses to your destination. A central repository 
like dshield.org for this data would be interesting.

Other than for idle curiosity, I think this is interesting because there 
is the real possibility of being able to identify an attacker and victim 
soon enough after an attack begins that the victim could issue legal 
warnings to the attacker and possibly follow up in the courts. I would 
think that after a few well-publicised cases, the owners of compromised 
machines used to initiate DDOS attacks will begin to secure their machines 
the way they should have in the first place.

-- Michael Dillon