North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ICANN Targets DDoS Attacks

  • From: Jared Mauch
  • Date: Tue Oct 29 21:07:53 2002 
On Tue, Oct 29, 2002 at 06:00:06PM -0500, Ken Chase wrote:
> On Tue, Oct 29, 2002 at 04:11:49PM -0500, Jared Mauch's all...
> 
> > 	Once again, i'd like to see (other than a performance
> > checking customer) generate more than 2Mb/s of icmp.echo and icmp.echo-reply
> > packets that are legit and not part of a DoS.  This is quite rare.
> 
> little blip in the internet, and all your intelligent customers running
> linux use their leet tools to figure out whats wrong. They all run
> mtr vs their preferred sites. Mtr generates one ICMP packet (~80 bytes?)
> of traffic PER hop in the trace. A route of 20+ hops, means 1600 bytes/s
> per customer (thats 12.8Kbps). 150 customers later you got 2Mbps of
> traffic (2Mb/s is 2 megaBIT per second right? you didnt mean 2 mega BYTES
> per second? in which case *8).
> 
> Is 150 customers a large number?
> 
> And there are lots of nice graphical traceroute tools for windoze as well
> of course, dont know their packet load in full operation however.
> 
> Silly me, sometimes I leave mtrs running. I've found 2-3 going all at
> once at times. <slap!/>
> 
> Why is ICMP rate limiting on ECHO and ECHO reply going to stop all DOS
> attacks?  What are they going to do about UDP floods? (Are they proposing

	I don't recall saying it will stop all DoS attacks.

	It will help minimize them.

	Please discontinue imagination.  You obviously don't understand how
traceroute works by sending udp packets and getting icmp ttl expired
messages back which are not icmp {echo,echo-reply}.  Come back when you do
understand how it works.  /sigh

> that DDOS attacks are all smurf based? They've just found a solution to 1996's
> problems? Amazing!)

	They're not, but there is still a large amount of things that
just do ping -f <10.2.3.4> and similar types of attacks.  If you know
what your usual patterns are, it's easy to notice what is out of
place.

> [ hopefully this post makes it to nanog. my posts've been going to /dev/null
> with previous attempts ]
> 
> /kc
> 
> > 
> > 	Do your own stats and test your hardware.
> > 
> > 	- jared
> > 
> > -- 
> > Jared Mauch  | pgp key available via finger from [email protected]
> > clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> 
> -- 
> Ken Chase, [email protected]  *  Velocet Communications Inc.  *  Toronto, CANADA 

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.