North American Network Operators Group


Re: Odd DDoS, anyone else seen this?

  • From: Stephen J. Wilcox
  • Date: Mon Nov 25 08:52:12 2002

Glad to know it's not just me.

FYI, x.x.0.0 is a valid host address, as is x.x.x.0, and it would be technically
incorrect to block it on the assumption that it is a network address and therefore a bogon.

However, this may be a way to do it if we see another attack. Although I would
strongly recommend against filtering x.x.x.0, I would doubt that there are any
valid x.x.0.0 hosts on the Internet, so one could filter on that.

Steve

On Mon, 25 Nov 2002 [email protected] wrote:

> On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:
> 
> > We saw many hundred thousand packets per second entering our network
> > from various international peers, each packet was tcp destined to a
> > single real end user IP address and sourced from a /16 network address
> > eg 61.254.0.0, where the src was random and different on each packet but
> > always x.x.0.0
> 
> Yes.  We've asked all our upstreams to block it completely (with varying
> degrees of success from it being permanently blocked at their borders to 
> "we can't apply filters on your interface").
> 
> For Junos (I was informed that this is only available in 5.5), you can
> filter using:
> 
> 0.0.0.0/0.0.255.255 
> 
> On a cisco you can block using: 
> 
> deny ip 0.0.0.0 255.255.0.0 any 
> 
> > I was unable to find out more about the data within the packet, the
> > sheer volume made diagnosis impossible without killing the routers.
> 
> Looked just like a regular SYN flood to the target IP.  Not sure why they
> picked source addresses that were so obviously bogus though.
> 
> Can anyone think of a reason why this sort of traffic should be routed at 
> all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?
> 
> Rich
> 
>
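The two filters quoted above express the same match in two mask conventions: Cisco's wildcard mask (set bit = don't care) and Junos's netmask-style mask (assumed here to mean set bit = must match). The following Python is an added example, not code from either poster or from NANOG, that models both forms against a constructed list of source addresses, and also checks which x.x.x.0 and x.x.0.0 addresses are nonetheless usable hosts under the prefix they belong to. The address list, prefixes and the "overbroad" x.x.x.0 variant are assumptions made for the illustration.

```python
"""Model the source-address filters from the thread and show which
x.x.x.0 / x.x.0.0 addresses are still legitimate hosts.

Added example; the filter strings come from the thread, everything else
(sample sources, prefixes, the overbroad variant) is constructed here.
"""
import ipaddress

# Cisco ACL line from the thread: "deny ip 0.0.0.0 255.255.0.0 any"
CISCO_BASE, CISCO_WILDCARD = "0.0.0.0", "255.255.0.0"
# Junos match from the thread: "0.0.0.0/0.0.255.255"
JUNOS_BASE, JUNOS_MASK = "0.0.0.0", "0.0.255.255"
# Hypothetical x.x.x.0 filter that the reply warns against (assumption).
OVERBROAD_WILDCARD = "255.255.255.0"


def _u32(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def cisco_wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


def junos_mask_match(addr, base, mask):
    """Netmask semantics (assumed for the Junos form): mask bit 1 = 'must match'."""
    care = _u32(mask)
    return (_u32(addr) & care) == (_u32(base) & care)


def is_usable_host(addr, prefix):
    """True if addr is an assignable host inside prefix (not network/broadcast).

    /31 (RFC 3021) and /32 have no reserved addresses, so every address
    in them is usable.
    """
    net = ipaddress.IPv4Network(prefix, strict=False)
    a = ipaddress.IPv4Address(addr)
    if a not in net:
        return False
    if net.prefixlen >= 31:
        return True
    return a != net.network_address and a != net.broadcast_address


# Constructed sample of packet sources (not captured data): attack-style
# x.x.0.0 sources mixed with ordinary and x.x.x.0 hosts.
SAMPLE_SOURCES = [
    "61.254.0.0",     # attack pattern described in the thread
    "203.0.113.0",    # x.x.x.0; a real host if its prefix is shorter than /24
    "198.51.100.7",   # ordinary host
    "10.1.0.0",       # x.x.0.0 inside 10.0.0.0/8 is technically a valid host
]


def apply_source_filter(sources, matcher):
    """Split sources into (dropped, passed) according to matcher."""
    dropped = [s for s in sources if matcher(s)]
    passed = [s for s in sources if not matcher(s)]
    return dropped, passed


def cisco_filter(sources):
    return apply_source_filter(
        sources, lambda s: cisco_wildcard_match(s, CISCO_BASE, CISCO_WILDCARD))


def junos_filter(sources):
    return apply_source_filter(
        sources, lambda s: junos_mask_match(s, JUNOS_BASE, JUNOS_MASK))


def overbroad_filter(sources):
    """The x.x.x.0 filter the reply argues against: drops legitimate hosts."""
    return apply_source_filter(
        sources, lambda s: cisco_wildcard_match(s, CISCO_BASE, OVERBROAD_WILDCARD))


if __name__ == "__main__":
    print("cisco   :", cisco_filter(SAMPLE_SOURCES))
    print("junos   :", junos_filter(SAMPLE_SOURCES))
    print("x.x.x.0 :", overbroad_filter(SAMPLE_SOURCES))
    print("203.0.113.0 in /23 usable:", is_usable_host("203.0.113.0", "203.0.112.0/23"))
    print("203.0.113.0 in /24 usable:", is_usable_host("203.0.113.0", "203.0.113.0/24"))
```

Both mask conventions drop exactly the x.x.0.0 sources, and the netmask in the Junos form is the bitwise inverse of the Cisco wildcard. The x.x.x.0 variant additionally drops 203.0.113.0, which is a perfectly assignable host when its prefix is a /23 or shorter, which is the point the reply makes about blocking x.x.x.0.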