North American Network Operators Group


Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Rob Thomas
  • Date: Sat Jan 18 16:23:56 2003

Hi, NANOGers.

You just knew I couldn't stay out of this thread for long.  ;)

] I'd note that UUNET also went through some pain to push CPE configs with
] 'good' passwds for telnet and enable, now there are tens (perhaps
] hundreds) of CPE routers with 'cisco' as the vty  passwd... Don't

During the year 2002 I added at least 17683 compromised Cisco routers
to my hacked device database.  One bot included a list of 2827
compromised Cisco routers for use as bounces.  Most of these are CPE
routers, not ISP-managed routers.  All of them had cisco/cisco as the
login and password.  This isn't limited to Cisco routers, however.  I
collected an impressive list of broadband and other vendor routers as
well, for a total of just over 30K compromised routers in 2002.  As
Chris points out, this is an issue that requires vigilance beyond
teams at ISPs.

] addresses... Rob Thomas has some good data on attacks against IRC
] servers and other hosts on the internet, his data last I recall was
] something like 80% of attacks use spoofed addresses, though more and more

In 2002 I logged several thousand DDoS attacks.  Approximately 70%
used bogon source addresses or spoofing, but that trend was changing
by the end of the year.  In 2003 I have logged approximately 267 DDoS
attacks, NONE of which used spoofing.  Does anti-spoofing help?
Absolutely!  Is it a cure-all?  No.

The combination of very large (circa 94K) botnets and DoSnets and the
failure of many providers to respond to abuse alerts means that the
miscreants don't generally need to spoof.

A study I performed of an often-attacked site showed that a bit over
60% of all the naughty packets were from _obvious_ bogon addresses.
The total amount of spoofing is difficult to deduce.  You can view
the data included in a presentation here:

http://www.cymru.com/Presentations/60Days.ppt
http://www.cymru.com/Presentations/60Days.zip

Blocking spoofing and bogons (remember, uRPF works best if the RIB is
free from garbage) is worth the time.  Building a strong and
motivated security team is even more valuable.  :)

] For those that wonder 'how would you track that? It's spoofed!' please
] visit: http://www.secsup.org and read the provided links... its simple,

This is an excellent resource, and I encourage everyone to review it.
Tracking spoofed-source attacks is far easier than you may believe.
I have a lesser and rather lame method here:

http://www.cymru.com/Documents/tracking-spoofed.html

The method from UUNET is far superior.  :)  The point is that spoofed
source packets can be tracked.

All that aside, the method and ease of tracking makes no difference
if the source of pain is unwilling or unable to respond.  I'm certain
everyone now realizes that Internet security is all about "The Other
Guy."

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
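The two measurements the post leans on, the share of attack sources that are obvious bogons and the observation that uRPF only helps when the RIB is free of garbage, can be reproduced on a small scale. The following is an added example, not code from Rob Thomas or Team Cymru: it classifies a constructed list of attack source addresses against the fixed reserved IPv4 ranges, then runs a toy loose-mode uRPF check against a clean RIB and against one into which a private prefix has leaked. The bogon list is only the permanently reserved space; the unallocated space that made up most of a 2003-era bogon list changes as the RIRs allocate it and is deliberately not hard-coded. The RIB prefixes `198.100.0.0/16` and `204.10.0.0/16` are constructed values chosen to look routable, and the default-route handling (ignored unless explicitly allowed, as Cisco IOS does without the `allow-default` keyword) is a simplification.

```python
"""Added example: share of attack sources that are obvious bogons, and how
a leaked bogon prefix in the RIB defeats loose-mode uRPF.  Not code from
the NANOG post or from Team Cymru; all sample data below is constructed."""
import ipaddress
from collections import Counter

# Permanently reserved, never-globally-routable IPv4 space (RFC 1122, 1918,
# 3927, 5737, 6598, 2544, 1112, 6890).  Unallocated space is not listed:
# it changes over time and has to come from a maintained bogon feed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def bogon_prefix(addr):
    """Return the bogon prefix covering addr (as a string), or None."""
    ip = ipaddress.ip_address(addr)
    for net in BOGONS:
        if ip in net:
            return str(net)
    return None


def bogon_share(sources):
    """Tally the obvious bogons among observed source addresses.
    Returns (bogon_count, total, fraction, per_prefix_counts)."""
    hits = Counter()
    for src in sources:
        net = bogon_prefix(src)
        if net is not None:
            hits[net] += 1
    bogon_count = sum(hits.values())
    total = len(sources)
    fraction = (bogon_count / total) if total else 0.0
    return bogon_count, total, fraction, dict(hits)


def make_rib(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def longest_match(addr, rib):
    """Longest-prefix match of addr against the RIB; None if no route."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in rib if ip in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def urpf_loose_accepts(addr, rib):
    """Loose-mode uRPF: accept the packet if some route covers its source.
    The default route is ignored (prefixlen 0), so with a clean RIB bogon
    sources fail the check; a leaked bogon prefix makes them pass."""
    route = longest_match(addr, rib)
    return route is not None and route.prefixlen > 0


def accepted_by_urpf(sources, rib):
    """Source addresses that loose uRPF would let through with this RIB."""
    return [s for s in sources if urpf_loose_accepts(s, rib)]


# Constructed sample: source addresses seen in a flood at one site.
SAMPLE_SOURCES = [
    "10.1.2.3", "192.168.7.7", "0.0.0.0", "127.0.0.1", "224.0.0.5",
    "240.1.1.1", "198.100.4.4", "198.100.9.9", "204.10.1.1", "204.10.200.200",
]

# Constructed RIBs: a clean one, and the same one with a leaked RFC 1918 route.
RIB_CLEAN = make_rib(["198.100.0.0/16", "204.10.0.0/16", "0.0.0.0/0"])
RIB_LEAKED = RIB_CLEAN + make_rib(["192.168.0.0/16"])

if __name__ == "__main__":
    n_bogon, n_total, frac, per_prefix = bogon_share(SAMPLE_SOURCES)
    print(f"{n_bogon}/{n_total} sources ({frac:.0%}) are obvious bogons:")
    for net, count in sorted(per_prefix.items()):
        print(f"  {net:18} {count}")
    print("passed by loose uRPF, clean RIB: ", accepted_by_urpf(SAMPLE_SOURCES, RIB_CLEAN))
    print("passed by loose uRPF, leaked RIB:", accepted_by_urpf(SAMPLE_SOURCES, RIB_LEAKED))
```

Run against a real packet capture, the same tally gives the "obvious bogon" share the post describes, which is a lower bound on spoofing since spoofed packets from allocated space are indistinguishable here. The uRPF half shows the other point: once a bogon prefix is in the RIB, loose-mode uRPF treats those sources as legitimate, so bogon filtering on routes and on packets have to go together.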