North American Network Operators Group

Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
On Jun 2, 2004, at 10:56 AM, Richard A Steenbergen wrote:

> What people may be seeing is that poorly randomized source attacks are

How do you discriminate *DDOS attacks employing source address spoofing* from broken NATs, rampant worms, PMTU and other related misconfiguration resulting in backscatter and similar garbage - with filter counters? Given, tactically deployed filters in order to mitigate a specific attack to a particular destination would likely glean some value WRT the validity of the source distribution for a given attack, but not generally deployed filters for any destination.

And exactly what represents "spoofed" by your definition? Note again that I explicitly called out **DDOS attacks employing source address spoofing**, which is non-inclusive of spoofing in general employed by worms and the like, or common misconfigurations and brokenness that results in the slew of random garbage floating about.

> especially from foreign and certain smaller networks.

I'd be extremely interested in any empirical evidence you have to support this, and in better understanding exactly how you determined "foreign and certain smaller networks" were indeed the source of many of these spoofed packets.

> As a customer of someone who does this kind of filtering and maintains

I agree, if it's filtered before someone observes it, it won't be observed :-) However, distinguishing between coordinated DDOS attacks that employ source address spoofing and "run of the mill" spoofing (by worms and the like) or simple misconfiguration of some sort resulting in "backscatter" is key.

-danny