North American Network Operators Group


Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

  • From: Danny McPherson
  • Date: Wed Jun 02 15:05:08 2004

On Jun 2, 2004, at 12:36 PM, Richard A Steenbergen wrote:
> If it walks like a duck, and it sounds like a duck, it is probably a duck.
> RFC1918 sourced space, most likely from misconfigured NATs and such,
> accounts for only a very small amount of the bogon-source packets which go
> splat.

But worms, OTOH, seem to be much more persistent.

> Most of the DoS attempts by volume don't fall into the category of
> questionable. When you see a 100Mbps stream (from a single ingress
> interface, with consistent TTLs) of IP proto 0 or 255, or tcp port 0, or
> classic SYN flooders (SYN w/no MSS) or stream (randomized seq# and fixed
> ack# on a packet w/TH_ACK flag only) targeting a specific IP/port with a
> source address of iph.ip_src.s_addr = random(), it is pretty easy to tell
> those apart from the usual background noise of a worm.

Sure..

> Some days it helps to actually have an operational network, instead of
> being a researcher. Even without interesting tools it isn't terribly hard
> to look at your PNI graphs, match up the hundreds-of-meg spikes with
> specific DoS incidents, and go from there. Not to point fingers at anyone
> in particular, but it seems to be the same foreign networks who tend to
> have little control over their spammers.

Heh.. I certainly don't consider myself a researcher, or an
operator (any longer) for that matter (though I do have access
to a significant amount of both research and operational data
and tend not to call a duck a goose simply because I heard
a quack :-)

-danny
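The signatures Richard lists (IP proto 0/255, TCP port 0, SYN without an MSS option, the "stream" pattern of ACK-only packets with randomized seq# and a fixed ack#, consistent TTLs, a fresh random source per packet) as detection logic over constructed packet records. This is an added example, not code from the thread; the Pkt record, the label names and the threshold of three ACK-only packets are assumptions.

```python
# Added example (not from the thread): classify constructed packet records by
# the signatures listed above (proto 0/255, port 0, SYN w/o MSS, stream, TTL, src).
from collections import Counter
from dataclasses import dataclass

@dataclass
class Pkt:                 # minimal constructed packet record, not a capture
    src: str
    proto: int             # IP protocol number; 6 = TCP
    ttl: int
    dport: int = 0
    flags: str = ""        # TCP flags: "S" = SYN only, "A" = ACK only
    seq: int = 0
    ack: int = 0
    mss: int = 0           # TCP MSS option value; 0 means the option is absent

def classify_packet(p):
    """Single-packet signature check; returns a label or None."""
    if p.proto in (0, 255):
        return "ip-proto-0/255"
    if p.proto == 6:
        if p.dport == 0:
            return "tcp-port-0"
        if p.flags == "S" and p.mss == 0:
            return "syn-no-mss"
        if p.flags == "A":
            return "ack-only"    # "stream" candidate; confirmed per flow below
    return None

def classify_flow(pkts):
    """Aggregate check over packets to one destination IP/port."""
    labels = Counter(classify_packet(p) for p in pkts)
    labels.pop(None, None)
    acks = {p.ack for p in pkts if p.flags == "A"}
    seqs = {p.seq for p in pkts if p.flags == "A"}
    # stream: several ACK-only packets, randomized seq#, one fixed ack#
    if labels.get("ack-only", 0) >= 3 and len(acks) == 1 and len(seqs) > 1:
        labels["stream"] = labels.pop("ack-only")
    return {"labels": dict(labels),
            "consistent_ttl": len({p.ttl for p in pkts}) == 1,
            "random_source": len({p.src for p in pkts}) == len(pkts) > 1}

def stream_flood(n=5):
    """Constructed stream flood: ACK-only, varying seq#, fixed ack#, new src each."""
    return [Pkt(src=f"198.51.100.{i}", proto=6, ttl=118, dport=80, flags="A",
                seq=(i * 0x9E3779B1) & 0xFFFFFFFF, ack=0x1234) for i in range(n)]

def syn_flood(n=5):   # constructed SYN flood: SYN, no MSS option, new src each
    return [Pkt(src=f"203.0.113.{i}", proto=6, ttl=54, dport=80, flags="S")
            for i in range(n)]
```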