North American Network Operators Group

Re: DDoS attacks, spoofed source addresses and adjusted TTLs
On Wed, 3 Aug 2005, Mike Tancsa wrote:

> I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were
> coming in all 3 of my transit links from a handful of source IP addresses
> that sort of make sense in terms of the path they would take to get to
> me. They were all large UDP packets of the form

in reality almost no udp floods are spoofed, save dns-smurf attacks... so you probably saw legit hosts sending bad packets.

> The TTLs all kind of make sense and are consistent (e.g. if the host is 8
> hops away, the TTL of the packet when it got to me was 56). Yes, I know
> those could be adjusted in theory to mask multiple sources, but in practice
> has anyone seen that ? I seem to recall reading the majority of DDoS
> attacks do not come from spoofed source IP addresses.

depends on the protocol, attacker and tools at their disposal most likely. I can say we see more non-spoofed than spoofed these days. (go botland go!)

what exactly was the question?
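The TTL reasoning in the quoted message (a host 8 hops away arriving with TTL 56, which implies an initial TTL of 64) can be written out as a per-source consistency check over captured flood traffic. This is an added example, not part of the original post; the list of initial TTLs, the tolerance, the function names and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

# Common initial TTL values set by sending hosts (assumption for this sketch).
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hops(observed_ttl):
    """Guess the hop count as the distance below the nearest common initial TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range: %r" % observed_ttl)

def ttl_report(packets, expected_hops=None, tolerance=2):
    """packets: iterable of (src_ip, ttl) pairs taken from a capture.
    expected_hops: {src_ip: hops} measured by traceroute toward the source.
    Returns {src_ip: verdict}."""
    expected_hops = expected_hops or {}
    seen = defaultdict(set)
    for src, ttl in packets:
        seen[src].add(infer_hops(ttl))
    report = {}
    for src, hops in seen.items():
        if max(hops) - min(hops) > tolerance:
            # One claimed address, several path lengths: the packets
            # probably did not all originate from the same place.
            report[src] = "inconsistent"
        elif src in expected_hops and all(
                abs(h - expected_hops[src]) > tolerance for h in hops):
            # Stable TTL, but it disagrees with the measured path length.
            report[src] = "path-mismatch"
        else:
            # Consistent is not proof of a real source: the sender chooses
            # the initial TTL, as the quoted message points out.
            report[src] = "consistent"
    return report

# Constructed sample using documentation addresses, not traffic from the thread.
SAMPLE = [
    ("192.0.2.10", 56), ("192.0.2.10", 56), ("192.0.2.10", 55),
    ("198.51.100.7", 116), ("198.51.100.7", 40), ("198.51.100.7", 243),
    ("203.0.113.5", 121),
]
EXPECTED = {"192.0.2.10": 8, "203.0.113.5": 15}

if __name__ == "__main__":
    for src, verdict in sorted(ttl_report(SAMPLE, EXPECTED).items()):
        print(src, verdict)
```

The tolerance absorbs small path changes across multiple transit links; a source that passes the check is only not contradicted by its TTLs.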