North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

[Fwd: Re: DNS DDoS [was: register.com down sev0?]]

  • From: virendra rode //
  • Date: Thu Oct 26 18:25:19 2006

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We ran into similar attacks (couple days back) coming from non-spoofed
address range (being initiated from valid prefixes).

In working (w/ a co-worker of mine) on a network attack situation (trace
process) for a 30,000 user location (serving 60 other school districts)
running BCP38 & rate-limit which got ddos'd w/ about 8mpps.
It appears that these attacks were coming from the inside which not only
saturated devices along its way but also got amplified into several
other networks also causing significant flaps to its peered connection
(OC-xx).
Besides being distracted with this incredible among of traffic flow our
goal number one goal was to prevent this bleeding, thanks to the
distributed monitoring sensors (maybe we got lucky) we were able to
identify and sink-hole (null route) certain blocks (vlans) while we
worked with the network/desktop team to isolate the infected machines.
This was certainly a hair-pulling experience.

The point that I'm trying to make here is, you can have data coming from
a herd of comprised hosts (bots, self-propagating worms,
spam-relays,fake http get request, backdoors, etc) that can attack
against a well-protected system(s) so any kind of defense mechanism
can/will get defeated.

Then again, it doesn't mean one wouldn't want to follow well practiced
prevention methods.

Just curious, any ddos vendors want to share their success stories :-)



regards,
/virendra


- -------- Original Message --------
Subject: Re: DNS DDoS [was: register.com down sev0?]
Date: Thu, 26 Oct 2006 17:32:56 +0000
From: [email protected]
Reply-To: [email protected]
To: Robert Boyle <[email protected]>, [email protected],	Patrick
W. Gilmore <[email protected]>, Nanog <[email protected]>
References:
<[email protected]><[email protected]>
<[email protected]>

The network hardware vendors do need to include the feature to support
BCP-38.  It'll help us out on a number of fronts especially with some of
the recent cyber attacks.

We're in process of reaching out to many of the companies and many
providers to encourage the implementation of BCP-38.  We've gotten a lot
of great feedback from many of you and its greatly appreciated.  You
know who you are :)
Especially some of the feedback related to the hardware OS issues.

- -Jerry
[email protected] or [email protected]

Sent via BlackBerry from Cingular Wireless

- -----Original Message-----
From: Robert Boyle <[email protected]>
Date: Thu, 26 Oct 2006 12:04:03
To:"Patrick W. Gilmore" <[email protected]>, [email protected]
Subject: Re: DNS DDoS [was: register.com down sev0?]


At 11:21 AM 10/26/2006, you wrote:
Unfortunately, as Jared has pointed out, the equipment vendors have
>to help the operators support this.  So let's all call your favorite
>router vendor and ask them when they will have the "ip bcp38" config
>option. :)

Even better would be the option: "no ip bcp38"

Make it so a conscious action is needed to disable it, but PLEASE put
that in the release notes so when the config doesn't "change" we know
that something really did change... :)

R



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFQS8zpbZvCIJx1bcRAn93AKCSF2JcGTbB/bX/NcxxWdOwBXRDagCbBkY4
OBRqFdIvWojOwTK+K6Mlp2U=
=LumS
-----END PGP SIGNATURE-----