Security Basics mailing list archives
RE: Why bandwidth consuming ddos attack using only udp or icmp?
From: "Ajay Tikoo" <ajay () printwire org>
Date: Fri, 29 Feb 2008 12:25:14 -0500
I agree with what David has written. I just want to point out that instead of filtering all udp at the border router, why would you not filter all "unwanted" udp packets (based on source and destination port)? For example, in order to allow DNS to pass through, you would accept udp traffic with a source or destination port of 53.

Ajay Tikoo

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Gillett
Sent: Friday, February 29, 2008 11:51 AM
To: 'MontyRee'
Subject: RE: Why bandwidth consuming ddos attack using only udp or icmp?
> So, some network administrator said that he filtered all udp and icmp just against the bandwidth consuming ddos attack at the border router. (Surely some problems would happen... DNS, something like that.)

Presumably he made an exception for DNS, and perhaps NTP. Note that the bandwidth bottleneck is typically outside the border router, so filters on that router only apply after the bandwidth has been consumed....

> Is it impossible or ineffective to use tcp for a bandwidth consuming attack from the point of view of the attacker? Has anyone seen a bandwidth consuming attack using tcp?

It's not impossible, but it's extra work, and reveals the attacker's IP address to anyone who detects the attack. (Or at least one or more addresses under the attacker's control.) In your case, the TCP portion of the attack is probably trying to exhaust half-open connection entries (SYN flood) rather than bandwidth. He can use spoofed source addresses for that.

David Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of MontyRee
Sent: Thursday, February 28, 2008 6:52 PM
To: security-basics () securityfocus com
Subject: Why bandwidth consuming ddos attack using only udp or icmp?

Hello, list.

I have operated the network in my company and recently I have experienced a ddos attack (inbound) on my network. It seems that the ddos attack was divided in two. First, the bandwidth consuming attack consisted entirely of udp or icmp using big packets (about 1500 bytes). Second, the tcp based attack, for example http (80/tcp), mostly created lots of pps using small packets (about 40 bytes).

So, some network administrator said that he filtered all udp and icmp just against the bandwidth consuming ddos attack at the border router. (Surely some problems would happen... DNS, something like that.)

And I have one question. Is it impossible or ineffective to use tcp for a bandwidth consuming attack from the point of view of the attacker? Has anyone seen a bandwidth consuming attack using tcp?

Thanks in advance.
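The port-based UDP/ICMP border filter discussed in this thread, as an added example that is not part of any message above: it models the "source or destination port 53" rule beside a tighter one that only admits UDP/53 to the constructed addresses of our own DNS server and resolver, and runs both over constructed sample packets so the difference in what still reaches the inside link is visible.

```python
# Added example, not from the thread: a model of the port-based UDP/ICMP border
# filter discussed above, run over constructed sample packets.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp" or "icmp"
    dst: str        # destination address inside our network
    size: int       # bytes on the wire
    sport: int = 0  # 0 for ICMP
    dport: int = 0

# Constructed addresses: our authoritative DNS server and our recursive resolver.
OUR_DNS_SERVER = "192.0.2.53"
OUR_RESOLVER = "192.0.2.10"

def loose_filter(p: Packet) -> str:
    """Rule as stated in the thread: pass UDP whose source OR destination port
    is 53, drop all other UDP and ICMP, and leave TCP to other controls."""
    if p.proto == "tcp":
        return "accept"
    if p.proto == "udp" and 53 in (p.sport, p.dport):
        return "accept"
    return "drop"

def tight_filter(p: Packet) -> str:
    """Tighter variant: UDP/53 only to the host that serves DNS, source-port-53
    replies only to the host that sends queries. Source ports remain spoofable,
    so this narrows the exposed hosts rather than removing the exposure."""
    if p.proto == "tcp":
        return "accept"
    if p.proto == "udp":
        if p.dport == 53 and p.dst == OUR_DNS_SERVER:
            return "accept"
        if p.sport == 53 and p.dst == OUR_RESOLVER:
            return "accept"
    return "drop"

def accepted_bytes(packets, rule) -> int:
    # Bytes that pass the border router and therefore still load the inside link.
    return sum(p.size for p in packets if rule(p) == "accept")

# Constructed sample traffic: legitimate DNS and TCP, then flood-style packets.
SAMPLE = [
    Packet("udp", OUR_DNS_SERVER, 80, sport=40000, dport=53),   # query to our server
    Packet("udp", OUR_RESOLVER, 200, sport=53, dport=40001),    # reply to our resolver
    Packet("tcp", "192.0.2.80", 40, sport=1234, dport=80),      # small TCP segment
    Packet("icmp", "192.0.2.80", 1500),                         # 1500-byte ICMP
    Packet("udp", "192.0.2.80", 1500, sport=53, dport=7777),    # sport 53 to a web host
    Packet("udp", "192.0.2.80", 1500, sport=6000, dport=7777),  # random-port UDP
]
```

As David notes above, either rule only applies after the packets have already crossed the upstream link, so the filter protects hosts behind the router rather than the link itself.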