Re: Under DDoS attack; what do I do now?

[Joe Shaw <jshaw () insync net>]

On Wed, 30 Aug 2000, Chris Adams wrote:

> We appear to be under a distributed denial of service attack.  We are
> receiving 7.5+ megabits per second of ICMP traffic (it looks like a
> smurf attack) from all over to a single address (one that was in our
> dialup pool).  We've taken the IP out of our pool and are routing it to
> a separate interface with a computer just setup to capture traffic.
>
> It isn't causing an immediate problem, since we've routed the traffic
> away, but what do we do next?  We've been contacted by a couple of the
> people sending the ICMP replies complaining about us pinging them and
> told them about fixing distributed broadcast and they've said they'll
> look into it.

Lovely.  Generally people who pay close attention to things like that have
already got their smurf filters enabled.  At least they noticed it though.

> What do we do to track this down?  We've got four upstreams and the
> traffic appears to be coming in all four; do we need to call all of
> them?  Is there any kind of organization that can help coordinate this?

Call CERT.  1.888.222.0700.  Hopefully they'll not be too busy sitting on
their hands to help.  Also, call back the people being used as amplifiers
and see if they can have their providers start tracing the path of the
forged packets back to the originator.  

> Thanks for any help you can give.

__
Joseph W. Shaw - jshaw () insync net