nanog mailing list archives

Re: DDOS anecdotes


From: "Michael Painter" <tvhawaii () shaka com>
Date: Sat, 23 Jun 2001 11:18:28 -1000


Daniel

Obviously, a general spoofing tool for Win95 could be written.
After reading that part of the tirade, I came to the same conclusion as a
previous poster... lots of FUD, and not much more.<<

I'm having a hard time understanding this.  Wouldn't it be easier/simpler for
these crackers to just install their bots on, oh say, 20 million machines running
XP than the crackers having to deal with installing the bot -and- the code to do
the spoofing on Win95/98/98SE/98ME?

Michael Painter


----- Original Message -----
From: "Daniel Senie" <dts () senie com>
To: "Tim Wilde" <twilde () dyndns org>
Cc: <nanog () merit edu>
Sent: Saturday, June 23, 2001 9:13 AM
Subject: RE: DDOS anecdotes



At 02:37 PM 6/23/01, Tim Wilde wrote:

This is a real problem. It's not FUD. Microsoft's choice to include full
IP stack capabilities will make the problem worse, but I do not blame
their IP stack for this like Mr Gibson does though.

Oh, it's most certainly a real problem, but I don't agree that the changes
in Win XP will really make any difference whatsoever.  With some very
trivial driver additions, raw sockets can be accessed under any previous
version of Windows, just like in XP.


Indeed, there have been LAN analyzers which run on all variants of Windows
for a very long time. These can generate / play back traffic, using
whatever source IP addresses and MAC addresses were on the original
packets. Obviously, a general spoofing tool for Win95 could be written.
After reading that part of the tirade, I came to the same conclusion as a
previous poster... lots of FUD, and not much more.

It's been 5 years since the document now published as RFC 2827 was first a
draft. Many sites do ingress or egress filtering. Many don't. Most router
equipment can now handle it, according to the manufacturers. Yes, there are
issues dealing with multi-homing. However, it appears many attacks still
originate from single homed sites, dialup sites, cable modem attached
systems, and the like. In most cases, these could be filtered. Has anyone
at any of the cable modem vendors made any attempts to try ingress
filtering in the cable system head-end routers? Did it work? Need help
trying it out? While Ingress filtering will not cure the world, it can help
de-fang many attacks. Unfortunately, it requires cooperation to be effective.

-----------------------------------------------------------------
Daniel Senie                                        dts () senie com
Amaranth Networks Inc.                    http://www.amaranth.com
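
An added illustration, not part of either poster's message: the source-address check that RFC 2827 ingress filtering applies at an edge interface, run over constructed packets. The interface names, prefixes (documentation address ranges) and packets are all made up for the example, including a multi-homed customer with a second legitimate prefix.

```python
import ipaddress

# Constructed edge-router table: each customer-facing interface and the
# prefixes legitimately assigned behind it (documentation address space).
ASSIGNED = {
    "cable-headend-1": ["198.51.100.0/24"],
    "dialup-pool-1": ["203.0.113.0/25"],
    # Multi-homed customer: also sources traffic from its other provider's block.
    "cust-multihomed": ["192.0.2.0/25", "203.0.113.128/25"],
}

def build_filters(assigned):
    """Parse the prefix strings once into network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def ingress_permit(filters, ifname, src):
    """Permit only if src lies inside a prefix assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # An interface with no entry has no permitted prefixes, so it fails closed.
    return any(addr in net for net in filters.get(ifname, []))

def apply_filter(filters, packets):
    """Split (interface, src, dst) tuples into permitted and dropped lists."""
    permitted, dropped = [], []
    for pkt in packets:
        (permitted if ingress_permit(filters, pkt[0], pkt[1]) else dropped).append(pkt)
    return permitted, dropped

# Constructed sample traffic: (ingress interface, source IP, destination IP)
SAMPLE_PACKETS = [
    ("cable-headend-1", "198.51.100.23", "192.0.2.200"),  # own address
    ("cable-headend-1", "10.9.8.7", "192.0.2.200"),       # forged source
    ("dialup-pool-1", "203.0.113.200", "192.0.2.200"),    # outside the /25 pool
    ("cust-multihomed", "203.0.113.130", "192.0.2.200"),  # second assigned prefix
    ("cust-multihomed", "198.51.100.23", "192.0.2.200"),  # someone else's address
]

if __name__ == "__main__":
    ok, bad = apply_filter(build_filters(ASSIGNED), SAMPLE_PACKETS)
    for ifname, src, _dst in bad:
        print(f"drop  {ifname:16} src={src}")
    print(f"{len(ok)} permitted, {len(bad)} dropped")
```

The multi-homed entry only passes because its second prefix was listed explicitly, which is the coordination cost the message refers to.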


