nanog mailing list archives
Re: The impending DDoS storm
From: Aaron Hopkins <lists () die net>
Date: Wed, 13 Aug 2003 13:46:38 -0700 (PDT)
> has anyone tried tarpitting, e.g. LaBrea, to slow the worm?

I have been using my Linux kernel module ipt_TARPIT (included in the latest netfilter.org patch-o-matic release) to do this for any IPs on my network lacking a route, including outbound from my customers and inbound to my unused address space.

While it is trying to scan routeless IPs, the tarpit slows it down to scanning 20 IPs per ~9 minutes. (MSBlast has 20 connection slots, each apparently timing out after ~9 minutes.) It normally appears to have a several-second connect timeout, so this slows it down by two orders of magnitude with a similar drop in network traffic.

-- Aaron
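The slowdown described in the message above can be modelled as a slot-limited scanner, shown here as an added example that is not part of the original post. The 20 slots and ~9 minute hold come from the post; the 5 second normal timeout and the `tarpit_fraction` parameter are assumptions, and the model goes beyond the post by covering the case where only part of the scanned address space is tarpitted.

```python
import heapq
import random

SLOTS = 20             # from the post: MSBlast has 20 connection slots
TARPIT_HOLD = 9 * 60   # from the post: a tarpitted slot times out after ~9 minutes
NORMAL_HOLD = 5.0      # assumption: "several second" connect timeout taken as 5 s


def probes_started(duration, tarpit_fraction, seed=1):
    """Count the probes a slot-limited scanner starts in `duration` seconds.

    tarpit_fraction (hypothetical parameter) is the share of probed
    addresses that are answered by a tarpit instead of timing out normally.
    """
    rng = random.Random(seed)
    free_at = [0.0] * SLOTS          # min-heap: time at which each slot frees up
    started = 0
    while True:
        t = heapq.heappop(free_at)   # next slot to become available
        if t >= duration:
            return started
        hold = TARPIT_HOLD if rng.random() < tarpit_fraction else NORMAL_HOLD
        heapq.heappush(free_at, t + hold)
        started += 1


def steady_state_rate(tarpit_fraction):
    """Closed form: slots divided by mean hold time, in probes per second."""
    mean_hold = (tarpit_fraction * TARPIT_HOLD
                 + (1 - tarpit_fraction) * NORMAL_HOLD)
    return SLOTS / mean_hold


if __name__ == "__main__":
    hour = 3600
    baseline = probes_started(hour, 0.0)
    for frac in (0.0, 0.1, 0.5, 1.0):
        n = probes_started(hour, frac)
        print(f"tarpitted {frac:4.0%}: {n:6d} probes/hour, "
              f"slowdown x{baseline / n:.1f}")
```

Because a tarpitted probe holds its slot roughly a hundred times longer than a normal one, the mean hold time is dominated by the tarpitted share even when that share is small.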