Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

[Danny McPherson <danny () tcb net>]

On Jun 2, 2004, at 12:36 PM, Richard A Steenbergen wrote:
> If it walks like a duck, and it sounds like a duck, it is probably a 
> duck.
> RFC1918 sourced space, most likely from misconfigured NATs and such,
> account for only a very small amount of the bogon-source packets which 
> go
> splat.

But worms, OTOH, seems to be much more persistent.

> Most of the DoS attempts by volume don't fall into the category of
> questionable. When you see a 100Mbps stream (from a single ingress
> interface, with consistant TTL's) of IP proto 0 or 255, or tcp port 0, 
> or
> classic SYN flooders (SYN w/no MSS) or stream (randomized seq# and 
> fixed
> ack# on a packet w/TH_ACK flag only) targetting a specific IP/port 
> with a
> source address of iph.ip_src.s_addr = random(), it is pretty easy to 
> tell
> those apart from the usual background noise of a worm.

Sure..

> Some days it helps to actually have an operational network, instead of
> being a researcher. Even without interesting tools it isn't terribly 
> hard
> to look at your PNI graphs, match up the hundreds-of-meg spikes with
> specific DoS incidents, and go from there. Not to point fingers at 
> anyone
> in particular, but it seems to be the same foreign networks who tend to
> have little control over their spammers.

Heh..  I certainly don't consider myself a researcher, or an
operator (any longer) for that matter (though I do have access
to a significant amount of both research and operational data
and tend not to call a duck a goose simply because I heard
a quack :-)

-danny