nanog mailing list archives
Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
From: Danny McPherson <danny () tcb net>
Date: Wed, 2 Jun 2004 13:01:13 -0600
On Jun 2, 2004, at 12:36 PM, Richard A Steenbergen wrote:
If it walks like a duck, and it sounds like a duck, it is probably a duck. RFC1918 sourced space, most likely from misconfigured NATs and such, accounts for only a very small amount of the bogon-source packets which go splat.
But worms, OTOH, seem to be much more persistent.
Most of the DoS attempts by volume don't fall into the category of questionable. When you see a 100Mbps stream (from a single ingress interface, with consistent TTL's) of IP proto 0 or 255, or tcp port 0, or classic SYN flooders (SYN w/no MSS) or stream (randomized seq# and fixed ack# on a packet w/TH_ACK flag only) targeting a specific IP/port with a source address of iph.ip_src.s_addr = random(), it is pretty easy to tell those apart from the usual background noise of a worm.
Sure..
Some days it helps to actually have an operational network, instead of being a researcher. Even without interesting tools it isn't terribly hard to look at your PNI graphs, match up the hundreds-of-meg spikes with specific DoS incidents, and go from there. Not to point fingers at anyone in particular, but it seems to be the same foreign networks who tend to have little control over their spammers.
Heh.. I certainly don't consider myself a researcher, or an operator (any longer) for that matter (though I do have access to a significant amount of both research and operational data and tend not to call a duck a goose simply because I heard a quack :-)
-danny
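The traits listed in the quoted text (IP proto 0 or 255, TCP port 0, SYN with no MSS, ACK-only "stream" packets, one ingress interface, consistent TTL, random sources) can be checked mechanically. The following is an added example, not part of the original message: the packet field names, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
import random
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

def signature(p):
    """Per-packet trait from the post, or None for ordinary traffic."""
    if p["proto"] in (0, 255):
        return "ip-proto-0/255"
    if p["proto"] != 6:
        return None
    if p["sport"] == 0 or p["dport"] == 0:
        return "tcp-port-0"
    if p["flags"] == SYN and not p.get("mss"):
        return "syn-no-mss"
    return "ack-only" if p["flags"] == ACK else None

def find_floods(packets, min_pkts=100, min_ratio=0.9):
    """Group by (ingress ifindex, dst, dport, trait); keep groups with
    near-unique sources and one dominant TTL (one sender, spoofed sources)."""
    groups = defaultdict(list)
    for p in packets:
        sig = signature(p)
        if sig:
            groups[(p["ifindex"], p["dst"], p.get("dport"), sig)].append(p)
    hits = []
    for (ifindex, dst, dport, sig), pkts in groups.items():
        n = len(pkts)
        top_ttl = Counter(p["ttl"] for p in pkts).most_common(1)[0][1]
        if n < min_pkts or len({p["src"] for p in pkts}) < min_ratio * n or top_ttl < min_ratio * n:
            continue
        if sig == "ack-only":  # "stream": fixed ack#, randomized seq#
            if len({p["ack"] for p in pkts}) > 1 or len({p["seq"] for p in pkts}) < min_ratio * n:
                continue
            sig = "stream"
        hits.append({"ifindex": ifindex, "dst": dst, "dport": dport, "kind": sig, "packets": n})
    return hits

def sample_packets():
    """Constructed input: a SYN flood, a stream flood, and worm-like scanning."""
    rng = random.Random(1)
    def pkt(**kw):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        return {"proto": 6, "ifindex": 3, "dst": "192.0.2.10", "sport": 1025, "dport": 80, "flags": SYN,
                "seq": rng.getrandbits(32), "ack": 0, "ttl": 242, "src": src, **kw}
    syn = [pkt() for _ in range(500)]
    stream = [pkt(flags=ACK, ack=0x1234, dport=6667) for _ in range(500)]
    worm = [pkt(mss=1460, src="203.0.113.7", ttl=120, dst=f"198.51.100.{i % 250}", dport=445) for i in range(500)]
    return syn + stream + worm

if __name__ == "__main__":
    for hit in find_floods(sample_packets()):
        print(hit)
```

The worm-like scan in the sample is not reported: its SYNs carry an MSS option, come from a single real source, and are spread across many destinations, so no group matches a flood trait.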