nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)

From: Avleen Vig <lists-nanog () silverwraith com>
Date: Sun, 7 Mar 2004 14:05:08 -0800

On Sun, Mar 07, 2004 at 08:28:53PM +0000, Christopher L. Morrow wrote:

Without any data to back this up, I'm estimating based on the attacks
I've dealt with.
I don't believe the number have gone down at all. If it has, it's done
that for someone else, not me,


Is this attacks on 'known magnets' or 'random stuff'. From what I've seen
the frequency of attacks on 'all customers' seems to be slowing SOME.
There are the normal nuisance points which attract attacks for whichever
reason. So, Avleen, can you seperate the 'known magnets' from 'random
stuff' and say which direction the trend is moving?


If we class "popular websites", "servers / networks at major ISPs", "IRC
servers" and "the latest popular thing" as magnets, and "small business
sites", "personal pages" etc as the random stuff, then I don't believe
attacks on magnets have gone down at all.
On the random stuff I cannot comment, as I've had surprisingly little
dealing with that.


As to the 'strength' of attacks. It seems that bandwidth and pps rates
have incresed over time. This COULD BE because you can own up 10,000 xp
machines in a heartbeat, or it could be a reflection of
bigger/better/faster single hosts being taken over. It's hard to tell from
my end of the party :(


I don't think it would be unfair to assume it is both. Again that stands
to simple logic. More hosts on the internet = more potential drones.
More availible global bandwidth = larger volume output from each drone.


I don't have any evidence. Nor do I *believe* the number of attacks is
decreasing. If anything, its staying the same or going up, as more
people decide it's fun to take networks offline through the greater and
greater number of compromised hosts.


The greater number of compromisable hosts seems to be the constant in this
arguement. So, like we've said for several years, until the end station is
secured 'better' the consistency and strength of attacks will continue
that upward trend.


Indeed. I believe the ISP of the end user is the party responsible here.
If the ISP is allowing access through their network, they need to be
responsible for the data leaving their networl which originates in their
network.
Previous By Date Next
Previous By Thread Next

Current thread: