nanog mailing list archives

Re: Access Lists


From: Dan Boehlke <dboehlke () mr net>
Date: Thu, 26 Mar 1998 02:23:41 -0600 (CST)

By looking at netflow stats or ip accounting I can usually find the host
being attacked by sorting the list by destination.  The source will point
to hosts on a net being used as a smurf packet replicator, giving a hint
who might need to be contacted to shut off directed broadcasts.  Netflow
stats even show it as being ICMP ECHO traffic if you look at the numeric
codes in the flow export.  Once you know who is being attacked, you can
call your upstream providers or peers and have it traced, but if you want
the traffic stopped and the attack is flooding your pipe, about all you
can do is stop the traffic from getting to you, so if you are BGP peering
with your neighbors, withdraw the network announcement for the victim and
the rest of your customers can continue to get their traffic.  This doesn't
help trace in, although given how older cisco IOS code reacts to tossing
out unroutable packets, the intermediate hosts may find they have a
problem when their router CPU use hits 100%.

I too would rather have a good quick way to nail the people initiating
this sort of attack.  However I have also found that my customers who are
victims are seldom random and are usually doing something to attract the
attack, like running IRC bots or running a sendmail capable of being a
SPAM relay.  However I don't approve of vigilantism.  This stuff can be 
taken care of in other ways.

On Thu, 26 Mar 1998, Phil Howard wrote:

> > You could just withdraw your BGP announcement for the net being attacked
> > and suddenly the attack packets will die at the first router without a
> > default route on their way to the victim.
>
> ...along with everything else.  Do you have some way of determining which
> router that is?
>
> --
> Phil Howard | stop6729 () s5p0a6m6 org w2x8y9z0 () lame1ads net eat15me7 () no6place net
>   phil      | no12ads7 () nowhere0 com die6spam () nowhere3 edu no70ads3 () dumb1ads com
>     at      | eat06me3 () no20ads1 edu crash719 () no6where com stop4909 () anywhere net
>   milepost  | no12ads2 () anywhere org stop2ads () spam7mer net no0spam0 () no0where edu
>     dot     | blow0me5 () spam5mer org end6ads8 () lame4ads org no3way57 () no4where org
>   com       | stop7211 () no8where net suck8it5 () dumbads3 net eat69me1 () no16ads1 edu


--
Dan Boehlke, Senior Network Engineer                          M R N e t
Internet:  dboehlke () mr net                       A MEANS Telcom Company
Phone:  612-362-5814                  2829 SE University Ave. Suite 200
WWW: http://www.mr.net/~dboehlke/                Minneapolis, MN  55414
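The triage Dan describes above (sort flow records by destination to find the victim, read the sources as candidate broadcast-replicator nets, and check the numeric ICMP codes in the export), as an added example that is not from the original post. It runs over constructed NetFlow v5-style records and assumes the v5 convention of packing ICMP type*256+code into the destination-port field.

```python
import ipaddress
from collections import Counter

# Constructed NetFlow v5-style records (not real captures):
# (src, dst, proto, dstport, packets, bytes). For ICMP flows the v5 export
# packs type*256+code into dstport, so an echo reply (type 0) reads 0 and
# an echo request (type 8) reads 2048.
ICMP = 1
ECHO_REPLY, ECHO_REQUEST = 0, 8 * 256

SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 6, 80, 40, 32000),                 # web traffic
    ("198.51.100.7", "203.0.113.5", ICMP, ECHO_REPLY, 900, 1260000),
    ("198.51.100.9", "203.0.113.5", ICMP, ECHO_REPLY, 850, 1190000),
    ("198.51.100.22", "203.0.113.5", ICMP, ECHO_REPLY, 910, 1274000),
    ("192.0.2.77", "203.0.113.5", ICMP, ECHO_REPLY, 700, 980000),
    ("192.0.2.78", "203.0.113.5", ICMP, ECHO_REPLY, 650, 910000),
    ("203.0.113.5", "198.51.100.7", ICMP, ECHO_REQUEST, 1, 84),      # a normal ping
    ("192.0.2.10", "203.0.113.9", 17, 53, 300, 45000),               # DNS elsewhere
]

def bytes_by_destination(flows):
    """Total bytes per destination, busiest first; a flood victim floats to the top."""
    totals = Counter()
    for src, dst, proto, dport, pkts, nbytes in flows:
        totals[dst] += nbytes
    return totals.most_common()

def echo_reply_sources(flows, victim, prefix_len=24):
    """Echo-reply bytes toward `victim` aggregated by source /prefix_len network.
    Each network listed is a candidate directed-broadcast replicator to contact."""
    nets = Counter()
    for src, dst, proto, dport, pkts, nbytes in flows:
        if dst == victim and proto == ICMP and dport == ECHO_REPLY:
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
            nets[str(net)] += nbytes
    return nets.most_common()

def smurf_report(flows, reply_share=0.9):
    """(victim, replicator nets) when the busiest destination's traffic is
    overwhelmingly ICMP echo replies; None when the top talker looks ordinary."""
    (victim, total), *_ = bytes_by_destination(flows)
    replies = echo_reply_sources(flows, victim)
    reply_bytes = sum(b for _, b in replies)
    if total == 0 or reply_bytes / total < reply_share:
        return None
    return victim, replies

if __name__ == "__main__":
    print(smurf_report(SAMPLE_FLOWS))
```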
