nanog mailing list archives

RE: dsl providers that will route /24


From: Jason Slagle <raistlin () tacorp net>
Date: Thu, 29 Mar 2001 21:10:34 -0500 (EST)




-- 
Jason Slagle - CCNP - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin () tacorp net - jslagle () toledolink com - WHOIS JS10172
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ /   ASCII Ribbon Campaign  . If dreams are like movies then memories
 X  - NO HTML/RTF in e-mail  .   are films about ghosts..
/ \ - NO Word docs in e-mail .     - Adam Duritz - Counting Crows


On Thu, 29 Mar 2001, David Schwartz wrote:

      They could do almost exactly the same amount of damage with an unspoofed
UDP flood and it would still take a human action to stop it. The attack can
still hop from victim to victim until the problem is stopped at its source.
The problem still won't get stopped at its source until someone with the
ability to stop it is summoned and alerted to the problem.

      Odds are, an attacker will use spoofed packets if he can. Potentially
spoofed packets will trigger an investigation on my network. An unspoofed
UDP flood probably won't (especially if it hops from victim to victim).

      So if the attacker uses spoofed packets, he may get cut off at the source
(and the problem actually solved) sooner. On the other hand, unspoofed
packets will probably trigger a call to the administration of the source
network faster. Of course, you don't know that the attack is unspoofed, so you
really can't be sure what the source is.

I can argue the converse of this.

Unless the attacker is spoofing a static source, I can usually spot a
potentially unspoofed attack.  Even if he IS using a static spoofed
source, it only costs me a little bit to call and see if the packets are
indeed coming from the machine in question.

If I'm being attacked hard, chances are, I will notice it before you
examine your logs, unless like I said you have someone monitoring them 24
hours a day.  I will then try to wake up a live body on your end to
investigate.

If the packets are spoofed, I have to wait for you to examine your logs to
potentially stop it, or attempt to get an upstream to do a traceback,
which is a long drawn out process.

Personally, I prefer to leave the ability to determine the likely source
of a non random attack in my hands, not waiting for you to view your logs.

And nothing says I CAN'T log if I deny spoofed packets, therefore catching
them when they try spoofed packets before realizing they won't work.

Jason
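The two points argued above, an edge anti-spoof filter that denies and logs sources outside the customer's assigned space, and the victim-side "one dominant source versus many sources" judgement used to decide whether to call a peer or ask an upstream for a traceback, as an added example that is not part of the thread. The prefixes and flow records are constructed from documentation address space; `egress_filter`, `classify_flood` and the 90% dominance threshold are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed: address space assigned to the customer port being filtered.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed flow records as (src, dst, packets); not real traffic.
FLOWS = [
    ("192.0.2.10",   "203.0.113.5", 120),   # legitimate, inside assigned space
    ("203.0.113.77", "203.0.113.5", 4000),  # source not ours: spoofed attempt
    ("10.9.8.7",     "203.0.113.5", 3500),  # spoofed (private source)
    ("192.0.2.66",   "203.0.113.9", 9000),  # unspoofed flood from one host
]

def egress_filter(flows, prefixes):
    """Edge anti-spoof check: a packet leaving the customer port must carry a
    source inside the customer's prefixes. Returns (allowed, logged_denials);
    the denial log is what catches an attacker who tries spoofing first."""
    allowed, denied = [], []
    for src, dst, pkts in flows:
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in prefixes):
            allowed.append((src, dst, pkts))
        else:
            denied.append({"src": src, "dst": dst, "pkts": pkts,
                           "reason": "source outside assigned prefixes"})
    return allowed, denied

def classify_flood(flows, min_pkts=1000, dominance=0.9):
    """Victim-side view: per destination above min_pkts, a single source
    carrying >= `dominance` of the packets reads as likely unspoofed (call that
    network's admin); spread-out sources read as possibly spoofed (needs an
    upstream traceback). Caveat from the thread: a static spoofed source is
    indistinguishable here, so the 'likely' verdict still needs confirming."""
    per_dst = defaultdict(Counter)
    for src, dst, pkts in flows:
        per_dst[dst][src] += pkts
    verdicts = {}
    for dst, srcs in per_dst.items():
        total = sum(srcs.values())
        if total < min_pkts:
            continue
        top_src, top_pkts = srcs.most_common(1)[0]
        if top_pkts / total >= dominance:
            verdicts[dst] = ("likely_unspoofed", top_src)
        else:
            verdicts[dst] = ("possibly_spoofed", None)
    return verdicts
```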
