Re: Growing DoS attacks

["Michael Painter" <tvhawaii () shaka com>]

Has anyone tried running something like this?

http://www.hackbusters.net/LaBrea/


----- Original Message ----- 
From: "Clayton Fiske" <clay () bloomcounty org>
To: "Jared Mauch" <jared () puck Nether net>
Cc: "Paul Froutan" <pfroutan () rackspace com>; <nanog () merit edu>
Sent: Wednesday, January 16, 2002 12:23 PM
Subject: Re: Growing DoS attacks


> On Wed, Jan 16, 2002 at 01:18:14PM -0500, Jared Mauch wrote:
> > are you seeting these attacks be related to the lack of
> > anti spoofing filters?  where do they tend to be originating these
> > days?
> >
> > i suspect that 1) smurf amps that are still not fixed, 2)
> > high speed connectivity at homes (cable, .. some dsl still,) are allowing
> > people to send spoofed packets at higher rates.
> >
> > that combined and the number of windows based servers that
> > have been exploited (nimda, etc..) and those can be used also to send
> > spoofed packets at higher rates.
>
> Our network is pretty much entirely end users. At the moment, we're
> seeing a non-spoofed DDoS attack that's been ongoing for several days.
> I've been trying to track and block, but the problem is that it seems
> to be many different users with infected machines and only one or two
> at a time are actually sending packets (SYNs at that, so not so easy
> to blanket filter even in the short-term) at any given time. I watched
> it for several hours and I would see one user send 10-50k packets then
> stop, then the next user, etc. In the whole time I was watching I never
> saw the same IP twice. I thought it could be spoofing, but as I ran
> pings on whichever source IP I saw I got no response, then when they
> stopped attacking I would start to get ping responses. I'm still at it,
> but as I approached 100 unique sources I realized there's probably not
> a lot of hope of effectively blocking it. I could filter the destination
> for that entire pop, but:
>
> a) I can almost guarantee I would be "administratively prohibited" from
>    doing so, given the popularity of the site in question.
>
> b) It's a major website with gobs of bandwidth, which thus far seems
>    entirely unaffected by the attack. I am contacting them to verify
>    this, but every time I've checked the page comes up instantly and
>    there's no latency to speak of in traceroutes.
>
> c) The amount of time the filter would have to stay in place is
>    unknown (so same reason as a) basically) because of the amount
>    of administrative hassle to track down every user and not only
>    block them but also get them to fix it (which, without having any
>    real idea what agent they're running, will be difficult in itself).
>
> We are still working at this, but I'm wondering whether any other DSL
> or cable providers out there are seeing similar.
>
> -c