nanog mailing list archives

Re: Growing DoS attacks

From: Tom Sands <tsands () rackspace com>
Date: Thu, 17 Jan 2002 07:43:50 -0600



    The DDOS attacks we see are generally a mixture.  I couldn't care less about the
ICMP (which are frequent) since we already rate-limit that, and protect against Smurf
attacks as well.  UDP and SYN floods are harder to try and prevent or rate-limit with
our type of customer base.  The destination of our DDOS attacks vary greatly,
normally we don't see the IRC servers as the overwhelming majority.

    Spammers, shell hosts, our equipment, and even just normal web sties (that others
may not like) are all equal targets of DDOS attacks.  Granted there are always the
repeat offenders.

    Most of the details I have been able to see from DDOS attacks are just logs of
Source/Destination IP and packet type, not an actual packet capture to be able to
examine the packet.  I would be interested in knowing what article you read also.


Avleen Vig wrote:

On Wed, 16 Jan 2002, Paul Froutan wrote:

Hello all,
Can some of you with larger networks let me know about the volume of the
DoS attacks you have experienced lately?  Our experience has been that the
volume (not just occurrence) is going up significantly and I'm curious on
the size of attacks that people are experiencing.  For reference, while a
year or two ago we used to get 50-100 meg attacks, now we're getting 500+ megs.


I don't run a large network, but I am curious and will help where
possible.
Are you able to say what kind of DoD attacks are taking place?
ICMP Floods? TCP Floods? UDP Floods? A mixture?

If you feel the src addr is spoofed, have you taken a packet capture and
looked for similarities in the packets?
I read a paper about 5 months ago where someone had worked very hard at
analysing the differences in packets generated by various DoS agents.
Maybe you should attempt to trace them back?

If they are Smurf attacks, I may be able to help more, let me know.

--
Avleen Vig
Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf


--
Tom Sands
Chief Network Engineer
RackSpace Managed Hosting
tsands () rackspace com
(210)892-4000

Current thread:

Re: Growing DoS attacks, (continued)
- Re: Growing DoS attacks Barb Dijker (Jan 16)
  - Re: Growing DoS attacks Jared Mauch (Jan 16)
    - Re: Growing DoS attacks Vincent Gillet (Jan 17)
    - Message not available
    - Re: Growing DoS attacks Vincent Gillet (Jan 17)
    - Re: Growing DoS attacks Jared Mauch (Jan 17)
    - Re: Growing DoS attacks Joe Abley (Jan 17)
    - Re: Growing DoS attacks Vincent Gillet (Jan 17)
    - Re: Growing DoS attacks Joe Abley (Jan 17)
    - Re: Growing DoS attacks Barb Dijker (Jan 17)
- Re: Growing DoS attacks Avleen Vig (Jan 16)
  - Re: Growing DoS attacks Tom Sands (Jan 17)
- Re: Growing DoS attacks Pascal Gloor (Jan 16)
  - Re: Growing DoS attacks Paul Timmins (Jan 16)
    - Re: Growing DoS attacks Jared Mauch (Jan 16)
    - Re: Growing DoS attacks Avleen Vig (Jan 16)
  - Re: Growing DoS attacks Eric Whitehill (Jan 16)
- RE: Growing DoS attacks LeBlanc, Jason (Jan 16)