nanog mailing list archives
RE: The impending DDoS storm
From: Jason Frisvold <friz () corp ptd net>
Date: Wed, 13 Aug 2003 11:07:11 -0400
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
More info:

-Opens a raw socket and spoofs its source address

It *appears* to us through current testing that the source address spoofed is always within the class of the current subnet... So, a spoofing filter that denies all but the local subnet may only be partially effective..

-Randomizes its source port, but destination is always TCP/80
-Does one DNS lookup on "windowsupdate.com" and then uses the IP returned
-The window size is always 16384 (this might be useful)
It also looks like there is no throttling at all.. it abuses as much bandwidth as it possibly can...
Regards,

===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi () iss net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

-----Original Message-----
From: Jason Frisvold [mailto:friz () corp ptd net]
Sent: Wednesday, August 13, 2003 10:50 AM
To: Ingevaldson, Dan (ISS Atlanta)
Cc: Stephen J. Wilcox; nanog () merit edu
Subject: RE: The impending DDoS storm

On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:

It might be somewhat tricky to block TCP/80 going to windowsupdate.com.

I agree... but then, who needs updates anyways.. *grin*

Regards,

-----Original Message-----
From: Stephen J. Wilcox [mailto:steve () telecomplete co uk]
Sent: Wednesday, August 13, 2003 10:38 AM
To: Jason Frisvold
Cc: nanog () merit edu
Subject: Re: The impending DDoS storm

On Wed, 13 Aug 2003, Jason Frisvold wrote:

All,

What is everyone doing, if anything, to prevent the apparent upcoming DDoS attack against Microsoft? From what I've been reading, and what I've been told, August 16th is the apparent start date... We're looking for some solution to prevent wasting our network resources transporting this traffic, but at the same time trying to allow legitimate through... So, is anyone planning on doing anything?

See previous discussion on filtering... Other than that experience says if these things turn out to be big enough to cause an issue then they quickly burn themselves out anyway

Steve
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz () corp ptd net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." -- Albert Einstein [1879-1955]
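The traffic fingerprint described in this message (destination TCP/80, constant window size 16384, random source port, source address spoofed inside the sender's own subnet) can be turned into defender-side logic. What follows is an added example, not code from the thread or from any of its participants: a hypothetical `egress_filter_passes` models the "deny all but the local subnet" ACL discussed above, and a per-destination SYN counter groups the surviving sources by /24 so that in-subnet spoofing, which the ACL cannot stop, still stands out. All packets are constructed inline using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Fingerprint reported in the thread: destination TCP/80, constant window
# size 16384, random source port, source spoofed within the local subnet.
SUSPECT_DPORT = 80
SUSPECT_WINDOW = 16384

def egress_filter_passes(pkt, local_net):
    """Hypothetical model of a 'deny all but the local subnet' egress ACL."""
    return ipaddress.ip_address(pkt["src"]) in local_net

def matches_fingerprint(pkt):
    """TCP SYN to port 80 carrying the fixed 16384 window."""
    return (pkt["dport"] == SUSPECT_DPORT and pkt["flags"] == "S"
            and pkt["window"] == SUSPECT_WINDOW)

def find_flood_targets(packets, min_syns=10, min_sources=5):
    """Count fingerprint SYNs per destination. A per-source threshold never
    trips when every packet spoofs a new source, so the signal is many
    distinct sources from one /24 all hitting the same destination."""
    by_dst = defaultdict(lambda: {"syns": 0, "sources": set(), "subnets": set()})
    for pkt in packets:
        if not matches_fingerprint(pkt):
            continue
        e = by_dst[pkt["dst"]]
        e["syns"] += 1
        e["sources"].add(pkt["src"])
        e["subnets"].add(str(ipaddress.ip_network(pkt["src"] + "/24", strict=False)))
    return {dst: {"syns": e["syns"], "distinct_sources": len(e["sources"]),
                  "subnets": sorted(e["subnets"])}
            for dst, e in by_dst.items()
            if e["syns"] >= min_syns and len(e["sources"]) >= min_sources}

def filter_then_detect(packets, local_net):
    """Apply the ACL first, then look for floods among what it let through."""
    return find_flood_targets([p for p in packets if egress_filter_passes(p, local_net)])

# Constructed sample (not a capture): one ordinary HTTP session, one off-subnet
# spoof the ACL drops, and 40 SYNs whose spoofed sources all sit in 192.0.2.0/24.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
SAMPLE = [
    {"src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.5", "dport": 80, "flags": "S", "window": 65535},
    {"src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.5", "dport": 80, "flags": "A", "window": 65535},
    {"src": "203.0.113.9", "sport": 1234, "dst": "198.51.100.7", "dport": 80, "flags": "S", "window": 16384},
] + [
    {"src": f"192.0.2.{1 + (i * 6) % 254}", "sport": 1024 + i * 1511,
     "dst": "198.51.100.7", "dport": 80, "flags": "S", "window": 16384}
    for i in range(40)
]
```

Running `filter_then_detect(SAMPLE, LOCAL_NET)` reports 198.51.100.7 with 40 SYNs from 40 distinct in-subnet sources, showing that the ACL removed only the single off-subnet packet.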