RE: The impending DDoS storm

[Jason Frisvold <friz () corp ptd net>]

On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
> More info:
>
> -Opens a raw socket and spoofs its source address

It *appears* to us through current testing that the source address
spoofed is always within the class of the current subnet...  So, a
spoofing filter that denies all but the local subnet may only be
partially affective..

> -Randomizes its source port, but destination is always TCP/80
> -Does one DNS lookup on "windowsupdate.com" and then uses the IP
> returned
> -The window size is always 16384 (this might be useful)

It also looks like there is no throttling at all.. it abuses as much
bandwidth as it possibly can...

> Regards,
> ===============================
> Daniel Ingevaldson
> Engineering Manager, X-Force R&D
> dsi () iss net 
> 404-236-3160
>  
> Internet Security Systems, Inc.
> The Power to Protect
> http://www.iss.net
> ===============================
>
>
> -----Original Message-----
> From: Jason Frisvold [mailto:friz () corp ptd net] 
> Sent: Wednesday, August 13, 2003 10:50 AM
> To: Ingevaldson, Dan (ISS Atlanta)
> Cc: Stephen J. Wilcox; nanog () merit edu
> Subject: RE: The impending DDoS storm
>
>
> On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
> > It might be somewhat tricky to block TCP/80 going to 
> > windowsupdate.com.
>
> I agree... but then, who needs updates anyways.. *grin*
>
> > Regards,
> > ===============================
> > Daniel Ingevaldson
> > Engineering Manager, X-Force R&D
> > dsi () iss net
> > 404-236-3160
> >  
> > Internet Security Systems, Inc.
> > The Power to Protect
> > http://www.iss.net
> > ===============================
> >
> >
> > -----Original Message-----
> > From: Stephen J. Wilcox [mailto:steve () telecomplete co uk]
> > Sent: Wednesday, August 13, 2003 10:38 AM
> > To: Jason Frisvold
> > Cc: nanog () merit edu
> > Subject: Re: The impending DDoS storm
> >
> >
> >
> >
> > On Wed, 13 Aug 2003, Jason Frisvold wrote:
> >
> > > All,
> > >
> > >   What is everyone doing, if anything, to prevent the apparent
> > upcoming
> > > DDoS attack against Microsoft?  From what I've been reading, and 
> > > what
> > > I've been told, August 16th is the apparent start date...
> > >
> > >   We're looking for some solution to prevent wasting our network
> > > resources transporting this traffic, but at the same time trying to 
> > > allow legitimate through...
> > >
> > >   So, is anyone planning on doing anything?
> >
> > See previous discussion on filtering...
> >
> >
> > Other than that experience says if these things turn out to be big 
> > enough to cause an issue then they quickly burn themselves out anyway
> >
> > Steve
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz () corp ptd net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]

Attachment: signature.asc
Description: This is a digitally signed message part