nanog mailing list archives
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
From: Rob Thomas <robt () cymru com>
Date: Sat, 18 Jan 2003 15:21:42 -0600 (CST)
Hi, NANOGers.

You just knew I couldn't stay out of this thread for long. ;)

] I'd note that UUNET also went through some pain to push CPE configs with
] 'good' passwds for telnet and enable, now there are tens (perhaps
] hundreds) of CPE routers with 'cisco' as the vty passwd... Don't

During the year 2002 I added at least 17683 compromised Cisco routers to my hacked device database. One bot included a list of 2827 compromised Cisco routers for use as bounces. Most of these are CPE routers, not ISP-managed routers. All of them had cisco/cisco as the login and password.

This isn't limited to Cisco routers, however. I collected an impressive list of broadband and other vendor routers as well, for a total of just over 30K compromised routers in 2002.

As Chris points out, this is an issue that requires vigilance beyond teams at ISPs.

] addresses... Rob Thomas has some good data on attacks against IRC
] servers and other hosts on the internet, his data last I recall was
] something like 80% of attacks use spoofed addresses, though more and more

In 2002 I logged several thousand DDoS attacks. Approximately 70% used bogon source addresses or spoofing, but that trend was changing by the end of the year. In 2003 I have logged approximately 267 DDoS attacks, NONE of which used spoofing.

Does anti-spoofing help? Absolutely! Is it a cure-all? No. The combination of very large (circa 94K) botnets and DoSnets and the failure of many providers to respond to abuse alerts means that the miscreants don't generally need to spoof.

A study I performed of an often-attacked site showed that a bit over 60% of all the naughty packets were from _obvious_ bogon addresses. The total amount of spoofing is difficult to deduce. You can view the data included in a presentation here:

http://www.cymru.com/Presentations/60Days.ppt
http://www.cymru.com/Presentations/60Days.zip

Blocking spoofing and bogons (remember, uRPF works best if the RIB is free from garbage) is worth the time. Building a strong and motivated security team is even more valuable. :)

] For those that wonder 'how would you track that? It's spoofed!' please
] visit: http://www.secsup.org and read the provided links... its simple,

This is an excellent resource, and I encourage everyone to review it. Tracking spoofed-source attacks is far easier than you may believe. I have a lesser and rather lame method here:

http://www.cymru.com/Documents/tracking-spoofed.html

The method from UUNET is far superior. :) The point is that spoofed source packets can be tracked.

All that aside, the method and ease of tracking makes no difference if the source of pain is unwilling or unable to respond. I'm certain everyone now realizes that Internet security is all about "The Other Guy."

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
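An added example, not part of the original post or of any tool it mentions: one way to measure what share of logged attack packets came from obvious bogon sources, the kind of figure the message cites. The flow-line format, the sample records and the static prefix list are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: a static subset of reserved IPv4 space. A production list must
# also track unallocated space, which changes over time. The documentation
# prefixes are left out because the sample uses them as stand-in routable hosts.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample, one flow per line: "source destination protocol packets"
SAMPLE_FLOWS = """\
10.44.1.9 192.0.2.10 udp 4000
172.20.5.5 192.0.2.10 udp 1500
0.12.3.4 192.0.2.10 tcp 500
203.0.113.20 192.0.2.10 tcp 3000
198.51.100.99 192.0.2.10 udp 1000
not-an-ip 192.0.2.10 udp 10
"""

def classify(addr):
    """Return the bogon prefix containing addr, or None if it is not a bogon."""
    for net in BOGON_PREFIXES:
        if addr in net:
            return net
    return None

def bogon_share(text):
    """Return (bogon share of packets, packets per bogon prefix)."""
    per_prefix, total = Counter(), 0
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # wrong field count: skip rather than guess
        try:
            src, pkts = ipaddress.ip_address(fields[0]), int(fields[3])
        except ValueError:
            continue  # unparseable source or packet count: excluded from totals
        total += pkts
        hit = classify(src)
        if hit is not None:
            per_prefix[str(hit)] += pkts
    share = sum(per_prefix.values()) / total if total else 0.0
    return share, per_prefix

if __name__ == "__main__":
    share, per_prefix = bogon_share(SAMPLE_FLOWS)
    print(f"bogon share: {share:.0%}", per_prefix.most_common())
```

The per-prefix counts show which filter entries would have dropped the most traffic at the edge; the non-bogon remainder is what has to be handled by tracing and abuse reports.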