nanog mailing list archives
Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
From: Danny McPherson <danny () tcb net>
Date: Wed, 2 Jun 2004 11:39:39 -0600
On Jun 2, 2004, at 10:56 AM, Richard A Steenbergen wrote:
> What people may be seeing is that poorly randomized source attacks are being automatically filtered by uRPF loose or other means before they ever reach the target. I keep track of my network border filter counters, and believe me spoofed attacks are not going out of style,
How do you discriminate *DDOS attacks employing source address spoofing* from broken NATs, rampant worms, PMTU and other related misconfiguration resulting in backscatter and similar garbage - with filter counters? Given, tactically deployed filters in order to mitigate a specific attack to a particular destination would likely glean some value WRT the validity of the source distribution for a given attack, but not generally deployed filters for any destination.

And exactly what represents "spoofed" by your definition? Note again that I explicitly called out **DDOS attacks employing source address spoofing**, which is non-inclusive of spoofing in general employed by worms and the like, or common misconfigurations and brokenness that results in the slew of random garbage floating about.
> especially from foreign and certain smaller networks.
I'd be extremely interested in any empirical evidence you have to support this, and in better understanding exactly how you determined "foreign and certain smaller networks" were indeed the source of many of these spoofed packets.
> As a customer of someone who does this kind of filtering and maintains sufficient border capacity, you may never see the gigabits of src bogons, protocol 0 or 255, port 0, 40 byte syns w/no MSS option, etc, and assume that these attacks are out of style because the only ones that get through are the WinXP MSS+SACK unforged drone SYNs.
I agree, if it's filtered before someone observes it, it won't be observed :-)

However, distinguishing between coordinated DDOS attacks that employ source address spoofing and "run of the mill" spoofing (by worms and the like) or simple misconfiguration of some sort resulting in "backscatter" is key.

-danny
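The filter classes named in the quoted text (bogon sources, protocol 0 or 255, port 0, 40-byte SYNs with no MSS option) and the point that aggregate border counters cannot separate a spoofed DDOS from backscatter, as an added example that is not part of the thread: a small Python classifier that tags each packet with the filter class it would hit, then reports per-destination source dispersion, which is the view a tactically deployed per-destination filter gives and an aggregate counter hides. The packet summaries, tuple layout and bogon list are constructed for the example.

```python
"""Added example, not from the NANOG thread: tag packets with the border
filter classes from the discussion and aggregate per destination."""
import ipaddress
from collections import defaultdict

# Constructed packet summaries:
# (src, dst, proto, sport, dport, ip_len, tcp_flags, has_mss_option)
SAMPLE = [
    ("0.0.0.0",      "203.0.113.10", 6, 1234, 80, 40, "S",  False),  # bogon + bare SYN
    ("10.9.8.7",     "203.0.113.10", 6, 4321, 80, 40, "S",  False),  # RFC1918 source
    ("198.51.100.5", "203.0.113.10", 0, 0,    0,  20, "",   False),  # protocol 0
    ("198.51.100.6", "203.0.113.10", 6, 0,    80, 40, "S",  False),  # port 0 + bare SYN
    ("198.51.100.7", "203.0.113.10", 6, 2000, 80, 48, "S",  True),   # XP-style SYN w/ MSS
    ("198.51.100.8", "203.0.113.20", 6, 80, 5555, 40, "SA", False),  # looks like backscatter
    ("198.51.100.8", "203.0.113.21", 6, 80, 5556, 40, "RA", False),  # looks like backscatter
]

# Constructed, illustrative bogon list (not a maintained feed).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3")]

def classify(pkt):
    """Return the filter classes a packet would hit (empty list = passes)."""
    src, dst, proto, sport, dport, ip_len, flags, has_mss = pkt
    tags = []
    if any(ipaddress.ip_address(src) in net for net in BOGONS):
        tags.append("src-bogon")
    if proto in (0, 255):
        tags.append("proto-0/255")
    if proto in (6, 17) and 0 in (sport, dport):
        tags.append("port-0")
    # 40 bytes = 20-byte IP header + 20-byte TCP header, i.e. a SYN with no options.
    if proto == 6 and flags == "S" and ip_len == 40 and not has_mss:
        tags.append("bare-syn-no-mss")
    return tags

def per_destination(pkts):
    """Per dst: (packets, distinct sources, packets hitting a filter class).
    A dst with many distinct sources and a high filtered share is the spoofed-
    DDOS pattern; backscatter instead shows one source hitting many dsts."""
    stats = defaultdict(lambda: {"pkts": 0, "srcs": set(), "filtered": 0})
    for p in pkts:
        s = stats[p[1]]
        s["pkts"] += 1
        s["srcs"].add(p[0])
        s["filtered"] += 1 if classify(p) else 0
    return {d: (v["pkts"], len(v["srcs"]), v["filtered"]) for d, v in stats.items()}
```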