nanog mailing list archives
Re: DDoS attacks, spoofed source addresses and adjusted TTLs
From: Mike Tancsa <mike () sentex net>
Date: Wed, 03 Aug 2005 17:13:22 -0400
At 04:55 PM 03/08/2005, Christopher L. Morrow wrote:
> hops away, the TTL of the packet when it got to me was 56). Yes, I know > those could be adjusted in theory to mask multiple sources, but in practice > has anyone seen that ? what exactly was the question?
You answered it mostly-- what do people see in the real world-- plain jane unadulterated packets, or spoofed / manipulated ones. Of all the attacks I have suffered through, they all seemed to be from legit IP addresses save one and that was some time ago. However, except for 2 people in about 4 years, I have never gotten a response from various NOC/Abuse desks as to whether or not the attacking IPs I identified were in fact part of the attack or were spoofed.
However, in the cases where I had customer PCs participating in attacks, there seems to be a higher percentage of random source addresses (which get dropped before they leave my network). Have that many networks implemented RPF as to make spoofed addresses moot ?
---Mike
Current thread:
- DDoS attacks, spoofed source addresses and adjusted TTLs Mike Tancsa (Aug 03)
- Re: DDoS attacks, spoofed source addresses and adjusted TTLs Christopher L. Morrow (Aug 03)
- Re: DDoS attacks, spoofed source addresses and adjusted TTLs Mike Tancsa (Aug 03)
- Re: DDoS attacks, spoofed source addresses and adjusted TTLs Christopher L. Morrow (Aug 03)
- Re: DDoS attacks, spoofed source addresses and adjusted TTLs Mike Tancsa (Aug 03)
- Re: DDoS attacks, spoofed source addresses and adjusted TTLs Christopher L. Morrow (Aug 03)