nanog mailing list archives

Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack


From: Tom Beecher <beecher () beecher cc>
Date: Thu, 22 Dec 2016 11:56:34 -0500

Jean sent me details. I won't share the link or password to it based on his
request, but he hasn't found anything new, and it's not even amplification
at all.

What he did was send 1500 byte ICMP packets with a max TTL at an IP address
that is not reachable due to a routing loop. No amplification is occurring;
it's just the same packets hanging around longer looking for free food
because of the TTL.

I think he _assumed_ amplification was happening because link utilization
between his lab routers doing the looping was increasing. Totally expected
when you're using --flood and in a lab environment where the TTL entering
the loop is still above 250. :)

On Thu, Dec 22, 2016 at 11:48 AM, William Herrin <bill () herrin us> wrote:

On Thu, Dec 22, 2016 at 11:04 AM, Ken Chase <math () sizone org> wrote:
Maybe he's found what's already known and posted 2 months ago (and every
2 months?) on nanog, the TCP 98,000x amplifier (which is a little higher
than 100x), among dozens of misbehaving devices, all >200x amp.

 https://www.usenix.org/system/files/conference/woot14/woot14-kuhrer.pdf

Hi Ken,

He said, "There is no need for spoofing" so it wouldn't be that one.


Jean,

Respectfully: you're not well known to us as having identified
earth-shattering vulnerabilities in the past. We hear about utterly
unimportant "priority one" events every single day, so without enough
information to assess whether what you're looking at is something new,
important or even possible within our various architectures, few of us
will be inclined to take you seriously.

We're all too familiar with the consequence of giving credence to
people who say "believe me" instead of offering verifiable fact.

I respect that you're trying to help, but "I have something important
to tell you, please contact me off list" is not the way to do that.

And if it turns out we should have listened and kept this secret as
long as possible, well, that's on us. ;)

Regards,
Bill Herrin



--
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
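As an added illustration of what Tom describes above (this is example code written for this archive page, not something posted in the thread or run by Jean), the model below bounces a single packet through a forwarding loop, decrementing TTL at each router, and counts how many times each link carries it. The "amplification" Jean saw is just that per-link count: the same 1500 bytes crossing the same wire up to ~125 times per direction in a two-router loop when the TTL entering the loop is still around 250. For contrast, the block also computes the bandwidth amplification factor (BAF) in the sense of the Kührer et al. WOOT '14 paper Ken linked, i.e. bytes toward the victim divided by bytes the attacker sent. The only "response" a loop ever produces is the ICMP Time Exceeded from the router that finally drops the packet; its size (56 bytes) and the flood rate used are assumptions for the example. Nothing here sends traffic.

```python
"""Toy model of a routing loop versus a real amplifier.

Added example for the NANOG thread above; not from the thread itself.
Assumptions: every router decrements TTL by one and forwards only while
the decremented TTL is still >= 1 (RFC 791 behaviour), and the router
that drops the packet returns one ICMP Time Exceeded of about 56 bytes
(20 IP + 8 ICMP + 28 bytes of the original datagram; vendors may quote
more of the original packet).
"""

PKT_BYTES = 1500                 # packet size used in the thread
ICMP_TIME_EXCEEDED_BYTES = 56    # ASSUMPTION, see module docstring


def forwards_before_expiry(ttl_in: int) -> int:
    """A packet arriving at the first looping router with TTL t is put on a
    wire t-1 times: decremented values t-1 .. 1 are forwarded, 0 is dropped."""
    return max(ttl_in - 1, 0)


def per_link_load(ttl_in: int, loop_hops: int) -> list:
    """Walk one packet around a loop of `loop_hops` routers (router i has a
    link to router (i+1) mod loop_hops) and return, per link, how many times
    that link carried the packet before TTL expired."""
    if loop_hops < 1:
        raise ValueError("a loop needs at least one router")
    link_counts = [0] * loop_hops
    ttl = ttl_in
    router = 0
    while True:
        ttl -= 1                       # router decrements TTL
        if ttl <= 0:
            break                      # dropped here; one ICMP Time Exceeded goes back
        link_counts[router] += 1       # forwarded on link router -> next
        router = (router + 1) % loop_hops
    return link_counts


def link_multiplier(ttl_in: int, loop_hops: int) -> int:
    """How many times the busiest loop link carries each injected packet.
    This is the factor that shows up on an interface graph and looks like
    amplification; no new bytes are created."""
    return max(per_link_load(ttl_in, loop_hops))


def link_load_bps(ttl_in: int, loop_hops: int, pkt_bytes: int, pps: int) -> int:
    """Bits per second on the busiest loop link for a flood of `pps` packets
    of `pkt_bytes` entering the loop with TTL `ttl_in`."""
    return link_multiplier(ttl_in, loop_hops) * pkt_bytes * 8 * pps


def bandwidth_amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """BAF as in Kührer et al. (WOOT '14): bytes delivered toward the target
    divided by bytes the attacker had to send. > 1 means amplification."""
    return response_bytes / request_bytes


def loop_baf(pkt_bytes: int = PKT_BYTES) -> float:
    """For a routing loop the only reply is a single ICMP Time Exceeded,
    so the BAF is well below 1: the loop is not an amplifier."""
    return bandwidth_amplification_factor(pkt_bytes, ICMP_TIME_EXCEEDED_BYTES)


if __name__ == "__main__":
    # Lab case from the thread: TTL still ~250 when it enters a 2-router loop,
    # flooded at an assumed 1000 pps (12 Mbit/s of input).
    print("per-link carries:", per_link_load(250, 2))            # [125, 124]
    print("link load Mbit/s:", link_load_bps(250, 2, PKT_BYTES, 1000) / 1e6)
    # Same packet after ~20 Internet hops: much less time in the loop.
    print("per-link carries at TTL 235:", per_link_load(235, 2))
    print("BAF of the loop:", round(loop_baf(), 3))               # < 1
```

The two numbers to compare are the link multiplier (large, because the input bandwidth is re-used on one wire for the packet's remaining lifetime) and the BAF (small, because the attacker gets back nothing bigger than what was sent). Only the second one is what an amplification attack is measured by.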


