Home page logo
/

nanog logo nanog mailing list archives

Re: NSPs and filters
From: Adrian J Bool <aid () u-net net>
Date: Sun, 13 Jul 1997 09:53:11 +0100 (BST)

On Sat, 12 Jul 1997, Jon Lewis wrote:

On Sat, 12 Jul 1997, Phil Howard wrote:

It isn't, or shouldn't be, an issue of whether the customer wants this
kind of service.  This is protection FROM that customer.  The principle
reason to not do this is the load it causes on the router.

Should it be discovered that source forged packets are coming from a given
customer, then you could apply this to that customer if they are not going
to just be summarily cut off.

The trouble is, unless you are silly enough to attack your own provider,
it seems unlikely that they will know you are spoofing.  i.e. In my
current situation, I doubt UUNet's ability or willingness to track these
packets to their source.

Hi, On Friday our network was suffering an identical attack as yours.  We 
are a UU-NET customer.  Once I had traced the exact neture of the attack, 
port numbers etc, I contacted UU-NET who *did* trace the source of the 
attack to one of their customers - I think inside AS701.

I was pretty impressesed - took them about an hour - I didn't overly think
that they would find the source but they located it down - with some help
from the source customer to the individual machine. I doubt it is the same
person doing the attacks as the source port for us was 13 (?) and the size
of udp packet was 1000 - but both attacks probably from the same program. 

Is there any way to put the originating AS into the (options part?) 
header of all ip packets as they leave one's border routers?  If tcpdump 
could then extract this informaton (which could only be forged by a very 
small minority of people on the network) tracing such attacks woukd a be 
a lot easier... I suppose adding that info into teh ip header would cause 
far too much load on the exit routers though?

Regards,

aid

Here's a breif snippit from just a minute ago:

12:19:13.494446 49.0.94.105.666 > 205.229.58.133.7: udp 1450 (ttl 244, id
31674)
12:19:13.504446 12.206.160.94.666 > 205.229.58.133.7: udp 1450 (ttl 244,
id 31675)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]