Home page logo

nanog logo nanog mailing list archives

Re: What do you want your ISP to block today?
From: Ray Wong <rayw () rayw net>
Date: Sat, 30 Aug 2003 00:54:27 -0700

On Sat, Aug 30, 2003 at 08:33:54AM +0200, Iljitsch van Beijnum wrote:
What would be great though is a system where there is an automatic 
check to see if there is any return traffic for what a customer sends 
out. If someone keeps sending traffic to the same destination without 
anything coming back, 99% chance that this is a denial of service 

Eh?  Have you ever run a mailing list?  The majority of subscribers
NEVER post.  Those who do, post prior to the large quantity of traffic
originates.  I suppose the latter can be accounted for using positronic
equipment instead of electronic. =)   Legit mailing lists may not be
99% of total traffic, but they're sure a good chunk of legit email.

attack. If someone sends traffic to very many destinations and in more 
than 50 or 75 % of the cases nothing comes back or just an ICMP port 
unreachable or TCP RST, 99% chance that this is a scan of some sort.

Sure, and I scan my systems from outside all the time. I'm looking for
validation that my system has NOT started listening on ports I don't
run services on.  It's called external monitoring, and is rather useful
in letting me get a good night's sleep.  Could I do it locally?  Sure,
but I'd still need a way to verify my sites can be reached from other
places.  If you want to know how TCP is working to a destination, you
have to use TCP to test it.  When I'm working a half dozen part-time
contracts, each of whom has multiple servers scattered around the
country, this traffic may well be nearly continuous.  My employers
will "know" about this (it'll be in some memo that no one read), but I'm
not going to find every transit provider I cross to warn them, too much
hassle.  I'm probably not even going to tell my ISP, as it's none of
their business.

Are those patterns common among DOS/DDOS?  Sure.  You'll need to do more
analysis than that to determine if that's, in fact, what you have.  Scans
by themselves certainly aren't inherently dangerous.  Heavy levels of them?
Well, who gets to define "heavy?"  A cracker might need only 2 or 3 scans
to get the info needed to attack a site.  I probably need a few hundred a
day to verify said cracker hasn't succeeded.  A script kiddie might run
hundreds, or more, or less.


Ray Wong
rayw () rayw net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]