Home page logo
/

nanog logo nanog mailing list archives

RE: The impending DDoS storm
From: Jason Frisvold <friz () corp ptd net>
Date: Wed, 13 Aug 2003 11:07:11 -0400

On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
More info:

-Opens a raw socket and spoofs its source address

It *appears* to us through current testing that the source address
spoofed is always within the class of the current subnet...  So, a
spoofing filter that denies all but the local subnet may only be
partially affective..

-Randomizes its source port, but destination is always TCP/80
-Does one DNS lookup on "windowsupdate.com" and then uses the IP
returned
-The window size is always 16384 (this might be useful)

It also looks like there is no throttling at all.. it abuses as much
bandwidth as it possibly can...


Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi () iss net 
404-236-3160
 
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================


-----Original Message-----
From: Jason Frisvold [mailto:friz () corp ptd net] 
Sent: Wednesday, August 13, 2003 10:50 AM
To: Ingevaldson, Dan (ISS Atlanta)
Cc: Stephen J. Wilcox; nanog () merit edu
Subject: RE: The impending DDoS storm


On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
It might be somewhat tricky to block TCP/80 going to 
windowsupdate.com.

I agree... but then, who needs updates anyways.. *grin*

Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi () iss net
404-236-3160
 
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================


-----Original Message-----
From: Stephen J. Wilcox [mailto:steve () telecomplete co uk]
Sent: Wednesday, August 13, 2003 10:38 AM
To: Jason Frisvold
Cc: nanog () merit edu
Subject: Re: The impending DDoS storm




On Wed, 13 Aug 2003, Jason Frisvold wrote:

All,

  What is everyone doing, if anything, to prevent the apparent
upcoming
DDoS attack against Microsoft?  From what I've been reading, and 
what
I've been told, August 16th is the apparent start date...

  We're looking for some solution to prevent wasting our network
resources transporting this traffic, but at the same time trying to 
allow legitimate through...

  So, is anyone planning on doing anything?

See previous discussion on filtering...


Other than that experience says if these things turn out to be big 
enough to cause an issue then they quickly burn themselves out anyway

Steve
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz () corp ptd net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]