Home page logo

nanog logo nanog mailing list archives

RE: The impending DDoS storm
From: "Darren Richer" <dricher () personainc ca>
Date: Thu, 14 Aug 2003 14:35:36 -0400

Assuming cable operators have enabled:

cable source-verify
cable source-verify dhcp

for Cisco IOS based CMTSes, spoofing in the same subnet will be dropped at
the CMTS.  Other vendors have similar features to mitigate this possibility.
The worst a cable operator would likely from this see is some upstream
saturation since the packets aren't dropped until the CMTS.


Darren Richer
Director of Telecommunications
Persona Communications Inc.

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
Michael Painter
Sent: August 14, 2003 2:16 PM
To: flyman2 () corp earthlink net; nanog () merit edu
Subject: Re: The impending DDoS storm


----- Original Message -----
From: "Josh Fleishman" <flyman2 () corp earthlink net>
To: <nanog () merit edu>
Sent: Thursday, August 14, 2003 5:24 AM
Subject: RE: The impending DDoS storm

Has anyone determined a method for triggering the DOS attack manually?
We've attempted this by changing an infected machine's clock, however it
did not work on our test box.  If anyone has triggered the attack, do
you have a copy of the sniffed data stream?

It sounds like uRPF is going to be of very little benefit to blocking
the attack if the spoofed addresses come from the infected host's
subnet/parent subnet.


-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Mark Vallar
Sent: Wednesday, August 13, 2003 7:18 PM
To: nanog () merit edu
Subject: Re: The impending DDoS storm

Jack Bates Wrote:

I have no affiliation with Microsoft, nor do I care about their
services or products. What I do care about is a worm that sends out
packets uncontrolled. If there is the possibility that this "planned"
DOS will cause issues with my topology, then I will do whatever it
takes to stop it. The fact that user's can't reach windowsupdate.com
is irrelevant.

There will most likely be issues with a lot of networks.

I had a glimpse of what is to come on the 16th on Tuesday.  We have a
firewall customer that had an infected machine behind the firewall and
the RTC clock was set incorrectly to 8/16.  The firewall was *logging*
~50 attempts per second trying to connect on port 80 to
windowsupdate.com. Since the worm was sending from a spoofed source
address the firewall was denying the packets.  This customers network is
a /24 out of traditional Class B space and I was seeing random source
addresses from almost every IP out of the /16.

This is not a forensic analysis, just what I observed in the firewall

Is it a coincidence that 8/16 is a Saturday....I think not.  A lot less
personal on-site to deal with possible issues.

-Mark Vallar

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]