Home page logo
/

nanog logo nanog mailing list archives

Re: Are we really this helpless? (Re: isprime DOS in progress)
From: Danny McPherson <danny () tcb net>
Date: Fri, 23 Jan 2009 21:53:32 -0700


On Jan 23, 2009, at 9:10 PM, Christopher Morrow wrote:

On Fri, Jan 23, 2009 at 10:31 PM,  <Valdis.Kletnieks () vt edu> wrote:
On Fri, 23 Jan 2009 18:33:14 PST, Seth Mattinen said:

Back to my original question: is there really not a better solution?

Well, we *could* hunt down the perpetrators, pool some $$, and hire 3 or 4 baseball-bat wielding professional explainers to go explain our position to them. Figuring out how to do so without breaking any laws is the tough part...

Step one, find a device on your netowrk seeing the traffic
step two, follow the stream(s) of traffic back to its ingress
(hopefully a customer link on your network)
step three, watch for associated traffic to the source of the dns
queries, correlate this with other sources on your network to
find/identify the control point for this effort.

You missed one..  Step 4: enable BCP 38 or similar
ingress source address spoofing mitigation mechanism
on all customer ingress interfaces (note: uRPF *loose*
mode no-fixie these attacks) - as you should have had
in the first place such that you didn't have to trace
those spoof packets step-by-step back through your
network.

No more excuses, people..

-danny



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]