Security Incidents mailing list archives

Re: Been a victim of a DDoS


From: "Gustavo Monserrat" <seg () arnet net ar>
Date: Wed, 15 Aug 2001 11:46:08 -0300

It is actually crazy. :)

You're talking about something like a stateful inspection. It wouldn't work
for two reasons:

- First, sometimes traffic returns through a link that is not the one it
left our network from (unbalanced traffic).
- Second, it could take a huge amount of CPU and memory and could cause
quality service problems. We are your ISP, you wouldn't want that. :)

Regards,
Gustavo

----- Original Message -----
From: Kolus Maximiliano
To: 'Vitaly Osipov' ; Gustavo Monserrat
Cc: incidents () securityfocus com
Sent: Tuesday, August 14, 2001 4:34 PM
Subject: RE: Been a victim of a DDoS


Hello!
source icmp requests to some well-known amplifier networks, so each
request results in 10-100 replies directed to the victim. There is no
way to stop it though :) Try to contact admins of some networks which
        This may sound crazy, but could work:
        We agree that if there's an ICMP ECHO REPLY without an ICMP ECHO
REQUEST, something fishy is going on. If the gateway can store, let's say,
the last minute of echo requests, it can allow only replies that match the
requests in the table. I know it can take a lot of memory and CPU, but it
could work for medium-sized organizations. Another idea that will use CPU
and memory is keeping track of where they are coming from; smurf pings
broadcast addresses of vulnerable networks, thus we will be seeing a lot of
echo replies from the same network at once, and such a pattern could be
detected. And the last one: block the offending network _before_ the attack
using lists such as netscan's (http://www.netscan.org/).
--
Maximiliano A. Kolus
Network Administrator
<kolus.maximiliano () bcr com ar>
Bolsa De Comercio Rosario - Argentina
+54 341 4213471 / 78 ext 2291
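The two gateway-side ideas in Kolus's message (allow an ICMP echo reply only if a matching echo request left the network within the last minute, and flag a burst of unsolicited replies from one network) are sketched here as an added example; this is not code from the thread, from SecurityFocus or from any product. Packets are constructed dicts rather than parsed wire data, the 60-second window and the threshold of 20 replies per /24 are assumptions, and all addresses are documentation ranges.

```python
"""Stateful ICMP echo-reply filter with smurf-style burst detection (added example)."""
from collections import defaultdict, deque
import ipaddress

ECHO_REPLY = 0      # ICMP type values from RFC 792
ECHO_REQUEST = 8


class EchoFilter:
    """Tracks outbound echo requests and judges inbound echo replies.

    window: seconds an outbound request stays in the table (assumed 60).
    burst_threshold: unsolicited replies from one /24 inside the window
                     that raise an alert (assumed 20).
    """

    def __init__(self, window=60.0, burst_threshold=20):
        self.window = window
        self.burst_threshold = burst_threshold
        self._pending = {}                        # (peer, id, seq) -> time sent
        self._unsolicited = defaultdict(deque)    # "/24 network" -> arrival times

    def _expire(self, now):
        """Forget requests older than the window (the 'one minute' in the message)."""
        stale = [k for k, t in self._pending.items() if now - t > self.window]
        for k in stale:
            del self._pending[k]

    def outbound(self, pkt, now):
        """Record an echo request leaving the network; other ICMP is ignored."""
        if pkt["type"] == ECHO_REQUEST:
            self._pending[(pkt["dst"], pkt["id"], pkt["seq"])] = now

    def inbound(self, pkt, now):
        """Return ("allow" | "drop", alert_text_or_None) for an inbound ICMP packet."""
        self._expire(now)
        if pkt["type"] != ECHO_REPLY:
            return "allow", None            # only echo replies are policed here

        # A reply is legitimate if some host here sent a matching request recently.
        # The entry is kept until expiry so a ping to a broadcast address, which
        # legitimately yields many replies, is not cut off after the first one.
        if (pkt["src"], pkt["id"], pkt["seq"]) in self._pending:
            return "allow", None

        # Unsolicited reply: count it against its /24 to spot an amplifier network
        # answering all at once, as a smurf attack makes it do.
        net = str(ipaddress.ip_network(pkt["src"] + "/24", strict=False))
        arrivals = self._unsolicited[net]
        arrivals.append(now)
        while arrivals and now - arrivals[0] > self.window:
            arrivals.popleft()
        alert = None
        if len(arrivals) >= self.burst_threshold:
            alert = f"{len(arrivals)} unsolicited echo replies from {net} within {self.window:.0f}s"
        return "drop", alert


def simulate():
    """Run constructed traffic through the filter; returns the verdicts."""
    f = EchoFilter()
    me, peer = "192.0.2.10", "198.51.100.5"
    # Legitimate ping: request leaves, matching reply comes back 200 ms later.
    f.outbound({"type": ECHO_REQUEST, "src": me, "dst": peer, "id": 1, "seq": 1}, now=0.0)
    legit = f.inbound({"type": ECHO_REPLY, "src": peer, "dst": me, "id": 1, "seq": 1}, now=0.2)
    # 25 replies from hosts in 203.0.113.0/24 (a constructed amplifier network)
    # answering a request nobody here sent.
    flood = [
        f.inbound({"type": ECHO_REPLY, "src": f"203.0.113.{i}", "dst": me, "id": 7, "seq": 3},
                  now=1.0 + i * 0.01)
        for i in range(1, 26)
    ]
    # The same legitimate peer replying again after the window has expired.
    late = f.inbound({"type": ECHO_REPLY, "src": peer, "dst": me, "id": 1, "seq": 1}, now=61.0)
    return legit, flood, late


if __name__ == "__main__":
    legit, flood, late = simulate()
    print("legit:", legit)
    print("flood verdicts:", {v for v, _ in flood}, "first alert at reply", 1 + [a for _, a in flood].index(next(a for _, a in flood if a)))
    print("late:", late)
```

The table is keyed on the reply's source, id and sequence, so a forged request the victim never sent finds no entry no matter what id the amplifier echoes back. Gustavo's objection still stands against this design: the table lives on one gateway, so a reply that returns over a different link than the request left by is dropped as unsolicited, and every inbound ICMP packet costs a dictionary lookup plus a per-network deque update.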


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
