Security Incidents mailing list archives

RE: DoS attack... what to do?


From: "Drumm, Daniel" <dgdrumm () bf umich edu>
Date: Tue, 4 Jan 2005 18:31:03 -0500

-----Original Message-----
From: Bernie Cosell [mailto:bernie () fantasyfarm com] 
Sent: Tuesday, January 04, 2005 6:04 PM
To: incidents () securityfocus com
Subject: Re: DoS attack... what to do?

On 4 Jan 2005 at 16:44, Mark C wrote:

1) Netsky's 5556 is TCP, so I'd fire up netcat or something and see if
actual 3-way handshakes happen.  If yes, then it's much less likely
that it's someone out in the world spoof SYNflooding you.  If no, then
I'd treat this as a SYNflood and trace backwards through the ISP,
you'll probably find it's coming from far fewer sources than you
think.

How do you do this?  If the packets coming in have forged source-IP
addresses, how do you trace them backwards?

  /Bernie\

-----------

His point was that when the host requests a SYN, it gets returned a SYN
ACK, which it will never ACK back correctly (unless it's doing accurate
sequence number guessing, which is hard), because the src-ip is actually
spoofed. So the src-ip is probably being randomly generated from a
number much less than 10,000 hosts. Maybe, say, 5.

Finding those 5 via the ISP is not as simple as dialing the ISP up and
saying "trace these back".  But some providers can use ACLs and find out
which peering network is the ingress for the packets. More sophisticated
ISPs have equipment like Cisco Riverhead technology to help combat DDoS
by looking at the packets/dst-ports themselves and choosing to suppress.


Some of the technology attempts to match the BGP announcement for a
given network block with where it ingressed (using BGP community and
AS-PATH information). Beyond just seeing RFC1918 src-ips, this gives SPs
the ability to determine if given flows are spoofed and try to shut
them down.

