Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Denial of service attacks apparently from UUNET Netblocks

  • From: Barney Wolff
  • Date: Wed Oct 08 18:29:46 1997

Let me try again, since it seems I wasn't clear enough.  There's been
a lot of delightful talk about whether/how to retrieve the calling phone
on a given port.  But none about how to determine with confidence which
port the nasty packets come from.  Without source address assurance,
any user on any port of any dialin box can source packets with any IP
address(es) desired.  So you don't know which port to go get ANI/CLID
for.

What is also not explained is how to produce multi-megabit streams from
dialup.  MP?  Multiple independent calls?  Ping to broadcast with faked
source address?  Or was the attack not from dialup at all?  In other
words, I don't know why this attack generated a debate about ANI/CLID.

Barney Wolff

> Date: Wed, 8 Oct 1997 10:33:16 -0500 (CDT)
> From: Joe  Shaw <jshaw@insync.net>
> To: Barney Wolff <barney@databus.com>
> Cc: nanog@merit.edu
> Subject: Re: Denial of service attacks apparently from UUNET Netblocks
> Content-Length: 1151
> 
> On Tue, 7 Oct 1997, Barney Wolff wrote:
> > > Date: Tue, 7 Oct 1997 12:04:27 -0400 (EDT)
> > > From: Alex Przekupowski <oop@idt.net>
> > > 
> > > On the MAX's that I have set up, I log that info to syslog (Local 7), and
> > > can pull it up at will.  If you need a hand, just let me know.  By
> > > combining the syslog output, and the RADIUS accounting logs, we can
> > > definately prove at least the home address of the attacker.
> > 
> > How are you providing source address assurance, on either a MAX or a TNT?
> > My understanding, which may well be flawed, is that the only way is with
> > a filter.  I have heard claims, which may also be flawed, that filters
> > have a severe performance impact on MAX and TNT.
> > 
> > Without source address assurance, how do you know that the packets are
> > actually coming from the user who was assigned that address at that time?
> > 
> > Barney Wolff  <barney@databus.com>
> 
> What he means is that he can provide the number of the person who dialed
> into his equipment.  That information can be given to you on your PRI, and
> reported in both radius accounting and syslog.
> 
> Joe Shaw - jshaw@insync.net
> NetAdmin - Insync Internet Services
> 
> 




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.