North American Network Operators Group
RE: DOS Attacks and reliable network contact data.
- From: rdobbins
- Date: Sun Oct 22 13:06:10 2000
That's why MPLS is such a Good Thing - attacks which would cripple
72xx-series & 75xx-series routers can actually be handled without flinching,
as the CPU overhead is reduced tremendously by making use of the switch's
muscle and efficiency.

One of my customers was getting DoSed all the time; his router (7206,
NPE-150) was seeing 75%-100% CPU utilization during these times (average was
50%). We took that 7206 and used it as the MLS-RP for a Catalyst 5509 he
had lying around (Sup-III, NFFC II), and now he just hums along when they
try and zorch his router. An attack which would max him out at 100% before
now drives his CPU to perhaps 25%.

His -average- CPU load went down from the aforementioned 50% to 5%, all
without changing the router in any way other than turning it into the
layer-3 engine for the switch. A pretty decent solution, for having been
put together from existing equipment.

Roland Dobbins <firstname.lastname@example.org> // 818.535.5024 voice

From: Basil Kruglov [mailto:email@example.com]
Sent: Saturday, October 21, 2000 4:05 PM
Subject: Re: DOS Attacks and reliable network contact data.
On Sat, Oct 21, 2000 at 05:14:53PM -0400, Jason Slagle wrote:
> 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
> 22:30:52.822459 255.255.255.255.80 > 188.8.131.52.6667: R 0:0(0) ack
> 2473479669 win 0
> 22:30:52.822711 184.108.40.206.80 > 220.127.116.11.6667: R 0:0(0) ack
> 529389642 win 0
> 22:30:52.822962 18.104.22.168.80 > 22.214.171.124.6667: . ack 1625272127
> win 9112 (DF)
> 22:30:52.823213 126.96.36.199.80 > 188.8.131.52.6667: R 0:0(0) ack
> 1362286194 win 0
We do get this sort of crap daily at least 5 times a day, distributed
tcp/ack, tcp/syn, etc, over 40-50Kpps+ sometimes.. my list of over ~230
slave networks (in /24 format). Kids are after taking CPUs in routers
out and not killing you with hundreds and hundreds of Mbps,
high-pps attacks are also very nasty, and of course everything
is over some stupid IRC issue.
> There exists no reliable way to get the contact of a network without first
> querying arin, then apnic, then the .jp registry for instance. This is a
> royal PITA and is in no way scriptable that I can see.
What is neat is all those 'slaves' are spoofing inside their own /24
or whatever allocation they sit in, and it's very hard to persuade somebody
to look into this as they claim those ip addresses are not in use or
have only routers/switches and there is no way those devices could've
generated a [d]DoS attack.
Basil Kruglov [BK252-ARIN]
Network Engineering and Security
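
As an added illustration, not part of any poster's message: one way to reduce tcpdump text like the excerpt quoted above to the per-/24 source list and packet rate discussed in the thread, which suits sources that spoof inside their own /24. The sample lines are constructed with documentation-range addresses, and `summarize` and its regex are assumptions that cover only this old single-line tcpdump format.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample in the tcpdump text format quoted in the thread
# (documentation-range addresses, not values from the post).
SAMPLE = """\
22:30:52.822459 192.0.2.10.80 > 203.0.113.5.6667: R 0:0(0) ack 2473479669 win 0
22:30:52.822711 192.0.2.77.80 > 203.0.113.5.6667: R 0:0(0) ack 529389642 win 0
22:30:52.822962 198.51.100.9.80 > 203.0.113.5.6667: . ack 1625272127 win 9112 (DF)
22:30:52.823213 192.0.2.200.80 > 203.0.113.5.6667: R 0:0(0) ack 1362286194 win 0
22:30:52.823400 203.0.113.5.6667 > 198.51.100.9.80: P 1:20(19) ack 1 win 8760
"""

# hh:mm:ss.frac  src.port > dst.port: flags ...
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\S+) "
)

def summarize(text, victim):
    """Count packets sent to `victim` per source /24 and per TCP flag field,
    and estimate packets per second from the first and last timestamps.
    Assumes the capture does not cross midnight."""
    per_net, per_flags, stamps = Counter(), Counter(), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(6) != victim:
            continue  # wrapped continuation lines, other formats, reverse traffic
        # Spoofed sources may be any host in the /24, so aggregate to the network.
        net = ip_network(f"{m.group(4)}/24", strict=False)
        per_net[str(net)] += 1
        per_flags[m.group(8)] += 1
        stamps.append(int(m.group(1)) * 3600 + int(m.group(2)) * 60
                      + float(m.group(3)))
    span = max(stamps) - min(stamps) if len(stamps) > 1 else 0.0
    pps = (len(stamps) - 1) / span if span > 0 else 0.0
    return per_net, per_flags, pps

if __name__ == "__main__":
    nets, flags, pps = summarize(SAMPLE, "203.0.113.5")
    for net, count in nets.most_common():
        print(f"{net:<18} {count}")
    print(dict(flags), f"{pps:.0f} pps")
```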