North American Network Operators Group
RE: dsl providers that will route /24
- From: Jason Slagle
- Date: Thu Mar 29 21:13:40 2001
Jason Slagle - CCNP - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- email@example.com - firstname.lastname@example.org - WHOIS JS10172
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ / ASCII Ribbon Campaign . If dreams are like movies then memories
X - NO HTML/RTF in e-mail . are films about ghosts..
/ \ - NO Word docs in e-mail . - Adam Duritz - Counting Crows
On Thu, 29 Mar 2001, David Schwartz wrote:
> They could do almost exactly the same amount of damage with an unspoofed
> UDP flood and it would still take a human action to stop it. The attack can
> still hop from victim to victim until the problem is stopped at its source.
> The problem still won't get stopped at its source until someone with the
> ability to stop it is summoned and alerted to the problem.
> Odds are, an attacker will use spoofed packets if he can. Potentially
> spoofed packets will trigger an investigation on my network. An unspoofed
> UDP flood probably won't (especially if it hops from victim to victim).
> So if the attacker uses spoofed packets, he may get cut off at the source
> (and the problem actually solved) sooner. On the other hand, unspoofed
> packets will probably trigger a call to the administration of the source
> network faster. Of course, you don't know that attack is unspoofed, so you
> really can't be sure what the source is.
I can argue the converse of this.
Unless the attacker is spoofing a static source, I can usually spot a
potentially unspoofed attack. Even if he IS using a static spoofed
source, it only costs me a little bit to call and see if the packets are
indeed coming from the machine in question.
If I'm being attacked hard, chances are, I will notice it before you
examine your logs, unless like I said you have someone monitoring them 24
hours a day. I will then try to wake up a live body on your end to
If the packets are spoofed, I have to wait for you to examine your logs to
potentially stop it, or attempt to get an upstream to do a traceback,
which is a long drawn out process.
Personally, I prefer to leave the ability to determine the likely source
of a non random attack in my hands, not waiting for you to view your logs.
And nothing says I CAN'T log if I deny spoofed packets, therefore catching
them when they try spoofed packets before realizing they won't work.
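
The deny-and-log approach from the last paragraph of this message, as an added example that is not part of the original post: a source-address check at the customer edge that drops packets whose source is outside the prefix assigned to the ingress interface and records each drop. Interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed for this example: prefix assigned to each customer-facing
# interface. Interface names and addresses are hypothetical (RFC 5737 ranges).
ASSIGNED = {
    "dsl0": [ipaddress.ip_network("192.0.2.0/24")],
    "dsl1": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed sample traffic: (ingress interface, source, destination).
PACKETS = [
    ("dsl0", "192.0.2.10", "203.0.113.5"),      # source inside the /24
    ("dsl0", "10.1.2.3", "203.0.113.5"),        # spoofed
    ("dsl0", "172.16.9.9", "203.0.113.5"),      # spoofed
    ("dsl1", "198.51.100.20", "203.0.113.7"),   # source inside the /25
    ("dsl1", "198.51.100.200", "203.0.113.7"),  # outside the /25: denied
    ("dsl9", "192.0.2.10", "203.0.113.5"),      # unknown interface: denied
]

def filter_and_log(packets, assigned=ASSIGNED):
    """Forward a packet only if its source is in a prefix assigned to the
    interface it arrived on; deny everything else and keep a log entry."""
    forwarded, deny_log = [], []
    for iface, src, dst in packets:
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in assigned.get(iface, [])):
            forwarded.append((iface, src, dst))
        else:
            deny_log.append({"iface": iface, "src": src, "dst": dst})
    return forwarded, deny_log

def summarize(deny_log):
    """Group denies by interface so the operator of the source network sees
    which customer port is emitting spoofed traffic, and at whom."""
    per_iface = defaultdict(lambda: {"denied": 0, "sources": set(), "targets": set()})
    for entry in deny_log:
        row = per_iface[entry["iface"]]
        row["denied"] += 1
        row["sources"].add(entry["src"])
        row["targets"].add(entry["dst"])
    return dict(per_iface)

if __name__ == "__main__":
    forwarded, deny_log = filter_and_log(PACKETS)
    for iface, row in sorted(summarize(deny_log).items()):
        print(iface, row["denied"], "denied,", len(row["sources"]),
              "distinct sources, targets:", sorted(row["targets"]))
```

The per-interface summary is what lets the source network act on its own deny log: the spoofed packets never leave, and the port that sent them is already identified.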