Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: dsl providers that will route /24

  • From: Jason Slagle
  • Date: Thu Mar 29 21:13:40 2001



-- 
Jason Slagle - CCNP - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ /   ASCII Ribbon Campaign  . If dreams are like movies then memories
 X  - NO HTML/RTF in e-mail  .   are films about ghosts..
/ \ - NO Word docs in e-mail .     - Adam Duritz - Counting Crows


On Thu, 29 Mar 2001, David Schwartz wrote:

> 	They could do almost exactly the same amount of damage with an unspoofed
> UDP flood and it would still take a human action to stop it. The attack can
> still hop from victim to victim until the problem is stopped at its source.
> The problem still won't get stopped at its source until someone with the
> ability to stop it is summoned and alterted to the problem.
> 
> 	Odds are, an attacker will used spoofed packets if he can. potentially
> spoofed packets will trigger an investigation on my network. An unspoofed
> UDP flood probably won't (especially if it hops from victim to victim).
> 
> 	So if the attacker uses spoofed packets, he may get cut off at the source
> (and the problem actually solved) sooner. On the other hand, unspoofed
> packets will probably trigger a call to the administration of the source
> network faster. Of course, you don't know that attack is unspoofed, so you
> really can't be sure what the source is.

I can argue the converse of this.

Unless the attacker is spoofing a static source, I can usually spot a
potentially unspoofed attack.  Even if he IS using a static spoofed
source, it only costs me a little bit to call and see if the packets are
indeed coming from the machine in question.

If I'm being attacked hard, chances are, I will notice it before you
examine your logs, unless like I said you have someone monitoring then 24
hours a day.  I will then try to wake up a live body on your end to
investigate.

If the packets are spoofed, I have to wait for you to examine your logs to
potentially stop it, or attempt to get an upstream to do a traceback,
which is a long drawn out process.

Personally, I prefer to leave the ability to determine the likely source
of a non random attack in my hands, not waiting for you to view your logs.

And nothing says I CAN'T log if I deny spoofed packets, therefor catching
them when they try spoofed packets before realizing they won't work.

Jason






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.