Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DDoS attacks

  • From: Adam Herscher
  • Date: Thu Jul 12 13:26:57 2001

> > This is pathetic. Someone asks for help and you demean them with jokes. 
> 
> Who was joking?  I wasn't.  I suppose that we should all start posting
> "HELP ME!" posts to NANOG instead of sending an email to/calling the NOC
> of networks with which we are having issues with DIRECTLY.  All the
> original poster did was add to the impact of the attack in question.  The
> attackers can now say, "Look!  We kicked SO MUCH BUTT THAT THEY HAD TO GO
> WHINE ON NANOG!  WE RULE!"

I did not originally reply because I figured you were going for a troll.
Now I realize you're just clueless.

Just because IRC servers are the first to feel the effects of a new,
intense denial of service attack does not mean it should be ignored.  The
"they brought it upon themselves" argument lost all merit (hehe - Merit),
when we saw large corporations (yahoo, ebay, cnn, etc) being brought to
their knees by the same types of attacks.

For what its worth, what we've seen in these attacks is somewhat new (log
included below courtesy of Steven Nash, Lightning Internet).  We should
deal with them (and the networks they are coming from) now, and stop this
flame war.

lose the caps, lose the attitude, get a life, etc..

"kthx"

Adam Herscher
Administrator, irc.umich.edu

--

After dealing with all these attacks on lightning the past 48 hours, and
especially the past
24 hours, I noticed a trend.  Very small arbitrary packets, built up of
garbage
(protocol FF (255)
with a s.port and d.port of 0.  Here is what the last blast looked like:

---netflow snippit---

AT3/0.147     24.102.124.6    Se1/0         207.45.69.69    FF 0000 0000
48K
AT3/0.147     24.101.120.14   Se1/0         207.45.69.69    FF 0000 0000
4103
AT3/0.147     24.9.118.233    Se1/0         207.45.69.69    FF 0000 0000
7578
AT3/0.147     24.248.115.52   Se1/0         207.45.69.69    FF 0000 0000
465
AT3/0.147     24.9.71.197     Se1/0         207.45.69.69    FF 0000 0000
36K
AT3/0.147     24.18.81.210    Se1/0         207.45.69.69    FF 0000 0000
15K
AT3/0.147     24.101.82.141   Se1/0         207.45.69.69    FF 0000 0000
74K
AT3/0.147     24.102.41.106   Se1/0         207.45.69.69    FF 0000 0000
69K
AT3/0.147     24.8.59.35      Se1/0         207.45.69.69    FF 0000 0000
35K
AT3/0.147     24.7.1.224      Se1/0         207.45.69.69    FF 0000 0000
23K
AT3/0.147     24.9.29.11      Se1/0         207.45.69.69    FF 0000 0000
33K

[snip]

For those of you who aren't familiar with a netflow output, the second IP
is
the destination IP followed
by the Protocol (FF), the source port (0000), the destination port (0000)
and
the number of packets.

--







Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.