North American Network Operators Group
Re: DDoS attacks
- From: Adam Herscher
- Date: Thu Jul 12 13:26:57 2001
> > This is pathetic. Someone asks for help and you demean them with jokes.
> Who was joking? I wasn't. I suppose that we should all start posting
> "HELP ME!" posts to NANOG instead of sending an email to/calling the NOC
> of networks with which we are having issues with DIRECTLY. All the
> original poster did was add to the impact of the attack in question. The
> attackers can now say, "Look! We kicked SO MUCH BUTT THAT THEY HAD TO GO
> WHINE ON NANOG! WE RULE!"
I did not originally reply because I figured you were going for a troll.
Now I realize you're just clueless.
Just because IRC servers are the first to feel the effects of a new,
intense denial of service attack does not mean it should be ignored. The
"they brought it upon themselves" argument lost all merit (hehe - Merit),
when we saw large corporations (yahoo, ebay, cnn, etc) being brought to
their knees by the same types of attacks.
For what it's worth, what we've seen in these attacks is somewhat new (log
included below courtesy of Steven Nash, Lightning Internet). We should
deal with them (and the networks they are coming from) now, and stop this
lose the caps, lose the attitude, get a life, etc..
After dealing with all these attacks on lightning the past 48 hours, and
especially the past 24 hours, I noticed a trend. Very small arbitrary
packets, built up of (protocol FF (255) with a s.port and d.port of 0.
Here is what the last blast looked like:
AT3/0.147 22.214.171.124 Se1/0 126.96.36.199 FF 0000 0000
AT3/0.147 188.8.131.52 Se1/0 184.108.40.206 FF 0000 0000
AT3/0.147 220.127.116.11 Se1/0 18.104.22.168 FF 0000 0000
AT3/0.147 22.214.171.124 Se1/0 126.96.36.199 FF 0000 0000
AT3/0.147 188.8.131.52 Se1/0 184.108.40.206 FF 0000 0000
AT3/0.147 220.127.116.11 Se1/0 18.104.22.168 FF 0000 0000
AT3/0.147 22.214.171.124 Se1/0 126.96.36.199 FF 0000 0000
AT3/0.147 188.8.131.52 Se1/0 184.108.40.206 FF 0000 0000
AT3/0.147 220.127.116.11 Se1/0 18.104.22.168 FF 0000 0000
AT3/0.147 22.214.171.124 Se1/0 126.96.36.199 FF 0000 0000
AT3/0.147 188.8.131.52 Se1/0 184.108.40.206 FF 0000 0000
For those of you who aren't familiar with a netflow output, the second IP
the destination IP followed
by the Protocol (FF), the source port (0000), the destination port (0000)
the number of packets.
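
Added example, not part of the original message: a small Python parser for flow lines in the column order described above (source interface, source IP, destination interface, destination IP, protocol, source port, destination port, packets) that flags protocol 255 flows with both ports zero and totals them per destination. The addresses, the packet counts and the function names are constructed for illustration; the packet column is treated as optional because the lines in the message stop before it.

```python
from collections import Counter

# Constructed sample in the column order the message describes:
# SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts (protocol and ports in hex).
SAMPLE = """\
AT3/0.147 192.0.2.10 Se1/0 198.51.100.5 FF 0000 0000 812
AT3/0.147 192.0.2.77 Se1/0 198.51.100.5 FF 0000 0000 790
AT3/0.147 203.0.113.9 Se1/0 198.51.100.5 06 0C38 1A0B 14
AT3/0.147 192.0.2.200 Se1/0 198.51.100.8 FF 0000 0000
garbage line that is not a flow record
AT3/0.147 203.0.113.40 Se1/0 198.51.100.8 11 0035 C001 3
"""

def parse_flow(line):
    """Return a dict for one flow line, or None if it does not parse."""
    f = line.split()
    if len(f) not in (7, 8):
        return None
    try:
        proto, sport, dport = int(f[4], 16), int(f[5], 16), int(f[6], 16)
        pkts = int(f[7]) if len(f) == 8 else 0  # count may be cut off
    except ValueError:
        return None
    return {"src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
            "proto": proto, "sport": sport, "dport": dport, "pkts": pkts}

def is_suspect(flow):
    """Protocol 255 (IANA reserved) with both ports zero, as in the log."""
    return flow["proto"] == 0xFF and flow["sport"] == 0 and flow["dport"] == 0

def summarize(text):
    """Map each destination to (flows, packets, distinct sources) for suspect flows."""
    flows, pkts, srcs = Counter(), Counter(), {}
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or not is_suspect(flow):
            continue
        flows[flow["dst"]] += 1
        pkts[flow["dst"]] += flow["pkts"]
        srcs.setdefault(flow["dst"], set()).add(flow["src"])
    return {d: (flows[d], pkts[d], len(srcs[d])) for d in flows}

if __name__ == "__main__":
    for dst, (n, p, s) in sorted(summarize(SAMPLE).items()):
        print(f"{dst}: {n} proto-255 flows, {p} packets, {s} sources")
```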