North American Network Operators Group
RE: The impending DDoS storm
- From: Jason Frisvold
- Date: Wed Aug 13 11:10:29 2003
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
> More info:
>
> -Opens a raw socket and spoofs its source address
It *appears* to us through current testing that the source address
spoofed is always within the class of the current subnet... So, a
spoofing filter that denies all but the local subnet may only be
partially effective..
> -Randomizes its source port, but destination is always TCP/80
> -Does one DNS lookup on "windowsupdate.com" and then uses the IP
> returned
> -The window size is always 16384 (this might be useful)
It also looks like there is no throttling at all.. it abuses as much
bandwidth as it possibly can...
>
> Regards,
> ===============================
> Daniel Ingevaldson
> Engineering Manager, X-Force R&D
> dsi@iss.net
> 404-236-3160
>
> Internet Security Systems, Inc.
> The Power to Protect
> http://www.iss.net
> ===============================
>
>
> -----Original Message-----
> From: Jason Frisvold [mailto:friz@corp.ptd.net]
> Sent: Wednesday, August 13, 2003 10:50 AM
> To: Ingevaldson, Dan (ISS Atlanta)
> Cc: Stephen J. Wilcox; nanog@merit.edu
> Subject: RE: The impending DDoS storm
>
>
> On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
> > It might be somewhat tricky to block TCP/80 going to
> > windowsupdate.com.
>
> I agree... but then, who needs updates anyways.. *grin*
>
> > Regards,
> > ===============================
> > Daniel Ingevaldson
> > Engineering Manager, X-Force R&D
> > dsi@iss.net
> > 404-236-3160
> >
> > Internet Security Systems, Inc.
> > The Power to Protect
> > http://www.iss.net
> > ===============================
> >
> >
> > -----Original Message-----
> > From: Stephen J. Wilcox [mailto:steve@telecomplete.co.uk]
> > Sent: Wednesday, August 13, 2003 10:38 AM
> > To: Jason Frisvold
> > Cc: nanog@merit.edu
> > Subject: Re: The impending DDoS storm
> >
> >
> >
> >
> > On Wed, 13 Aug 2003, Jason Frisvold wrote:
> >
> > > All,
> > >
> > > What is everyone doing, if anything, to prevent the apparent
> > upcoming
> > > DDoS attack against Microsoft? From what I've been reading, and
> > > what
> > > I've been told, August 16th is the apparent start date...
> > >
> > > We're looking for some solution to prevent wasting our network
> > > resources transporting this traffic, but at the same time trying to
> > > allow legitimate through...
> > >
> > > So, is anyone planning on doing anything?
> >
> > See previous discussion on filtering...
> >
> >
> > Other than that experience says if these things turn out to be big
> > enough to cause an issue then they quickly burn themselves out anyway
> >
> > Steve
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
-- Albert Einstein [1879-1955]
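
The traits reported in this thread (SYN to TCP/80, window size always 16384, source address spoofed inside the local subnet) can be turned into a simple access-layer check. This is an added example, not part of the original messages: the record layout, the `mac` field, the `min_sources` threshold and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Traits reported in the thread: SYN to TCP/80, window size always 16384.
FLOOD_DPORT = 80
FLOOD_WINDOW = 16384

def matches_fingerprint(pkt):
    """True for a bare SYN to TCP/80 carrying the reported window size."""
    return (pkt["flags"] == "S" and pkt["dport"] == FLOOD_DPORT
            and pkt["window"] == FLOOD_WINDOW)

def analyze(packets, local_subnet, min_sources=3):
    """Group fingerprint matches by source MAC (assumed visible at the
    access layer) and count what a local-subnet-only filter would stop."""
    net = ipaddress.ip_network(local_subnet)
    by_mac = defaultdict(lambda: {"sources": set(), "passed": 0, "dropped": 0})
    for pkt in packets:
        if not matches_fingerprint(pkt):
            continue
        entry = by_mac[pkt["mac"]]
        entry["sources"].add(pkt["src"])
        if ipaddress.ip_address(pkt["src"]) in net:
            entry["passed"] += 1    # spoofed inside the subnet: filter lets it out
        else:
            entry["dropped"] += 1   # spoofed outside the subnet: filter stops it
    # One MAC emitting matching SYNs from many source IPs is the real sender;
    # a single host that merely uses window 16384 stays below the threshold.
    return {m: e for m, e in by_mac.items() if len(e["sources"]) >= min_sources}

def rec(mac, src, sport, window):
    """Build one constructed SYN record to TCP/80 (hypothetical layout)."""
    return {"mac": mac, "src": src, "sport": sport, "dport": 80,
            "flags": "S", "window": window}

# Constructed sample records, not captured traffic (documentation addresses).
SAMPLE = [
    rec("02:00:00:00:00:0a", "192.0.2.17", 1042, 16384),
    rec("02:00:00:00:00:0a", "192.0.2.201", 3377, 16384),
    rec("02:00:00:00:00:0a", "192.0.2.88", 2051, 16384),
    rec("02:00:00:00:00:0a", "192.0.2.140", 4410, 16384),
    rec("02:00:00:00:00:0b", "192.0.2.30", 50112, 65535),  # ordinary browser
    rec("02:00:00:00:00:0c", "192.0.2.40", 1188, 16384),   # same window, one source
]

if __name__ == "__main__":
    for mac, e in analyze(SAMPLE, "192.0.2.0/24").items():
        print(mac, len(e["sources"]), "sources;", e["passed"], "passed,",
              e["dropped"], "dropped by local-subnet filter")
```

On the sample data the flagged host's packets all pass the local-subnet filter, which is the partial-effectiveness point made above; the MAC grouping is what identifies the sender when the source IP cannot.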