North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: What do you want your ISP to block today?
- From: Ray Wong
- Date: Sat Aug 30 03:56:58 2003
On Sat, Aug 30, 2003 at 08:33:54AM +0200, Iljitsch van Beijnum wrote:
> What would be great though is a system where there is an automatic
> check to see if there is any return traffic for what a customer sends
> out. If someone keeps sending traffic to the same destination without
> anything coming back, 99% chance that this is a denial of service
Eh? Have you ever run a mailing list? The majority of subscribers
NEVER post. Those who do, post prior to the large quantity of traffic
originates. I suppose the latter can be accounted for using positronic
equipment instead of electronic. =) Legit mailing lists may not be
99% of total traffic, but they're sure a good chunk of legit email.
> attack. If someone sends traffic to very many destinations and in more
> than 50 or 75 % of the cases nothing comes back or just an ICMP port
> unreachable or TCP RST, 99% chance that this is a scan of some sort.
Sure, and I scan my systems from outside all the time. I'm looking for
validation that my system has NOT started listening on ports I don't
run services on. It's called external monitoring, and is rather useful
in letting me get a good night's sleep. Could I do it locally? Sure,
but I'd still need a way to verify my sites can be reached from other
places. If you want to know how TCP is working to a destination, you
have to use TCP to test it. When I'm working a half dozen part-time
contracts, each of whom has multiple servers scattered around the
country, this traffic may well be nearly continuous. My employers
will "know" about this (it'll be in some memo that no one read), but I'm
not going to find every transit provider I cross to warn them, too much
hassle. I'm probably not even going to tell my ISP, as it's none of
Are those patterns common among DOS/DDOS? Sure. You'll need to do more
analysis than that to determine if that's, in fact, what you have. Scans
by themselves certainly aren't inherently dangerous. Heavy levels of them?
Well, who gets to define "heavy?" A cracker might need only 2 or 3 scans
to get the info needed to attack a site. I probably need a few hundred a
day to verify said cracker hasn't succeeded. A script kiddie might run
hundreds, or more, or less.