Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DDoS attacks, spoofed source addresses and adjusted TTLs

  • From: Christopher L. Morrow
  • Date: Wed Aug 03 16:57:00 2005


On Wed, 3 Aug 2005, Mike Tancsa wrote:

>
>
> I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were
> coming in all 3 of my transit links from a handful of source IP addresses
> that sort of make sense in terms of the path they would take to get to
> me.  They were all large UDP packets of the form

in reality almost no udp floods are spoofed, save dns-smurf attacks... so
you probably saw legit hosts sending bad packets.

> The TTLs all kind of make sense and are consistent (e.g. if the host is 8
> hops away, the TTL of the packet when it got to me was 56).  Yes, I know
> those could be adjusted in theory to mask multiple sources, but in practice
> has anyone seen that ? I seem to recall reading the majority of DDoS
> attacks do not come from spoofed source IP addresses.

depends on the protocol, attacker and tools at their disposal most likely.
I can say we see more non-spoofed than spoofed these days. (go botland
go!)

what exactly was the question?




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.