[110945] in North American Network Operators' Group
Re: Are we really this helpless? (Re: isprime DOS in progress)
daemon@ATHENA.MIT.EDU (Danny McPherson)
Fri Jan 23 23:53:38 2009
From: Danny McPherson <danny@tcb.net>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <75cb24520901232010q2aed7e49x36579a05e97108f@mail.gmail.com>
Date: Fri, 23 Jan 2009 21:53:32 -0700
Errors-To: nanog-bounces@nanog.org
On Jan 23, 2009, at 9:10 PM, Christopher Morrow wrote:
> On Fri, Jan 23, 2009 at 10:31 PM, <Valdis.Kletnieks@vt.edu> wrote:
>> On Fri, 23 Jan 2009 18:33:14 PST, Seth Mattinen said:
>>
>>> Back to my original question: is there really not a better solution?
>>
>> Well, we *could* hunt down the perpetrators, pool some $$, and hire 3 or 4
>> baseball-bat wielding professional explainers to go explain our position to
>> them. Figuring out how to do so without breaking any laws is the tough part...
>
> Step one, find a device on your network seeing the traffic
> step two, follow the stream(s) of traffic back to its ingress
> (hopefully a customer link on your network)
> step three, watch for associated traffic to the source of the dns
> queries, correlate this with other sources on your network to
> find/identify the control point for this effort.
You missed one.. Step 4: enable BCP 38 or similar
ingress source address spoofing mitigation mechanism
on all customer ingress interfaces (note: uRPF *loose*
mode no-fixie these attacks) - as you should have had
in the first place such that you didn't have to trace
those spoof packets step-by-step back through your
network.
No more excuses, people..
-danny
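Added illustration, not part of the thread: a toy model of a provider edge FIB showing why uRPF loose mode passes a spoofed query whose source is the (routable) victim address, while strict mode or a BCP 38 ingress ACL on the customer interface drops it. Prefixes, interface names and the FIB are constructed (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed FIB for a small provider edge: prefix -> egress interface.
# Customer A sits behind ge-0/0/1, customer B behind ge-0/0/2, upstream on ge-0/0/3.
FIB = {
    "203.0.113.0/24": "ge-0/0/1",   # customer A's assigned block
    "198.51.100.0/24": "ge-0/0/2",  # customer B's assigned block
    "192.0.2.0/24": "ge-0/0/3",     # victim's prefix, reached via the upstream
    "0.0.0.0/0": "ge-0/0/3",        # default route toward the upstream
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def loose_urpf_accepts(fib, src, ingress, allow_default=False):
    """Loose mode: accept if *any* non-default route exists for the source.
    The ingress interface is irrelevant, so a spoofed but routable source passes."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    return allow_default or hit[0] != DEFAULT

def strict_urpf_accepts(fib, src, ingress, allow_default=False):
    """Strict mode: accept only if the best route back to the source
    points out the interface the packet arrived on."""
    hit = lookup(fib, src)
    if hit is None or (hit[0] == DEFAULT and not allow_default):
        return False
    return hit[1] == ingress

def bcp38_acl_accepts(customer_prefixes, src):
    """BCP 38 static ingress ACL: permit only the customer's assigned blocks."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)

# Constructed spoofed DNS query: arrives from customer A, claims the victim's address.
SPOOFED_SRC, LEGIT_SRC, CUSTOMER_A_IF = "192.0.2.10", "203.0.113.7", "ge-0/0/1"
```

Running the three checks on SPOOFED_SRC from CUSTOMER_A_IF shows loose mode accepting it while strict mode and the ACL both reject it; LEGIT_SRC passes all three.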