[156812] in North American Network Operators' Group
Re: really nasty attacks
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Sep 27 11:23:06 2012
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <506468FE.15908.A42E19D@mmata.intercom.com.sv>
Date: Thu, 27 Sep 2012 11:21:06 -0400
To: "Miguel Mata" <mmata@intercom.com.sv>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sep 27, 2012, at 10:55 AM, Miguel Mata wrote:
> Guys,
>
> on recent days I've seen a UDP attack a couple of times. The attack is fairly simple, a full load of UDP packets filled with "X". The attacks come from various sites from the other side of the pond (46.165.197.xx, 213.152.180.yy).
>
> Has anyone seen this kind of attack? Basically, the attack aims to fill your pipe (150Mbps over an STM1... guess what...) Then the question goes like this: besides asking your upstream provider to block, drop or whatever on the offending traffic, and Kontaktieren Sie den Administrator, what else can be done?
>
> Thanks in advance for any help you can provide.
>
> Please contact me off list. I'll post a recap in due time.
There are a lot of different attack types that one might see as an ISP/SP of services. 10 years+ ago it would be an ICMP flood. Some of us took to rate-limiting the icmp echo/echo-reply traffic to 2Mb/s on links to mitigate the flood.

UDP can be a powerful tool in the hands of a compromised server. I recall in 96 putting 100M of udp through a 10m firewall/nat midpoint. Had to drive to the office to kill the process.

Without knowing the nature of the pattern you are seeing, it is very hard to advise anything other than to contact your ISP for filtering. Traffic against udp/0 (fragments) would be handled differently than others (eg: udp/80). I've seen many people just add udp/80 to their standard filters since I'm unaware of any UDP HTTP implementations.

You can try to determine why you were attacked, but that too can be as simple as a "script kiddie" on IRC to an attack with far more malicious motive and implications.

- Jared
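An added illustration of the triage Jared's reply sketches (bucket udp/0 fragments apart from udp/80, spot a single-byte "X" fill flood per source, and measure ICMP against a 2Mb/s rate-limit). This script is not from the thread; the packet records are constructed, the addresses are documentation ranges, and the 50-packet and 2Mb/s thresholds are assumed values.

```python
from collections import Counter

# Constructed sample records, not captured traffic. One tuple per packet:
# (timestamp_s, proto, src_ip, dst_port, length_bytes, payload, is_fragment).
# The "X"-filled UDP packets mimic the pattern in Miguel's question; all
# records fall inside a single one-second window.
SAMPLE = (
    [(i * 0.001, "udp", "198.51.100.7", 80, 1400, b"X" * 1372, False) for i in range(200)]
    + [(i * 0.001, "udp", "198.51.100.8", 0, 1480, b"X" * 1452, True) for i in range(100)]
    + [(i * 0.001, "icmp", "203.0.113.5", 0, 1000, b"\x00" * 972, False) for i in range(300)]
    + [(0.5, "udp", "192.0.2.10", 53, 80, b"\x12\x34\x01\x00", False)]
)

def is_fill_payload(payload: bytes, min_len: int = 64) -> bool:
    """True when the payload is non-trivial in size and is one repeated byte."""
    return len(payload) >= min_len and len(set(payload)) == 1

def classify(pkt) -> str:
    """Bucket a packet the way the reply treats them: udp/0 fragments,
    udp/80 (commonly added to standard filters), other udp, icmp, other."""
    _, proto, _, dport, _, _, frag = pkt
    if proto == "udp" and frag:
        return "udp/0-fragment"
    if proto == "udp" and dport == 80:
        return "udp/80"
    if proto == "udp":
        return "udp/other"
    if proto == "icmp":
        return "icmp"
    return "other"

def summarize(pkts, window_s: float = 1.0, icmp_limit_bps: int = 2_000_000,
              flood_pkts: int = 50) -> dict:
    """Count packets per bucket, list sources sending >= flood_pkts fill-byte
    UDP packets, and compare ICMP volume to the assumed 2Mb/s rate-limit."""
    counts, fill_src, icmp_bytes = Counter(), Counter(), 0
    for pkt in pkts:
        cat = classify(pkt)
        counts[cat] += 1
        if pkt[1] == "udp" and is_fill_payload(pkt[5]):
            fill_src[pkt[2]] += 1
        if cat == "icmp":
            icmp_bytes += pkt[4]
    icmp_bps = icmp_bytes * 8 / window_s
    return {
        "counts": dict(counts),
        "fill_flood_sources": sorted(s for s, n in fill_src.items() if n >= flood_pkts),
        "icmp_bps": icmp_bps,
        "icmp_over_limit": icmp_bps > icmp_limit_bps,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```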