[182863] in North American Network Operators' Group
Re: GoDaddy : DDoS : : Contact
daemon@ATHENA.MIT.EDU (Mel Beckman)
Mon Aug 3 09:35:42 2015
X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: Stephen Satchell <list@satchell.net>
Date: Mon, 3 Aug 2015 13:35:26 +0000
In-Reply-To: <55BF65D3.9000602@satchell.net>
Cc: "<nanog@nanog.org>" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
But SYN floods are easily detected and deflected by all modern firewalls. If a handshake doesn't complete within a certain time interval, the SYN is discarded.
Many DDOS attacks are full-fledged TCP sessions. The zombies are used to simulate legitimate users, and because they're coming from thousands of legitimate IP addresses sending what looks like completely normal traffic (e.g. HTTP queries) they are difficult to distinguish from real client systems. There are of course unicast DDOS attacks prosecuted over UDP or ICMP. The majority I've seen, however, are TCP.
In any event, I think it's not useful to misuse the term DDoS, and that it refers to any attack where the source addresses are distributed across the Internet, making them difficult to identify and therefore block.
-mel
> On Aug 3, 2015, at 6:00 AM, Stephen Satchell <list@satchell.net> wrote:
>
> On 08/03/2015 05:40 AM, Mel Beckman wrote:
>> What would be the point of spoofing the source IPs to be identical?
>> You're just making the attack trivial to block. Plus you could never
>> do any kind of TCP session attack, since you can't complete a
>> handshake. I would have to call this sort of attack a LAAADDoS (Lame
>> Attempt At A DDoS).:)
>
> Reflection attack as a secondary goal against the spoofed source IP? Primary goal would be a SYN flood of many servers.
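
The handshake timeout described in the message above, as an added example that is not part of the original post or of any firewall's code: a half-open connection table that discards SYNs whose handshake never completes and flags the source. The event list, addresses (documentation ranges), timeout and threshold are constructed assumptions; sources that complete the handshake pass untouched, which is the case the message calls difficult to distinguish.

```python
"""Half-open (SYN) tracking with a handshake timeout: illustrative only."""
from collections import Counter

HANDSHAKE_TIMEOUT = 3.0   # seconds; assumed value, real devices make this tunable
FLOOD_THRESHOLD = 3       # expired half-opens per source before flagging; assumed

# Constructed events: (time, source, source_port, tcp_flag)
EVENTS = [
    (0.0, "198.51.100.7", 40001, "SYN"),   # source that never answers the SYN-ACK
    (0.1, "198.51.100.7", 40002, "SYN"),
    (0.2, "198.51.100.7", 40003, "SYN"),
    (0.3, "192.0.2.10", 51000, "SYN"),     # client that completes the handshake
    (0.4, "192.0.2.10", 51000, "ACK"),
    (0.5, "203.0.113.5", 52000, "SYN"),    # another full session, different source
    (0.6, "203.0.113.5", 52000, "ACK"),
    (5.0, "192.0.2.10", 51001, "SYN"),     # later traffic moves the clock forward
    (5.1, "192.0.2.10", 51001, "ACK"),
]


def track_half_open(events, timeout=HANDSHAKE_TIMEOUT, threshold=FLOOD_THRESHOLD):
    """Return (established, expired_per_source, flagged_sources)."""
    pending = {}            # (src, sport) -> time the SYN was seen
    established = set()
    expired = Counter()

    def expire(now):
        for key in [k for k, t0 in pending.items() if now - t0 > timeout]:
            del pending[key]          # handshake never completed: discard the SYN
            expired[key[0]] += 1

    for ts, src, sport, flag in sorted(events):
        expire(ts)
        key = (src, sport)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK" and key in pending:
            del pending[key]          # three-way handshake completed in time
            established.add(key)

    flagged = {src for src, n in expired.items() if n >= threshold}
    return established, dict(expired), flagged


if __name__ == "__main__":
    est, exp, flagged = track_half_open(EVENTS)
    print("established:", sorted(est))
    print("expired half-opens:", exp, "flagged:", flagged)
```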