[30770] in North American Network Operators' Group


Re: Under DDoS attack; what do I do now?

daemon@ATHENA.MIT.EDU (Jim Duncan)
Wed Aug 30 13:59:07 2000

Message-Id: <200008301753.NAA05452@rtp-msg-core-1.cisco.com>
From: Jim Duncan <jnduncan@cisco.com>
To: Chris Adams <cmadams@hiwaay.net>, nanog@merit.edu
Cc: psirt@cisco.com
Reply-To: psirt@cisco.com
In-Reply-To: Message from Chris Adams <cmadams@hiwaay.net> 
   of "Wed, 30 Aug 2000 12:22:14 CDT." <20000830122214.H22661@HiWAAY.net> 
Date: Wed, 30 Aug 2000 13:54:46 -0400
Errors-To: owner-nanog-outgoing@merit.edu


Chris Adams writes:
> We appear to be under a distributed denial of service attack.  We are
> receiving 7.5+ megabits per second of ICMP traffic (it looks like a
> smurf attack) from all over to a single address (one that was in our
> dialup pool).  We've taken the IP out of our pool and are routing it to
> a separate interface with a computer just set up to capture traffic.
> 
> It isn't causing an immediate problem, since we've routed the traffic
> away, but what do we do next?  We've been contacted by a couple of the
> people sending the ICMP replies complaining about us pinging them and
> told them about fixing distributed broadcast and they've said they'll
> look into it.
> 
> What do we do to track this down?  We've got four upstreams and the
> traffic appears to be coming in all four; do we need to call all of
> them?  Is there any kind of organization that can help coordinate this?
> 
> Thanks for any help you can give.

If Cisco equipment is involved, you can use the information at
http://www.cisco.com/warp/public/707/22.html to characterize the attack 
and perhaps trace it.  If you expect assistance from upstream, you'll 
have to characterize the attack as much as possible.  Since the source 
addresses are usually spoofed, tracing the attack means that senior 
network engineers have to look at each link along the path, and it's 
going to be hard to get them interested if the traffic is not well 
defined.

If you don't already know who to contact at each of your upstream
providers, open a case with their support desk.  Most major ISPs and
NSPs have special teams that deal with attacks.

If one of the upstreams (or other sources) is a member of the Forum of 
Incident Response and Security Teams (FIRST), you can look up the 
specific response team's contact info at http://www.first.org/.

There's more info on mitigating DDoS attacks on the Cisco Security
Advisories page, http://www.cisco.com/warp/public/707/advisory.html.  

If you need further help, you can contact the Cisco TAC.  If it's a 
bona fide emergency, you can engage our group, the Cisco Product 
Security Incident Response Team, to assist.

	Jim


-- 
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan@cisco.com>  Phone(Direct/FAX): +1 919 392 6209
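
One way to turn the traffic the capture box is seeing into the kind of characterization Jim asks for, as an added example that is not part of the original thread and not a Cisco tool: it parses tcpdump-style lines (the sample below is constructed, using documentation address ranges), keeps only ICMP echo replies aimed at the retired victim address, and reports rate, packet size and the /24 networks the replies come from, which is what an upstream needs to filter or trace. The line format, the `characterize` function and all sample values are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style ("tcpdump -tt -n") lines; not a real capture.
# 198.51.100.7 stands in for the retired dialup address; the sources are
# hosts on reflector networks answering a spoofed broadcast ping.
SAMPLE_CAPTURE = """\
967658086.000000 IP 192.0.2.17 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 1028
967658086.001000 IP 192.0.2.18 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 1028
967658086.002000 IP 192.0.2.19 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 1028
967658086.003000 IP 203.0.113.5 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 1028
967658086.004000 IP 203.0.113.9 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 1028
967658086.005000 IP 192.0.2.20 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 1028
967658086.006000 IP 198.51.100.99 > 198.51.100.7: ICMP echo request, id 2, seq 1, length 64
967658086.007000 IP 192.0.2.21 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 1028
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo reply, .*length (?P<length>\d+)$"
)

def to_usec(ts: str) -> int:
    """Parse 'seconds.fraction' into integer microseconds (exact, no float drift)."""
    sec, frac = ts.split(".")
    return int(sec) * 1_000_000 + int(frac.ljust(6, "0")[:6])

def characterize(capture: str, victim: str, top_n: int = 3) -> dict:
    """Summarize unsolicited ICMP echo replies sent to `victim`."""
    timestamps, sources, total_bytes = [], Counter(), 0
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != victim:
            continue  # ignore requests and traffic to other hosts
        timestamps.append(to_usec(m["ts"]))
        sources[m["src"]] += 1
        total_bytes += int(m["length"])
    packets = sum(sources.values())
    if packets == 0:
        return {"victim": victim, "packets": 0}
    # Collapse sources to /24s: a smurf reflector is a whole broadcast domain.
    networks = Counter()
    for src, n in sources.items():
        networks[str(ipaddress.ip_network(f"{src}/24", strict=False))] += n
    duration_usec = (max(timestamps) - min(timestamps)) or 1  # guard single packet
    return {
        "victim": victim,
        "packets": packets,
        "distinct_sources": len(sources),
        "avg_packet_bytes": total_bytes / packets,
        "pps": packets * 1_000_000 / duration_usec,
        "mbps": total_bytes * 8 / duration_usec,  # bits per microsecond == Mbit/s
        "top_networks": networks.most_common(top_n),
    }

if __name__ == "__main__":
    for key, value in characterize(SAMPLE_CAPTURE, "198.51.100.7").items():
        print(f"{key}: {value}")
```

The `top_networks` list is the part worth sending to the reflector networks' contacts, since each /24 listed is a candidate for having directed broadcast enabled.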