[31818] in North American Network Operators' Group
Re: DOS Attacks and reliable network contact data.
daemon@ATHENA.MIT.EDU (Basil Kruglov)
Sat Oct 21 19:11:23 2000
Date: Sat, 21 Oct 2000 18:04:53 -0500
From: Basil Kruglov <basil@cifnet.com>
To: nanog@nanog.org
Message-ID: <20001021180453.A95884@shell.cifnet.com>
Reply-To: nanog@nanog.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSO.4.21.0010211712030.9787-100000@mail.tacorp.net>; from raistlin@tacorp.net on Sat, Oct 21, 2000 at 05:14:53PM -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, Oct 21, 2000 at 05:14:53PM -0400, Jason Slagle wrote:
> 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
> 22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack
> 2473479669 win 0
> 22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack
> 529389642 win 0
> 22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127
> win 9112 (DF)
> 22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack
> 1362286194 win 0
We do get this sort of crap daily at least 5 times a day, distributed
tcp/ack, tcp/syn, etc, over 40-50Kpps+ sometimes.. my list of over ~230
slave networks (in /24 format). Kids are after taking CPUs in routers
out and not killing you with hundreds and hundreds of Mbps,
high-pps attacks are also very nasty, and of course everything
is over some stupid IRC issue.
> There exists no reliable way to get the contact of a network without first
> querying arin, then apnic, then the .jp registry for instance. This is a
> royal PITA and is in no way scriptable that I can see.
What is neat is all those 'slaves' are spoofing inside their own /24
or whatever allocation they sit in, and it's very hard to persuade somebody
to look into this as they claim those ip addresses are not in use or
have only routers/switches and there is no way those devices could've
generated a [d]DoS attack.
--
Basil Kruglov [BK252-ARIN]
Network Engineering and Security
CIFNet, Inc.
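
Added example (not part of the original message, and not the poster's own tooling): one way to build a per-/24 source tally like the list mentioned above, run over the four complete packets from the quoted capture with their wrapped lines re-joined. Treating /24 as the subnet size is an assumption, so a .0 or .255 source is flagged as suspect only on that assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Old-style tcpdump line: "HH:MM:SS.us SRC.SPORT > DST.DPORT: FLAGS ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

# The four complete packets from the quoted capture, wrapped lines re-joined.
SAMPLE = """\
22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack 529389642 win 0
22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127 win 9112 (DF)
22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack 1362286194 win 0
"""


def summarize(capture):
    """Return (packet count per source /24, set of suspect source addresses)."""
    per_net = Counter()
    suspect = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines, non-TCP/UDP output, etc.
        src = ip_address(m["src"])
        # Assumption: collapse every source to its covering /24.
        net = ip_network(f"{src}/24", strict=False)
        per_net[str(net)] += 1
        # A source equal to the /24's network or broadcast address is not a
        # usable host address if the subnet really is a /24 (assumption).
        if src in (net.network_address, net.broadcast_address):
            suspect.add(str(src))
    return per_net, suspect


if __name__ == "__main__":
    nets, suspect = summarize(SAMPLE)
    for net, count in nets.most_common():
        print(f"{count:6d}  {net}")
    print("suspect sources:", ", ".join(sorted(suspect)))
```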