[36192] in North American Network Operators' Group
RE: dsl providers that will route /24
daemon@ATHENA.MIT.EDU (Jason Slagle)
Thu Mar 29 21:12:46 2001
Date: Thu, 29 Mar 2001 21:10:34 -0500 (EST)
From: Jason Slagle <raistlin@tacorp.net>
To: David Schwartz <davids@webmaster.com>
Cc: nanog@nanog.org
In-Reply-To: <NCBBLIEPOCNJOAEKBEAKIEIGOBAA.davids@webmaster.com>
Message-ID: <Pine.BSO.4.21.0103292106160.13740-100000@mail.tacorp.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
--
Jason Slagle - CCNP - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ / ASCII Ribbon Campaign . If dreams are like movies then memories
X - NO HTML/RTF in e-mail . are films about ghosts..
/ \ - NO Word docs in e-mail . - Adam Duritz - Counting Crows
On Thu, 29 Mar 2001, David Schwartz wrote:
> They could do almost exactly the same amount of damage with an unspoofed
> UDP flood and it would still take a human action to stop it. The attack can
> still hop from victim to victim until the problem is stopped at its source.
> The problem still won't get stopped at its source until someone with the
> ability to stop it is summoned and alerted to the problem.
>
> Odds are, an attacker will use spoofed packets if he can. Potentially
> spoofed packets will trigger an investigation on my network. An unspoofed
> UDP flood probably won't (especially if it hops from victim to victim).
>
> So if the attacker uses spoofed packets, he may get cut off at the source
> (and the problem actually solved) sooner. On the other hand, unspoofed
> packets will probably trigger a call to the administration of the source
> network faster. Of course, you don't know that the attack is unspoofed, so you
> really can't be sure what the source is.
I can argue the converse of this.
Unless the attacker is spoofing a static source, I can usually spot a
potentially unspoofed attack. Even if he IS using a static spoofed
source, it only costs me a little bit to call and see if the packets are
indeed coming from the machine in question.
If I'm being attacked hard, chances are I will notice it before you
examine your logs, unless, like I said, you have someone monitoring them 24
hours a day. I will then try to wake up a live body on your end to
investigate.
If the packets are spoofed, I have to wait for you to examine your logs to
potentially stop it, or attempt to get an upstream to do a traceback,
which is a long drawn-out process.
Personally, I prefer to leave the ability to determine the likely source
of a non-random attack in my hands, not waiting for you to view your logs.
And nothing says I CAN'T log if I deny spoofed packets, therefore catching
them when they try spoofed packets before realizing they won't work.
Jason
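The closing point of the reply, dropping spoofed packets at the customer edge while still logging them, and the earlier one, that a flood from a single static source stands out on its own, can be shown together in a small simulation. The following is an added example written for this archive page; it is not code from the thread or from either poster. It assumes a constructed router policy that maps each customer-facing interface to the prefixes that customer may source traffic from (RFC 5737 documentation addresses, not real networks), feeds it a constructed list of packet records, and reports what was forwarded, what was dropped and logged as spoofed, and which real sources sent enough packets to warrant a phone call.

```python
"""Added example (not from the NANOG thread): a simulation of an
anti-spoofing ingress filter that logs what it denies, plus a per-source
counter so that an unspoofed flood from one address is easy to spot.

All interface names, prefixes and packets below are constructed for the
example; nothing here is taken from a real network."""

import ipaddress
from collections import Counter

# Constructed policy: ingress interface -> prefixes the customer on that
# interface is allowed to use as source addresses.
INGRESS_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/26"),
             ipaddress.ip_network("198.51.100.128/25")],
}


def is_spoofed(interface, src):
    """True when src lies outside every prefix allowed on interface.

    An interface with no policy is treated as untrusted, so every packet
    arriving on it is classified as spoofed (fail closed)."""
    src_ip = ipaddress.ip_address(src)
    allowed = INGRESS_PREFIXES.get(interface, [])
    return not any(src_ip in net for net in allowed)


def filter_packets(packets, flood_threshold=3):
    """Apply the ingress filter to an iterable of
    (interface, src, dst, proto, size) records.

    Returns (forwarded, spoof_log, suspect_sources):
      forwarded       - records that passed the filter
      spoof_log       - one log line per dropped packet (the filter logs
                        what it denies, it does not silently discard)
      suspect_sources - unspoofed sources that sent >= flood_threshold
                        packets, i.e. the ones worth a call to the
                        originating network"""
    forwarded = []
    spoof_log = []
    per_source = Counter()
    for iface, src, dst, proto, size in packets:
        if is_spoofed(iface, src):
            spoof_log.append(
                f"DROP spoofed src={src} iface={iface} dst={dst} "
                f"proto={proto} len={size}")
            continue
        per_source[src] += 1
        forwarded.append((iface, src, dst, proto, size))
    suspect_sources = {s: n for s, n in per_source.items()
                       if n >= flood_threshold}
    return forwarded, spoof_log, suspect_sources


# Constructed packet records: two legitimate packets on eth1, two spoofed
# ones on eth1 (one from private space, one forged with the victim's own
# address), an unspoofed UDP flood from one real customer host on eth2,
# one eth2 packet from outside the customer's assigned blocks, and one
# packet on an interface that has no policy at all.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.1", "udp", 512),
    ("eth1", "192.0.2.11", "203.0.113.1", "tcp", 64),
    ("eth1", "10.9.8.7", "203.0.113.1", "udp", 1400),
    ("eth1", "203.0.113.1", "203.0.113.1", "udp", 1400),
    ("eth2", "198.51.100.5", "203.0.113.9", "udp", 1400),
    ("eth2", "198.51.100.5", "203.0.113.9", "udp", 1400),
    ("eth2", "198.51.100.5", "203.0.113.9", "udp", 1400),
    ("eth2", "198.51.100.5", "203.0.113.9", "udp", 1400),
    ("eth2", "198.51.100.70", "203.0.113.9", "udp", 1400),
    ("eth3", "192.0.2.99", "203.0.113.9", "udp", 60),
]


def run_sample():
    """Run the filter over the constructed packets and return the result."""
    return filter_packets(SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, log, suspects = run_sample()
    print(f"forwarded {len(fwd)} packets, dropped {len(log)} spoofed")
    for line in log:
        print(line)
    for src, n in suspects.items():
        print(f"unspoofed source {src} sent {n} packets; worth a call")
```

The filter is the interface-based check that the reply's "deny spoofed packets" implies: a packet is judged by whether its source fits the prefixes behind the interface it came in on, and a miss is logged rather than dropped quietly, so attempts at spoofing show up even though they never leave the network. The per-source counter is what makes the unspoofed case in the thread tractable: a flood from a single real address accumulates under one key and is the obvious thing to chase.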