[45097] in North American Network Operators' Group
Re: Growing DoS attacks
daemon@ATHENA.MIT.EDU (Pascal Gloor)
Wed Jan 16 18:10:10 2002
Message-ID: <005401c19ee3$54f39960$e7550fc3@spale.com>
From: "Pascal Gloor" <pascal.gloor@spale.com>
To: <nanog@nanog.org>
Date: Thu, 17 Jan 2002 00:12:55 +0100

For years, IRC (users and/or servers) has been getting dDoS'ed... We also see
growth in the dDoS attacks. For example on Undernet some servers get attacked
every day with 100+Mbps for a few minutes, and sometimes for long long hours...

Those attacks usually come from user - IRC Operator conflicts; those users
think they may ask anything of an OPER with the power of a dDoS.

We try to provide a free service, and all of us know how hard it is to get a
host with good connectivity for free, and on the other side we see those
young 'script kiddies' playing around with hundreds of compromised hosts
like a game, and they have no idea how much it costs all the flooded
networks... Unlikely I have to say that most of these 'script kiddies' are
from Romania. I don't know why it's so many times coming from them....

If you run a well dDoS'ed IRC server on your network I have a solution for
you... not the best one, but still technically working..

Get a /24 (be careful that there is no bigger network announced which would
include it!!! I mean, like if you get 10.10.10/24, 10/8 would include it).
Get a box, and run Zebra BGPD, which will announce that /24 to your network.
Then do a script which monitors the traffic to the IRC server, and on a
certain threshold, kill BGPD. Wait a certain time, like 15 minutes or so, and
restart BGPD. It would be nice to check the traffic every minute and if 2
consecutive checks are positive kill bgpd. That means that you may be able
to STOP dDoS to IRC servers within 2-3 minutes...

just my 0.00001 EUR
Cheers..
Pascal
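
The decision logic of the monitoring script described in the message above, as an added example that is not part of the original post. The 100 Mbps trip level, the names RouteGuard and replay, and the sample data are assumptions; the returned actions are meant to be wired to whatever stops and starts bgpd on the announcing box.

```python
from dataclasses import dataclass


@dataclass
class RouteGuard:
    threshold_mbps: float = 100.0  # assumed; the post only says "a certain threshold"
    trip_after: int = 2            # consecutive positive checks before killing bgpd
    holddown_s: int = 15 * 60      # how long the /24 stays withdrawn
    announced: bool = True
    hits: int = 0
    withdrawn_at: float = 0.0

    def check(self, now: float, mbps: float):
        """Feed one per-minute sample; return 'withdraw', 'announce' or None."""
        if not self.announced:
            # With the /24 withdrawn and no covering route, traffic no longer
            # reaches the server, so the sample is ignored; only the timer counts.
            if now - self.withdrawn_at >= self.holddown_s:
                self.announced, self.hits = True, 0
                return "announce"   # operator hook: restart bgpd
            return None
        # A single spike must not trip the guard: reset on any quiet sample.
        self.hits = self.hits + 1 if mbps >= self.threshold_mbps else 0
        if self.hits >= self.trip_after:
            self.announced, self.withdrawn_at = False, now
            return "withdraw"       # operator hook: kill bgpd
        return None


def replay(samples, guard=None):
    """Run (seconds, Mbps) samples through a guard and list the actions taken."""
    guard = guard or RouteGuard()
    events = []
    for now, mbps in samples:
        action = guard.check(now, mbps)
        if action:
            events.append((now, action))
    return events


# Constructed samples: an isolated spike, then a sustained flood, then the
# quiet readings seen while the prefix is withdrawn.
SAMPLES = [(0, 4), (60, 130), (120, 6), (180, 140), (240, 150)]
SAMPLES += [(300 + 60 * i, 0) for i in range(16)]

if __name__ == "__main__":
    for when, action in replay(SAMPLES):
        print(f"t={when:>5}s  {action}")
```

If the flood is still running when the prefix is re-announced, the guard trips again after two more checks, so each cycle exposes the network to roughly two minutes of attack traffic.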