[45313] in North American Network Operators' Group
Re: distributed attack, high or not
daemon@ATHENA.MIT.EDU (Joseph T. Klein)
Wed Jan 30 21:46:51 2002
Date: Thu, 31 Jan 2002 02:51:42 +0000
From: "Joseph T. Klein" <jtk@titania.net>
To: nanog@merit.edu
Message-ID: <20020131025142.A12260@monet.titania.net>
I define it as random because the traffic rise could be seen
coming in from multiple providers and looked to be the same
percent from all sources (separate routers with separate
interfaces to separate ASNs in separate geographic locations).
The traffic was inbound and not backsplash from randomized
source addresses.
It looks to me like an infection with someone turning a control
knob. Is this common or a precursor of a bad thing?
The anomaly was exactly one hour long.
First I have seen of something like this in a relatively short time of
gathering stats ... which I'm doing for another project.
--On Thursday, 31 January 2002 02:09 +0000 Avleen Vig <lists-nanog@silverwraith.com> wrote:
> On Thu, 31 Jan 2002, Joseph T. Klein wrote:
> 
>> I saw what appears to be a distributed attack against a single IP
>> address that reached nearly 500Mbs. I was thinking that this is
>> high. Are people seeing any random attacks of this magnitude?
> 
> Please define random :)
> If you mean the source is random, then yes this attack is of a high
> magnitude and I've seen one other this bad.
> The addresses could be real, or spoofed - depending on the circumstance
> and exact nature of the attack it'll vary.
> 
> If you mean the target appears to be random, then you're probably just
> very very unlucky :(
> Attacks of this size are normally aimed at large IRC servers or large /
> popular websites.
> 
> -- 
> Avleen Vig
> Network Security Officer
> Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf
-- 
Joseph T. Klein
jtk@titania.net