[45315] in North American Network Operators' Group
Re: distributed attack, high or not
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Jan 30 22:16:44 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: "Joseph T. Klein" <jtk@titania.net>
Cc: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 30 Jan 2002 22:14:18 -0500
Message-Id: <20020131031418.382937B4B@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu
In message <20020131025142.A12260@monet.titania.net>, "Joseph T. Klein" writes:
>
>I define it as random because the traffic rise could be seen
>coming in from multiple providers and looked to be the same
>percent from all sources (separate routers with separate
>interfaces to separate ASNs in separate geographic locations).
>The traffic was inbound and not backsplash from randomized
>source addresses.
>
>It looks to me like an infection with someone turning a control
>knob. Is this common or a precursor of a bad thing?
>
It's a classic DDoS attack, aimed at you. Someone has lots of zombie
machines out there; at some point, they sent a command packet to all of
them, saying "bombard such-and-such an IP address for 3600 seconds".
Common? It happens frequently to someone. Precursor? Entirely
possible, though there's no way to know for sure. But it can be very
bad -- see http://news.zdnet.co.uk/story/0,,t269-s2103098,00.html
for what happened to a British ISP.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
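The distinction the two posters draw, a rise that arrives in the same proportion from every provider interface and is aimed inbound at one address, versus backscatter spread across one's own address space, can be checked mechanically over flow records. The following is an added example written for this archive page, not code from either poster; the interface names, addresses and flow records are constructed, and the thresholds are assumptions a site would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (ingress_interface, src_ip, dst_ip, bytes).
# FLOOD models the thread's case: many sources, spread evenly over three
# provider interfaces, all hitting a single address.
FLOOD = (
    [("if-asn1", "10.1.%d.5" % i, "192.0.2.10", 1500) for i in range(40)]
    + [("if-asn2", "10.2.%d.5" % i, "192.0.2.5", 1500) for i in range(0)]
    + [("if-asn2", "10.2.%d.5" % i, "192.0.2.10", 1500) for i in range(38)]
    + [("if-asn3", "10.3.%d.5" % i, "192.0.2.10", 1500) for i in range(42)]
)

# BACKSCATTER models replies from one real host (the victim of a flood that
# spoofed our addresses) arriving at many addresses in our space.
BACKSCATTER = (
    [("if-asn1", "198.51.100.7", "192.0.2.%d" % i, 60) for i in range(1, 41)]
    + [("if-asn2", "198.51.100.7", "192.0.2.%d" % i, 60) for i in range(41, 81)]
)


def shares(flows, field):
    """Fraction of total bytes per distinct value of one record field
    (0 = ingress interface, 1 = source, 2 = destination)."""
    total = defaultdict(int)
    for rec in flows:
        total[rec[field]] += rec[3]
    grand = sum(total.values())
    return {k: v / grand for k, v in total.items()}


def classify(flows, even_cv=0.25, target_share=0.9):
    """Label a traffic rise using the two observations from the thread:
    roughly equal share from each ingress interface (low coefficient of
    variation) and concentration on one destination means a distributed
    inbound flood; many destinations from few sources suggests backscatter."""
    by_if = list(shares(flows, 0).values())
    cv = pstdev(by_if) / mean(by_if) if len(by_if) > 1 else 0.0
    top_dst = max(shares(flows, 2).values())
    top_src = max(shares(flows, 1).values())
    if top_dst >= target_share and cv <= even_cv:
        return "distributed inbound flood"
    if top_dst < 0.2 and top_src >= 0.5:
        return "backscatter candidate"
    return "unclassified"
```

Real deployments would feed this from NetFlow/sFlow exports per ingress interface and alert when the flood label persists over several intervals.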