[47291] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu May 2 01:11:40 2002
Date: Thu, 2 May 2002 05:10:54 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Pete Kruckenberg <pete@kruckenberg.com>
Cc: <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.33.0205012048500.15300-100000@minot.kruckenberg.com>
Message-ID: <Pine.GSO.4.33.0205020505440.11583-100000@rampart.argfrp.us.uu.net>
On Wed, 1 May 2002, Pete Kruckenberg wrote:
>
> On Wed, 1 May 2002 measl@mfn.org wrote:
>
> > and then again, there has been much discussion on simple
> > DoS attacks, where the term DDoS is erroneously used...
> > I am very much not trying to imply that this is the case
> > here, but it's important that the two be thoroughly
> > distinguished from each other - they are totally
> > different things to deal with.
>
> Sorry, I should have been more clear.
>
> My issue (currently) is not being the target of the DDoS
> attack, but being an (unwilling) participant. People outside
> our network are launching DDoS attacks (distributed SYN
> floods) against destinations outside our network, using
> about 8,000 Web server hosts on our network as reflectors.
Funny, you say 'secured' here...
>
> These are not zombies. They are secured, uncompromised Web
> servers. The attack spoofs the target address as the source,
> and one of our machines as a destination, port 80. Getting
> everyone to implement defenses (SYN cookies) on their Web
> servers is nearly impossible (most don't even have a
> defense--printers and routers with Web interfaces).
>
and here you say: "printers and routers". Since when did they need to be
accessible off campus? Additionally, why does a router need a web
interface?? Printers are on the cusp, but they certainly don't need to be
accessible from out of your LAN.
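
Added example, not part of the original message or thread: a Python check over border flow records for the pattern discussed above, where one outside address appears to send bare SYNs to port 80 on many internal hosts and never completes a handshake, followed by the list of those hosts that are not meant to be reachable from off campus. The record layout, the `min_hosts` threshold, the `PUBLIC_WEB` allowlist, the function names and all addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the thread), using documentation
# address ranges: (src_ip, dst_ip, dst_port, TCP flags seen from src to dst).
FLOWS = [
    ("203.0.113.50", "192.0.2.10", 80, "S"),    # campus web server
    ("203.0.113.50", "192.0.2.21", 80, "S"),    # printer web interface
    ("203.0.113.50", "192.0.2.22", 80, "SR"),   # router web interface
    ("203.0.113.50", "192.0.2.23", 80, "S"),
    ("203.0.113.50", "192.0.2.30", 25, "S"),    # not port 80, ignored
    ("198.51.100.7", "192.0.2.10", 80, "SAF"),  # normal client, handshake done
    ("198.51.100.9", "192.0.2.10", 80, "S"),    # one stray half-open SYN
]
# Assumption: hosts that are meant to serve HTTP to the outside world.
PUBLIC_WEB = {"192.0.2.10"}


def find_reflection(flows, port=80, min_hosts=3):
    """Map each suspected spoofed source (the real target) to the internal
    hosts it 'sent' bare SYNs to without ever completing a handshake."""
    half_open = defaultdict(set)  # src -> internal hosts that saw SYN, no ACK
    completed = set()             # srcs that ACKed at least once (real clients)
    for src, dst, dport, flags in flows:
        if dport != port:
            continue
        if "A" in flags:
            completed.add(src)
        elif "S" in flags:
            half_open[src].add(dst)
    return {
        src: sorted(hosts)
        for src, hosts in half_open.items()
        if src not in completed and len(hosts) >= min_hosts
    }


def filter_candidates(flows, public_web, port=80, min_hosts=3):
    """Internal hosts abused as reflectors that are not intended to be
    reachable from outside, i.e. candidates for an inbound edge filter."""
    hits = find_reflection(flows, port, min_hosts)
    abused = {host for hosts in hits.values() for host in hosts}
    return sorted(abused - set(public_web))


if __name__ == "__main__":
    for target, hosts in find_reflection(FLOWS).items():
        print(f"{target}: SYN-ACKs reflected off {len(hosts)} hosts")
    print("filter inbound tcp/80 to:", filter_candidates(FLOWS, PUBLIC_WEB))
```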