[53757] in North American Network Operators' Group


Re: Odd DDoS, anyone else seen this?

daemon@ATHENA.MIT.EDU (variable@ednet.co.uk)
Mon Nov 25 08:46:35 2002

Date: Mon, 25 Nov 2002 13:45:08 +0000 (GMT)
From: variable@ednet.co.uk
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21.0211251258070.22504-100000@MrServer>
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:

> We saw many hundred thousand packets per second entering our network
> from various international peers, each packet was tcp destined to a
> single real end user IP address and sourced from a /16 network address
> eg 61.254.0.0, where the src was random and different on each packet but
> always x.x.0.0

Yes.  We've asked all our upstreams to block it completely (with varying
degrees of success from it being permanently blocked at their borders to 
"we can't apply filters on your interface").

For Junos (I was informed that this is only available in 5.5), you can
filter using:

0.0.0.0/0.0.255.255 

On a cisco you can block using: 

deny ip 0.0.0.0 255.255.0.0 any 

> I was unable to find out more about the data within the packet, the
> sheer volume made diagnosis impossible without killing the routers.

Looked just like a regular SYN flood to the target IP.  Not sure why they
picked source addresses that were so obviously bogus though.

Can anyone think of a reason why this sort of traffic should be routed at 
all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?

Rich
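
The two filter lines in the post use opposite mask conventions, and it is easy to get the semantics backwards when translating between them. The following is an added example, not code from the post or from the list: it implements Cisco wildcard matching (a 1 bit in the wildcard means "don't care"), implements the bitmask reading assumed for the Junos line 0.0.0.0/0.0.255.255 (a 1 bit means "must match"; that reading is an assumption here, not verified against Junos documentation), checks that both select the same sources, and runs the resulting filter over a handful of constructed flow records modelled on the x.x.0.0 pattern described in the thread. The `SAMPLE_FLOWS` records, the `Flow` tuple layout and the destination 192.0.2.10 are all constructed for the example.

```python
"""Evaluate the 'drop sources ending in .0.0' filters from the post against
constructed flow records.  Added example; the flows are made up, not captured."""
import ipaddress
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str]  # (src, dst, tcp flags); constructed record layout


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches_cisco_wildcard(addr: str, match: str, wildcard: str) -> bool:
    """Cisco ACL convention: a 1 bit in the wildcard mask means 'don't care'.
    'deny ip 0.0.0.0 255.255.0.0 any' ignores the first two octets and
    requires the last two to be 0.0."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(match) & care)


def matches_junos_mask(addr: str, match: str, mask: str) -> bool:
    """Bitmask convention assumed for the Junos line 0.0.0.0/0.0.255.255:
    a 1 bit in the mask means 'must match'.  Assumption for this example."""
    care = ip_to_int(mask)
    return (ip_to_int(addr) & care) == (ip_to_int(match) & care)


# The two filter lines quoted in the post, as (address, mask) pairs.
CISCO_DENY = ("0.0.0.0", "255.255.0.0")   # deny ip 0.0.0.0 255.255.0.0 any
JUNOS_DENY = ("0.0.0.0", "0.0.255.255")   # 0.0.0.0/0.0.255.255


def is_bogus_source(src: str) -> bool:
    """True when the Cisco ACL in the post would drop this source address."""
    return matches_cisco_wildcard(src, *CISCO_DENY)


def filters_agree(src: str) -> bool:
    """Sanity check: both notations select the same set of sources."""
    return matches_cisco_wildcard(src, *CISCO_DENY) == matches_junos_mask(src, *JUNOS_DENY)


SAMPLE_FLOWS: List[Flow] = [
    # constructed flow records, modelled on the pattern described in the thread
    ("61.254.0.0", "192.0.2.10", "S"),      # x.x.0.0 source, SYN: dropped
    ("10.77.0.0", "192.0.2.10", "S"),       # x.x.0.0 source, SYN: dropped
    ("61.254.0.1", "192.0.2.10", "S"),      # last octet nonzero: forwarded
    ("198.51.100.0", "192.0.2.10", "A"),    # ends in .0 but third octet nonzero: forwarded
    ("203.0.113.44", "192.0.2.10", "A"),    # ordinary host: forwarded
]


def apply_filter(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Split flows into those the ACL would drop and those it would forward."""
    result: Dict[str, List[Flow]] = {"dropped": [], "forwarded": []}
    for flow in flows:
        key = "dropped" if is_bogus_source(flow[0]) else "forwarded"
        result[key].append(flow)
    return result


def syn_share_from_bogus_sources(flows: List[Flow]) -> float:
    """Fraction of SYNs whose source is x.x.0.0.  On a flow export this is a
    cheap indicator that the pattern from the thread is present, usable
    before the volume reaches the point where packet inspection is impossible."""
    syns = [f for f in flows if "S" in f[2]]
    if not syns:
        return 0.0
    bogus = [f for f in syns if is_bogus_source(f[0])]
    return len(bogus) / len(syns)


if __name__ == "__main__":
    verdicts = apply_filter(SAMPLE_FLOWS)
    for flow in verdicts["dropped"]:
        print("drop   ", flow)
    for flow in verdicts["forwarded"]:
        print("forward", flow)
    print("share of SYNs from x.x.0.0 sources:", syn_share_from_bogus_sources(SAMPLE_FLOWS))
```

Note that 198.51.100.0 passes: the filter only catches addresses whose last two octets are both zero, so it does not answer the broader question in the post about hosts on x.x.x.0 addresses, and any legitimate host that really sits on an x.x.0.0 address would be dropped along with the flood.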

