[53758] in North American Network Operators' Group


Re: Odd DDoS, anyone else seen this?

daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Mon Nov 25 08:50:26 2002

Date: Mon, 25 Nov 2002 13:49:06 +0000 (GMT)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: variable@ednet.co.uk
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.44.0211251330340.23339-100000@pachabel.ednet.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu



Glad to know it's not just me..

FYI x.x.0.0 is a valid host address, as is x.x.x.0, and it would be technically
incorrect to block it assuming it to be a network address and therefore bogon.

However this may be a way to do it if we see another attack. Although I would
strongly recommend against filtering x.x.x.0, I would doubt that there are any
valid x.x.0.0 hosts on the internet, so could filter on that..

Steve

On Mon, 25 Nov 2002 variable@ednet.co.uk wrote:

> On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:
> 
> > We saw many hundred thousand packets per second entering our network
> > from various international peers, each packet was tcp destined to a
> > single real end user IP address and sourced from a /16 network address
> > eg 61.254.0.0, where the src was random and different on each packet but
> > always x.x.0.0
> 
> Yes.  We've asked all our upstreams to block it completely (with varying
> degrees of success from it being permanently blocked at their borders to 
> "we can't apply filters on your interface").
> 
> For Junos (I was informed that this is only available in 5.5), you can
> filter using:
> 
> 0.0.0.0/0.0.255.255 
> 
> On a cisco you can block using: 
> 
> deny ip 0.0.0.0 255.255.0.0 any 
> 
> > I was unable to find out more about the data within the packet, the
> > sheer volume made diagnosis impossible without killing the routers.
> 
> Looked just like a regular SYN flood to the target IP.  Not sure why they
> picked source addresses that were so obviously bogus though.
> 
> Can anyone think of a reason why this sort of traffic should be routed at 
> all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?
> 
> Rich
> 
> 


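The wildcard-mask filters quoted in the thread (Cisco `deny ip 0.0.0.0 255.255.0.0 any`, Junos `0.0.0.0/0.0.255.255`) match any source whose last two octets are zero. The following is an added example, not code from the thread or from either vendor: it reimplements that match in Python and runs it over a constructed set of flow records modelled on the attack, to show how many flows the narrow x.x.0.0 test catches versus the broader x.x.x.0 test that Steve warns against. All addresses and the flow format are assumptions.

```python
import ipaddress

# Cisco-style wildcard mask semantics: a 0 bit in the mask means the address bit
# must equal the pattern bit, a 1 bit means "don't care". The thread's filter,
# pattern 0.0.0.0 with wildcard 255.255.0.0, therefore matches every x.x.0.0
# source. This is a reimplementation of the semantics, not vendor code.
def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the mask says must match
    return (a & care) == (p & care)

def is_xx00_source(addr: str) -> bool:
    """Narrow test from the thread: source address of the form x.x.0.0."""
    return wildcard_match(addr, "0.0.0.0", "255.255.0.0")

def is_xxx0_source(addr: str) -> bool:
    """Broader test Steve recommends against: any address ending in .0."""
    return wildcard_match(addr, "0.0.0.0", "255.255.255.0")

# Constructed sample flow records (source, destination, TCP flags), modelled on
# the SYN flood described above: random-looking sources all ending in .0.0,
# aimed at one target. Addresses are documentation ranges and are made up.
SAMPLE_FLOWS = [
    ("61.254.0.0", "203.0.113.10", "S"),
    ("200.17.0.0", "203.0.113.10", "S"),
    ("130.4.0.0", "203.0.113.10", "S"),
    ("198.51.100.7", "203.0.113.10", "S"),   # ordinary client address
    ("192.0.2.0", "203.0.113.10", "S"),      # x.x.x.0 but not x.x.0.0: could be a real host
]

def classify(flows):
    """Return (flows the x.x.0.0 filter drops, flows only the x.x.x.0 filter would drop)."""
    narrow = [f for f in flows if is_xx00_source(f[0])]
    broad_only = [f for f in flows if is_xxx0_source(f[0]) and not is_xx00_source(f[0])]
    return len(narrow), len(broad_only)

def xx00_syn_fraction(flows) -> float:
    """Share of SYN flows carrying an x.x.0.0 source; a sudden jump is the detection signal."""
    syns = [f for f in flows if "S" in f[2]]
    if not syns:
        return 0.0
    return sum(1 for f in syns if is_xx00_source(f[0])) / len(syns)

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS), xx00_syn_fraction(SAMPLE_FLOWS))
```

The second count is the collateral the broader filter would add: here one flow from a .0 address that the narrow x.x.0.0 rule leaves alone.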