[60050] in North American Network Operators' Group
Re: WANTED: ISPs with DDoS defense solutions
daemon@ATHENA.MIT.EDU (Rob Thomas)
Wed Jul 30 20:40:38 2003
Date: Wed, 30 Jul 2003 19:40:01 -0500 (CDT)
From: Rob Thomas <robt@cymru.com>
To: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.44.0307302304330.14518-100000@pachabel.ednet.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu

Hi, NANOGers.

Ooooo, you just knew I'd have to chime in eventually. :)

] 1) The OS/software/default settings for a lot of internet connected
] machines are weak, making it easy to attack from multiple locations.

Yep, quite true. Vulnerable hosts are a commodity, not a scarce
resource. There are 728958 entries in my hacked device database
since 01 JAN 2003 that attest to this fact.

] 2) A lot of networks have no customer or egress filtering and make it a
] lot more difficult to trace DDoS traffic because it generally uses faked
] source addresses.

I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number,
only 32 used spoofed sources. I rarely see spoofed attacks now.
When a miscreant has 140415 bots (the largest botnet I've seen
this year), spoofing the source really isn't a requirement. :|

Filtering the bogons does help, and everyone should perform
anti-spoofing in the appropriate places. It isn't, however, a
silver bullet.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);