[60493] in North American Network Operators' Group
RE: The impending DDoS storm
daemon@ATHENA.MIT.EDU (Jason Frisvold)
Wed Aug 13 11:10:29 2003
From: Jason Frisvold <friz@corp.ptd.net>
To: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>
Cc: "Stephen J. Wilcox" <steve@telecomplete.co.uk>, nanog@merit.edu
In-Reply-To: <226A79C4618AD945B527EA7F475EA2C6321100@atlmaiexcp01.iss.local>
Date: Wed, 13 Aug 2003 11:07:11 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
> More info:
>
> -Opens a raw socket and spoofs its source address
It *appears* to us through current testing that the source address
spoofed is always within the class of the current subnet... So, a
spoofing filter that denies all but the local subnet may only be
partially effective...
> -Randomizes its source port, but destination is always TCP/80
> -Does one DNS lookup on "windowsupdate.com" and then uses the IP
> returned
> -The window size is always 16384 (this might be useful)
It also looks like there is no throttling at all... it abuses as much
bandwidth as it possibly can...
>
> Regards,
> ================================
> Daniel Ingevaldson
> Engineering Manager, X-Force R&D
> dsi@iss.net
> 404-236-3160
>
> Internet Security Systems, Inc.
> The Power to Protect
> http://www.iss.net
> ================================
>
>
> -----Original Message-----
> From: Jason Frisvold [mailto:friz@corp.ptd.net]
> Sent: Wednesday, August 13, 2003 10:50 AM
> To: Ingevaldson, Dan (ISS Atlanta)
> Cc: Stephen J. Wilcox; nanog@merit.edu
> Subject: RE: The impending DDoS storm
>
>
> On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
> > It might be somewhat tricky to block TCP/80 going to
> > windowsupdate.com.
>
> I agree... but then, who needs updates anyways.. *grin*
>
> > Regards,
> > ================================
> > Daniel Ingevaldson
> > Engineering Manager, X-Force R&D
> > dsi@iss.net
> > 404-236-3160
> >
> > Internet Security Systems, Inc.
> > The Power to Protect
> > http://www.iss.net
> > ================================
> >
> >
> > -----Original Message-----
> > From: Stephen J. Wilcox [mailto:steve@telecomplete.co.uk]
> > Sent: Wednesday, August 13, 2003 10:38 AM
> > To: Jason Frisvold
> > Cc: nanog@merit.edu
> > Subject: Re: The impending DDoS storm
> >
> >
> >
> >
> > On Wed, 13 Aug 2003, Jason Frisvold wrote:
> >
> > > All,
> > > All,
> > >
> > > What is everyone doing, if anything, to prevent the apparent upcoming
> > > DDoS attack against Microsoft? From what I've been reading, and what
> > > I've been told, August 16th is the apparent start date...
> > >
> > > We're looking for some solution to prevent wasting our network
> > > resources transporting this traffic, but at the same time trying to
> > > allow legitimate traffic through...
> > >
> > > So, is anyone planning on doing anything?
> >
> > See previous discussion on filtering...
> >
> >
> > Other than that, experience says if these things turn out to be big
> > enough to cause an issue then they quickly burn themselves out anyway.
> >
> > Steve
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
-- Albert Einstein [1879-1955]
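The two observations in the message above (the spoofed source stays inside the local subnet, and the flood is TCP/80 toward the resolved windowsupdate.com address with window 16384) can be checked against packet records. The following is an added example, not code from the thread or from any of its participants. It assumes RFC 5737 placeholder addresses throughout (the page does not give the address windowsupdate.com resolved to), and the `true_host` field on each record is constructed ground truth that a router would not actually have; it is there only so the sample can mark which SYNs are forged.

```python
# Added example (not part of the NANOG thread): classify constructed SYN
# records against the fingerprint reported above, and show why an ingress
# filter that only checks "source is inside the local subnet" admits the
# spoofed SYNs while a destination/window fingerprint also hits a
# legitimate client.
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumption: TEST-NET placeholder standing in for whatever windowsupdate.com
# resolved to at the time; the real answer is not given on the page.
WINDOWSUPDATE_ADDRS = frozenset({"192.0.2.80"})
ATTACK_WINDOW = 16384  # window size reported in the thread


@dataclass(frozen=True)
class Syn:
    """One TCP SYN as seen on a customer-facing router interface."""
    src: str          # source address carried in the packet (possibly forged)
    sport: int        # source port (randomised by the worm, so not a signal)
    dst: str
    dport: int
    window: int
    if_subnet: str    # subnet assigned to the ingress interface
    true_host: str    # constructed ground truth: host that really sent it


def passes_subnet_only_filter(pkt: Syn) -> bool:
    """Ingress ACL that permits any source inside the interface's subnet.
    This is the filter the post calls only partially effective."""
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(pkt.if_subnet)


def is_spoofed(pkt: Syn) -> bool:
    """True when the carried source differs from the constructed real sender."""
    return pkt.src != pkt.true_host


def matches_fingerprint(pkt: Syn) -> bool:
    """Fingerprint from the thread: TCP/80 to the resolved windowsupdate.com
    address with window 16384. Source port is random and therefore unused."""
    return (pkt.dport == 80
            and pkt.dst in WINDOWSUPDATE_ADDRS
            and pkt.window == ATTACK_WINDOW)


def triage(pkts: Iterable[Syn]) -> dict:
    """Count how each SYN fares under the subnet-only filter and the fingerprint."""
    counts = {
        "total": 0,
        "spoofed": 0,
        "spoofed_passing_subnet_filter": 0,
        "fingerprint_hits": 0,
        "fingerprint_hits_not_spoofed": 0,  # legitimate traffic a fingerprint ACL would drop
    }
    for p in pkts:
        counts["total"] += 1
        spoofed = is_spoofed(p)
        hit = matches_fingerprint(p)
        if spoofed:
            counts["spoofed"] += 1
            if passes_subnet_only_filter(p):
                counts["spoofed_passing_subnet_filter"] += 1
        if hit:
            counts["fingerprint_hits"] += 1
            if not spoofed:
                counts["fingerprint_hits_not_spoofed"] += 1
    return counts


# Constructed sample: one infected host (198.51.100.12) on 198.51.100.0/24
# sending SYNs with sources forged inside its own /24, one SYN forged from
# outside the /24, one legitimate client that happens to use the same window
# size, and one unrelated legitimate connection.
SAMPLE = [
    Syn("198.51.100.37", 1043, "192.0.2.80", 80, 16384, "198.51.100.0/24", "198.51.100.12"),
    Syn("198.51.100.201", 61004, "192.0.2.80", 80, 16384, "198.51.100.0/24", "198.51.100.12"),
    Syn("198.51.100.9", 33011, "192.0.2.80", 80, 16384, "198.51.100.0/24", "198.51.100.12"),
    Syn("203.0.113.5", 2201, "192.0.2.80", 80, 16384, "198.51.100.0/24", "198.51.100.12"),
    Syn("198.51.100.20", 3301, "192.0.2.80", 80, 16384, "198.51.100.0/24", "198.51.100.20"),
    Syn("198.51.100.21", 3302, "192.0.2.25", 443, 65535, "198.51.100.0/24", "198.51.100.21"),
]

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name}: {value}")
```

Of the four forged SYNs, the three whose source stays inside the /24 pass the subnet-scoped filter; only the one forged from outside the subnet is stopped, which is the partial effectiveness noted in the message. The fingerprint matches all five attack-pattern SYNs but also the legitimate client on 198.51.100.20, so dropping TCP/80 toward windowsupdate.com on that basis costs some legitimate update traffic, which is the trade-off the thread is weighing.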