[60528] in North American Network Operators' Group


Re: The impending DDoS storm

daemon@ATHENA.MIT.EDU (Aaron Hopkins)
Wed Aug 13 16:47:49 2003

Date: Wed, 13 Aug 2003 13:46:38 -0700 (PDT)
From: Aaron Hopkins <lists@die.net>
To: Dan Hollis <goemon@anime.net>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0308131120560.18194-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu


> has anyone tried tarpitting eg labrea to slow the worm?

I have been using my Linux kernel module ipt_TARPIT (included in the latest
netfilter.org patch-o-matic release) to do this for any IPs on my network
lacking a route, including outbound from my customers and inbound to my
unused address space.

While it is trying to scan routeless IPs, the tarpit slows it down to
scanning 20 IPs per ~9 minutes.  (MSBlast has 20 connection slots, each
apparently timing out after ~9 minutes.)  It normally appears to have a
several second connect timeout, so this slows it down by two orders of
magnitude with a similar drop in network traffic.

                                    -- Aaron
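
As an added illustration, not taken from Aaron's post, this is the shape of the netfilter setup he describes: give an unused prefix a route into a dummy interface so the router's FORWARD chain actually sees the scanner's SYNs, then hand them to the TARPIT target instead of dropping them. The prefix 192.0.2.0/24 is a documentation placeholder for real unrouted space, the interface name tarpit0 is arbitrary, and the raw-table NOTRACK rule is my assumption based on the TARPIT documentation's advice to keep tarpitted flows out of conntrack; the script only prints the commands unless run with --apply.

```shell
#!/bin/sh
# Tarpit TCP scans aimed at an unused prefix on a Linux router (added example).
# Needs the netfilter TARPIT target (patch-o-matic when this was posted,
# xtables-addons today).  192.0.2.0/24 is a placeholder: use your own unrouted
# space, never anything legitimate traffic should reach.

tarpit_rules() {
    prefix="$1"
    # Without a route the kernel discards these packets before FORWARD runs,
    # so route the prefix into a dummy interface that silently eats them.
    echo "ip link add tarpit0 type dummy"
    echo "ip link set tarpit0 up"
    echo "ip route add $prefix dev tarpit0"
    # Tarpitted flows are held open for minutes; keep them out of conntrack
    # or the state table fills up (assumed best practice, see lead-in).
    echo "iptables -t raw -A PREROUTING -d $prefix -p tcp -j NOTRACK"
    # TARPIT completes the handshake with a zero window, so the scanner can
    # send nothing and its slot hangs until its own timeout (MSBlast: 20
    # slots, ~9 minutes each per the post above).
    echo "iptables -A FORWARD -d $prefix -p tcp -j TARPIT"
    # Anything non-TCP to the prefix is just dropped.
    echo "iptables -A FORWARD -d $prefix -j DROP"
}

# Number of TARPIT rules the generator emits for a prefix (used for checking).
tarpit_rule_count() {
    tarpit_rules "$1" | grep -c -- '-j TARPIT'
}

case "$1" in
    --apply) tarpit_rules "$2" | sh -e ;;   # run as root to install the rules
    *)       tarpit_rules "${1:-192.0.2.0/24}" ;;  # dry run: print them
esac
```

Confirm the effect from the scanner's side before relying on it: a connection to the prefix should hang rather than fail quickly, and `iptables -vL FORWARD` should show the TARPIT counters climbing while the conntrack table stays flat.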

