[67734] in North American Network Operators' Group
Re: 80/udp floods?
daemon@ATHENA.MIT.EDU (Deepak Jain)
Wed Feb 18 20:04:25 2004
Date: Wed, 18 Feb 2004 20:01:24 -0500
From: Deepak Jain <deepak@ai.net>
To: "Wayne E. Bouchard" <web@typo.org>
Cc: Scott Call <scall@devolution.com>, nanog@merit.edu
In-Reply-To: <20040219004623.GA56612@typo.org>
Errors-To: owner-nanog-outgoing@merit.edu
Wayne E. Bouchard wrote:
> Yes, this seems to be a common thing these days. You send udp/LARGE udp
> packets and fragments to port 80 to saturate bandwidth and you combine
> that with compromised hosts successively opening and closing TCP
> connections to port 80 (Not a syn flood, actual connections that look
> to the router in terms of packet size etc. to be legitimate.) A note
> that the majority of these hosts are from LACNIC and APNIC
> space. (with a smattering from RIPE) I almost never see ARIN address
> space used for these compromised hosts.
>
> Most of the attacks I've seen recently have used this setup.
>
> Easy enough to fend off except for the TCP 80 bit. For most of these
> attacks, I've taken to just filtering the entire LACNIC and APNIC
> address delegations at the host level for the duration of the
> incident since, in the general case, my customers (the ones that
> suffer these incidents) do little if any business in that region.
We've seen >1Gb/s connection-filling attacks from ARIN space, especially
24.x blocks.
FYI,
Deepak Jain
AiNET
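As an added example (not code from the thread or from either poster): the script below runs the two attack components described above, UDP/fragment floods to port 80 and hosts opening and closing full TCP connections to port 80, over a few constructed flow records, flags the offending sources, and then checks which of them a prefix filter like the one Wayne describes would actually cover. The prefixes and addresses are RFC 5737 documentation ranges used as placeholders; they are not real LACNIC, APNIC or ARIN delegations, and the thresholds are illustrative. The source at 203.0.113.5 stands in for the attacker outside the filtered regions that Deepak's reply mentions.

```python
"""Added example, not from the NANOG thread.  Summarize constructed flow
records into the two attack patterns discussed (udp/80 + fragment floods,
short-lived tcp/80 connection churn), flag sources, and test coverage of
a prefix-based host filter.  All addresses are RFC 5737 placeholders."""
from collections import defaultdict, namedtuple
import ipaddress

Flow = namedtuple("Flow", "src proto dport nbytes fragment duration")

# Constructed flow records.  Fragment records are tagged with the port
# from the first fragment; a real exporter shows port 0 on later ones.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "udp", 80, 1480, True, 0.0),
    Flow("192.0.2.10", "udp", 80, 1480, True, 0.0),
    Flow("192.0.2.10", "udp", 80, 1480, False, 0.0),
    Flow("192.0.2.10", "udp", 80, 1480, True, 0.0),
    # Compromised host: many complete, short tcp/80 connections.
    *[Flow("198.51.100.7", "tcp", 80, 900, False, 0.3) for _ in range(12)],
    # A benign client: one longer-lived connection.
    Flow("198.51.100.200", "tcp", 80, 24000, False, 4.1),
    # Attacker outside the filtered prefixes.
    *[Flow("203.0.113.5", "tcp", 80, 880, False, 0.2) for _ in range(15)],
]

# Placeholder prefixes standing in for the regional delegations that
# would be filtered "for the duration of the incident" (assumption).
FILTERED_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]


def summarize(flows):
    """Per-source counters for the two attack components."""
    stats = defaultdict(lambda: {"udp80_bytes": 0, "fragments": 0,
                                 "tcp80_conns": 0, "tcp80_dur": 0.0})
    for f in flows:
        s = stats[f.src]
        if f.proto == "udp" and f.dport == 80:
            s["udp80_bytes"] += f.nbytes
            s["fragments"] += int(f.fragment)
        elif f.proto == "tcp" and f.dport == 80:
            s["tcp80_conns"] += 1
            s["tcp80_dur"] += f.duration
    return dict(stats)


def flag_sources(stats, udp_bytes=4000, conns=10, max_avg_dur=1.0):
    """Return {src: [reasons]} for sources matching either pattern.
    Thresholds are illustrative and should be tuned to the window size."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if s["udp80_bytes"] >= udp_bytes:
            reasons.append("udp/80 volume")
        if s["fragments"] > 0:
            reasons.append("fragments to udp/80")
        n = s["tcp80_conns"]
        if n >= conns and n > 0 and s["tcp80_dur"] / n < max_avg_dur:
            reasons.append("short-lived tcp/80 connection churn")
        if reasons:
            flagged[src] = reasons
    return flagged


def filter_coverage(flagged, prefixes):
    """Split flagged sources into those the prefix filter drops and
    those it misses (attackers outside the filtered delegations)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    caught, missed = set(), set()
    for src in flagged:
        addr = ipaddress.ip_address(src)
        (caught if any(addr in n for n in nets) else missed).add(src)
    return caught, missed


def iptables_rules(prefixes):
    """Host-level drop rules for tcp/80 and udp/80 from each prefix."""
    return [f"iptables -I INPUT -s {p} -p {proto} --dport 80 -j DROP"
            for p in prefixes for proto in ("tcp", "udp")]


if __name__ == "__main__":
    stats = summarize(SAMPLE_FLOWS)
    flagged = flag_sources(stats)
    caught, missed = filter_coverage(flagged, FILTERED_PREFIXES)
    for src, why in sorted(flagged.items()):
        print(f"{src}: {', '.join(why)}")
    print("dropped by prefix filter:", sorted(caught))
    print("NOT covered by prefix filter:", sorted(missed))
    print("\n".join(iptables_rules(FILTERED_PREFIXES)))
```

The coverage check is the point of the exercise: a per-region blocklist only helps while the compromised hosts actually sit in those regions, and the "missed" set is what you still have to handle with per-source or rate-based rules.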