[74737] in North American Network Operators' Group

Re: BCP38 making it work, solving problems

daemon@ATHENA.MIT.EDU (Paul Vixie)
Wed Oct 13 12:54:40 2004

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 13 Oct 2004 16:54:05 +0000
In-Reply-To: <5.1.0.14.2.20041013095115.00aab940@mail.iucc.ac.il>
Errors-To: owner-nanog-outgoing@merit.edu


> >How many people have seen "forged" spoofed IP addresses being used
> >for DOS attacks lately?

syn-flood protection, and random TCP ISS, are now common enough that
spoofed-source isn't effective for TCP flows.  if you want to bring down
somebody's web server then blackhats really do have to use real addresses.

however, if you just want to make their web server unreachable, then you
can either overload their DNS infrastructure or just congest their upstreams,
and you don't need to use real addresses for that.

i've never seen a dns attack that didn't have 50% or more packets coming
from spoofed sources, though due to loose-mode uRPF, most spoofed sources
in the last year or so have been from addresses for which a route exists.
-- 
Paul Vixie
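
The loose-mode uRPF behaviour mentioned in the message above, as an added example that is not part of the original post: a toy source check showing why a spoofed source that merely has a route passes loose mode but not strict mode. The forwarding table, interface names and addresses are constructed, and real routers add options (default-route handling, multiple feasible paths) not modelled here.

```python
import ipaddress

# Constructed forwarding table (documentation prefixes): prefix -> interface
# that the best route points out of. All values are illustrative assumptions.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "cust1"),
    (ipaddress.ip_network("192.0.2.128/25"), "cust2"),   # more-specific route
    (ipaddress.ip_network("198.51.100.0/24"), "cust2"),
    (ipaddress.ip_network("203.0.113.0/24"), "upstream"),
]

def best_route(src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def urpf_accepts(src, ingress, mode):
    """Return True if a packet with source src arriving on ingress passes uRPF."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = best_route(src)
    if route is None:
        return False                 # no route at all: dropped in both modes
    if mode == "loose":
        return True                  # any route to the source is enough
    return route[1] == ingress       # strict: route must point back out ingress

# Constructed sample packets: (source address, ingress interface, note).
PACKETS = [
    ("192.0.2.10", "cust1", "legitimate customer source"),
    ("203.0.113.7", "cust1", "spoofed, but a route exists"),
    ("192.0.2.200", "cust1", "spoofed neighbour in a more-specific prefix"),
    ("10.1.2.3", "cust1", "spoofed, unrouted source"),
]

def classify(packets):
    """Return [(src, strict_ok, loose_ok)] for each sample packet."""
    return [(src, urpf_accepts(src, ifc, "strict"), urpf_accepts(src, ifc, "loose"))
            for src, ifc, _ in packets]

if __name__ == "__main__":
    for (src, strict_ok, loose_ok), (_, ifc, note) in zip(classify(PACKETS), PACKETS):
        print(f"{src:<13} on {ifc:<6} strict={strict_ok!s:<5} loose={loose_ok!s:<5} {note}")
```
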
