[80665] in North American Network Operators' Group
Re: anycast and ddos
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Sun May 8 05:57:13 2005
Date: Sun, 08 May 2005 12:53:29 +0300
To: "Christopher L. Morrow" <christopher.morrow@mci.com>
From: Hank Nussbacher <hank@mail.iucc.ac.il>
Cc: nanog@nanog.org
In-Reply-To: <Pine.GSO.4.58.0505070129170.13686@sharpie.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu
At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote:
I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May
1-7) and could not find any listed for 216.168.229.0/24, worldnic.com,
netsol.com or AS6245.
-Hank
>worldnic.com. 86400 IN NS ns1.netsol.com.
>worldnic.com. 86400 IN NS ns2.netsol.com.
>worldnic.com. 86400 IN NS ns3.netsol.com.
>
>;; ADDITIONAL SECTION:
>ns1.netsol.com. 86400 IN A 216.168.229.228
>ns2.netsol.com. 86400 IN A 216.168.229.229
>ns3.netsol.com. 86400 IN A 216.168.229.229
>
>why have 3 records and 2 ips? odd. You'd think they would have more ips in
>that /21 or other /24's to allocate from, just in case they had to
>jettison 1 address which was getting pounded :( (not that these were
>getting attacked per se, but still)
>
> > [0] - as it seems that the ddos sources were ip address
> > spoofed (which is why the service still worked for
> > tcp), i owe paul an apology for downplaying the
> > immediacy of the need for source address filtering.
> >
>
>It's also not clear that the sources were spoofed, if as Patrick says they
>put in a riverhead(s) (which isn't too far fetched) the normal mode for
>'protection' of DNS is to:
>1) truncate
>2) rate-limit - and cache (I think it caches at least, I know it will go
>into proxy mode and rate-limit)
>
>truncate forces TCP which allows RHG to verify the source address is
>really asking to chat, rate-limit function keeps 'bad actors' from
>beating the hell out of the protected resource.
>
>So, without more info from NetSol (seems not to be forthcoming?) about the
>mix of attack traffic (which the RHG will provide) it's hard to state
>definitively that the attack was 'mostly spoofed' :(
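As an added illustration of the two DNS protection modes Chris describes above (truncate to force TCP, and per-source rate-limiting), here is example code that is not from the thread or from any Riverhead product; the query builder, the token-bucket parameters and the handler function are assumptions, and the sample query is constructed from the worldnic.com NS lookup quoted above.

```python
import struct

# Constructed sample query: worldnic.com, type NS (2), class IN, RD=1.
def build_query(qname, qtype, txid=0x1234):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def truncated_response(query):
    """'Truncate' mode: echo the question with QR=1, TC=1 and no answers.
    A real resolver retries over TCP; a spoofed source never completes the
    TCP handshake, so the protected server only answers verified sources."""
    txid, flags, qdcount = struct.unpack(">HHH", query[:6])
    end = query.index(b"\x00", 12) + 1 + 4          # end of QNAME + QTYPE/QCLASS
    rflags = 0x8000 | 0x0200 | (flags & 0x0100)     # QR=1, TC=1, copy RD
    return struct.pack(">HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:end]

def is_truncated(resp):
    return bool(struct.unpack(">H", resp[2:4])[0] & 0x0200)

class SourceRateLimiter:
    """'Rate-limit' mode: a per-source token bucket (assumed parameters:
    'qps' sustained queries per second plus a 'burst' allowance)."""
    def __init__(self, qps, burst):
        self.qps, self.burst = qps, burst
        self.state = {}  # src -> (tokens, last_seen)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.qps)
        if tokens < 1:
            self.state[src] = (tokens, now)
            return False
        self.state[src] = (tokens - 1, now)
        return True

def handle_udp_query(query, src, now, limiter):
    """Drop over-limit sources; otherwise force the client onto TCP."""
    if not limiter.allow(src, now):
        return None
    return truncated_response(query)
```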