[83013] in North American Network Operators' Group


DDoS attacks, spoofed source addresses and adjusted TTLs

daemon@ATHENA.MIT.EDU (Mike Tancsa)
Wed Aug 3 11:30:01 2005

Date: Wed, 03 Aug 2005 10:24:03 -0400
To: nanog@nanog.org
From: Mike Tancsa <mike@sentex.net>
Errors-To: owner-nanog@merit.edu



I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were 
coming in on all 3 of my transit links from a handful of source IP addresses 
that sort of make sense in terms of the path they would take to get to 
me.  They were all large UDP packets of the form

09:08:58.981781 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 82.165.244.204 > ta.rg.et.IP: udp (frag 47080:1480@1480+) (ttl 54, len 1500)
0x0010   yyyy yyyy 4242 4242 4242 4242 4242 4242            BBBBBBBBBBBB
0x0020   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0030   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0040   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0050   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB
0x0060   4242 4242 4242 4242 4242 4242 4242 4242        BBBBBBBBBBBBBBBB

The TTLs all kind of make sense and are consistent (e.g. if the host is 8 
hops away, the TTL of the packet when it got to me was 56).  Yes, I know 
those could be adjusted in theory to mask multiple sources, but in practice 
has anyone seen that?  I seem to recall reading the majority of DDoS 
attacks do not come from spoofed source IP addresses.

Of the traffic snapshot I took, the breakdown seems to jibe as well with 
the PTR records, i.e. PTR records that indicate a home broadband connection 
were fewer than PTR records suggesting a server in a datacentre 
somewhere.  A few of the IPs involved, capturing 1000 packets on one of my 
links at the time:

  210 207.58.177.151 - server.creditprofits.com
  287 65.39.230.20 - server4.xlservers.com
   11 67.52.82.118 - rrcs-67-52-82-118.west.biz.rr.com
  492 82.165.244.204 - u15178515.onlinehome-server.com

It was pretty short-lived as well -- about 8 min total.


         ---Mike




--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
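Added worked example (not part of Mike's post, and not code from the original page): the TTL sanity check he describes, written out so it can be run over a tcpdump capture in the same -e/-v layout as the packet quoted above. For each source address it counts packets, infers the likely initial TTL and hop count, and flags two things a spoofed flood tends to show: one source address arriving with more than one TTL, or an implied hop count far from what a traceroute to that address reports. Everything not in the post is an assumption: the capture lines are constructed (RFC 5737 documentation addresses, made-up MACs), the 64/128/255 initial-TTL table is the usual OS-default guess, EXPECTED_HOPS stands in for real traceroute measurements, and the 2-hop tolerance is arbitrary slack for asymmetric paths.

```python
"""TTL/hop-count consistency check over a tcpdump capture, per source address.

Added example, not code from the original post. The capture lines below are
constructed in the same tcpdump -e -v layout as the packet quoted in the post;
EXPECTED_HOPS stands in for what a traceroute to each source would report,
and the 64/128/255 initial-TTL table and the 2-hop tolerance are assumptions.
"""
import re
from collections import Counter, defaultdict

# One capture line per packet, in the tcpdump -e -v layout quoted in the post:
#   <ts> <src mac> <dst mac> 0800 <frame len>: <src[.port]> > <dst[.port]>: udp ... (ttl N, len M)
# Ports are absent on non-first fragments, so they are optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s.*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:\s+"
    r"(?P<proto>[a-z]+).*?\(ttl (?P<ttl>\d+), len (?P<len>\d+)\)"
)

# Default initial TTLs of common stacks (assumption: Linux/BSD 64, Windows 128,
# many routers and older stacks 255). A host is presumed to have started from
# the smallest default that is >= the TTL we observed.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: three sources flooding one target with 1500-byte UDP
# fragments. 192.0.2.10 is consistent; 198.51.100.7 shows two different TTLs;
# 192.0.2.200 arrives with a TTL implying far more hops than its traceroute.
# The last line is an ARP frame and must be skipped by the parser.
SAMPLE_CAPTURE = """\
09:08:58.981781 00:11:22:33:44:55 66:77:88:99:aa:bb 0800 1514: 192.0.2.10.40000 > 203.0.113.1.80: udp 2960 (frag 47080:1480@0+) (ttl 56, len 1500)
09:08:58.981902 00:11:22:33:44:55 66:77:88:99:aa:bb 0800 1514: 192.0.2.10 > 203.0.113.1: udp (frag 47080:1480@1480+) (ttl 56, len 1500)
09:08:58.982011 00:11:22:33:44:55 66:77:88:99:aa:bb 0800 1514: 192.0.2.10 > 203.0.113.1: udp (frag 47081:1480@1480+) (ttl 56, len 1500)
09:08:58.982100 00:11:22:33:44:55 66:77:88:99:aa:bb 0800 1514: 198.51.100.7 > 203.0.113.1: udp (frag 1:1480@1480+) (ttl 54, len 1500)
09:08:58.982201 00:11:22:33:44:55 66:77:88:99:aa:bb 0800 1514: 198.51.100.7 > 203.0.113.1: udp (frag 2:1480@1480+) (ttl 118, len 1500)
09:08:58.982302 00:11:22:33:44:55 66:77:88:99:aa:bb 0800 1514: 198.51.100.7 > 203.0.113.1: udp (frag 3:1480@1480+) (ttl 54, len 1500)
09:08:58.982405 00:11:22:33:44:55 66:77:88:99:aa:bb 0800 1514: 192.0.2.200 > 203.0.113.1: udp (frag 9:1480@1480+) (ttl 245, len 1500)
09:08:58.982500 00:11:22:33:44:55 66:77:88:99:aa:bb 0806 42: arp who-has 203.0.113.1 tell 203.0.113.254
"""

# Stand-in for hop counts measured with traceroute toward each source
# (assumption: the reverse path length is close to the forward one).
EXPECTED_HOPS = {"192.0.2.10": 8, "198.51.100.7": 10, "192.0.2.200": 3}


def infer_initial_ttl(ttl):
    """Smallest common default TTL the observed value could have started from."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    raise ValueError(f"TTL {ttl} exceeds every known default")


def parse_capture(text):
    """Return one dict per IP packet line; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                            "ttl": int(m["ttl"]), "len": int(m["len"])})
    return packets


def summarize(packets, expected_hops=None, tolerance=2):
    """Per-source packet count, observed TTLs, inferred hop count and warning flags.

    'ttl-varies'   : one source address arrived with more than one TTL, which is
                     what several spoofing hosts at different distances look like.
    'hop-mismatch' : inferred hop count differs from the traceroute value by more
                     than `tolerance` (assumed slack for asymmetric paths).
    """
    expected_hops = expected_hops or {}
    ttls_by_src = defaultdict(list)
    for p in packets:
        ttls_by_src[p["src"]].append(p["ttl"])

    report = {}
    for src, ttls in ttls_by_src.items():
        common_ttl = Counter(ttls).most_common(1)[0][0]  # most frequent TTL
        initial = infer_initial_ttl(common_ttl)
        hops = initial - common_ttl
        flags = []
        if len(set(ttls)) > 1:
            flags.append("ttl-varies")
        if src in expected_hops and abs(hops - expected_hops[src]) > tolerance:
            flags.append("hop-mismatch")
        report[src] = {"count": len(ttls), "ttls": sorted(set(ttls)),
                       "initial_ttl": initial, "hops": hops, "flags": flags}
    return report


if __name__ == "__main__":
    # Same shape as the per-IP breakdown in the post: count, address, then the check.
    rows = summarize(parse_capture(SAMPLE_CAPTURE), EXPECTED_HOPS).items()
    for src, r in sorted(rows, key=lambda kv: -kv[1]["count"]):
        print(f"{r['count']:5d} {src:<15} ttl={r['ttls']} ~{r['hops']} hops "
              f"{' '.join(r['flags']) or 'ok'}")
```

Feed it real output with something like `tcpdump -n -e -v -i <iface> udp and dst host <target> -c 1000` and a hop table built from traceroutes to the top sources. The caveat the post already hints at applies: whoever generates the packets also chooses the TTL, so a clean result does not prove the sources are genuine. What the check can establish is the opposite: a single source address showing several TTLs, or a hop count nowhere near the traceroute, is positive evidence of spoofing or of several hosts sharing one forged address.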

