[83054] in North American Network Operators' Group
Re: DDoS attacks, spoofed source addresses and adjusted TTLs
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Wed Aug  3 16:56:24 2005
Date: Wed, 03 Aug 2005 20:55:55 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <6.2.1.2.0.20050803100339.07079758@64.7.153.2>
To: Mike Tancsa <mike@sentex.net>
Cc: nanog@nanog.org
Errors-To: owner-nanog@merit.edu
On Wed, 3 Aug 2005, Mike Tancsa wrote:
>
>
> I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were
> coming in all 3 of my transit links from a handful of source IP addresses
> that sort of make sense in terms of the path they would take to get to
> me.  They were all large UDP packets of the form
In reality almost no UDP floods are spoofed, save DNS-smurf attacks... so
you probably saw legit hosts sending bad packets.
> The TTLs all kind of make sense and are consistent (e.g. if the host is 8
> hops away, the TTL of the packet when it got to me was 56).  Yes, I know
> those could be adjusted in theory to mask multiple sources, but in practice
> has anyone seen that? I seem to recall reading the majority of DDoS
> attacks do not come from spoofed source IP addresses.
Depends on the protocol, attacker, and tools at their disposal, most likely.
I can say we see more non-spoofed than spoofed these days. (go botland
go!)
What exactly was the question?