[83056] in North American Network Operators' Group


Re: DDoS attacks, spoofed source addresses and adjusted TTLs

daemon@ATHENA.MIT.EDU (Mike Tancsa)
Wed Aug 3 17:11:44 2005

Date: Wed, 03 Aug 2005 17:13:22 -0400
To: "Christopher L. Morrow" <christopher.morrow@mci.com>
From: Mike Tancsa <mike@sentex.net>
Cc: nanog@nanog.org
In-Reply-To: <Pine.GSO.4.58.0508032053520.3650@parapet.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu


At 04:55 PM 03/08/2005, Christopher L. Morrow wrote:
> > hops away, the TTL of the packet when it got to me was 56).  Yes, I know
> > those could be adjusted in theory to mask multiple sources, but in practice
> > has anyone seen that ?
>
>what exactly was the question?

You answered it mostly -- what do people see in the real world -- plain Jane 
unadulterated packets, or spoofed / manipulated ones.  Of all the attacks I 
have suffered through, they all seemed to be from legit IP addresses save 
one and that was some time ago.  However, except for 2 people in about 4 
years, I have never gotten a response from various NOC/Abuse desks as to 
whether or not the attacking IPs I identified were in fact part of the 
attack or were spoofed.

However, in the cases where I had customer PCs participating in attacks, 
there seems to be a higher percentage of random source addresses (which get 
dropped before they leave my network). Have that many networks implemented 
RPF as to make spoofed addresses moot?

         ---Mike 

