Sounds like you have a nice response strategy for many attacks. But....

2000-02-16-18:42:18 Barrett G. Lyon:
> I first identify what type of attack is coming in and what the
> targets of the attack are (host/service/user/..etc..). I then
> immediately drop and log all packets from attacking network(s) (to
> reduce load on attacked machines if it is a SYN attack, etc). [
> granted it is not possible with some sorts of attacks to drop and
> log everything ]

This is one of those sorts. Random source addresses, random ports; you can disconnect yourself from the net, but why bother, the attacker has already done that for you. The first hint you have that something is going wrong looks more like a router crash than an attack. At least according to SANS, Yahoo was getting hit with as much as a gigabyte per second of data. I don't know about you, but if someone pointed something that big at me, the result wouldn't look like an attack on _me_, it would completely nuke my provider and all their customers, blow us all clean off the air.

> You need to figure out who is actually doing the attack and
> notify their providers with a clean description of what actually
> took place. [...] When I think about it there is also an entire
> forensics process of figuring out who was/is doing the attack.
> I've found that before an attack begins the attacker usually does
> a port scan or some sort of survey of the services on the target
> system and usually the attacker does this from their own host and
> not another host. They figure you will never link the attack to a
> port scan or whatever the survey may be. . .

When this DDoS is unleashed on you, you haven't been probed before; they aren't hunting for vulnerabilities, they're clogging your pipes and overwhelming your routers and servers. The packets you receive have random forged source addresses, so you can't track them to their source by examining the packets.

The only thing you can tell by examining the packets is which router last touched that packet. So you can backtrace one step at a time, but as soon as you get to your borders, the backtraces start fanning out exponentially, since these attacks are mounted using thousands of systems simultaneously.

It's possible that the attackers might have port-scanned the victims before launching these attacks --- anything's possible. But there's sure no reason for it; unless the attackers were dumb, the very first and only packets that hit the victims in any way connected with this attack or the attackers were the torrents from the thousands of zombies, pouring in with forged source addrs.

> I could write an entire book on this subject but my point is that
> I really don't think large corporations are equipped to handle
> nearly any type of DoS attack. They don't understand the dynamics
> of the attacks and they don't understand the methods of surviving
> an attack.

This one you don't survive, and you don't handle. You lie there dead until the attacker takes their foot off your throat.

In theory, perhaps, if the attacker were to have tried to keep one of these sites down for days or weeks, it might have been possible to start backtracking enough of the zombie hosts to begin to thin out the DDoS net. And it's always possible that the attacker has left enough tracks at one of the zombies to make it possible to backtrack them completely. But I wouldn't bet on it.

> Too bad it is not possible for providers to practice proper egress
> filter techniques, because after all that is what this is all
> about.

It's not only possible, that's the only real fix. It'll happen, too. But I'm not sure it'll be primarily the providers; I think despite the growth of the internet providing business a thousand-fold or more in the 1990s, the total amount of internet design and admin clue has remained constant. There are a lot of morons running backbones these days.

I suspect ingress filtering will be rolled out faster by connecting customers than by providers. It's trivially easy to do, and doing it gets you immediate benefits. While you're at it, slap down IP Directed Broadcast filtering, too.

-Bennett

P.S. I've done a whitepaper on DDoS at <URL:https://fridge.oven.com/~bet/DDoS/>.
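The two controls the message ends on, source-address ingress filtering at the customer edge (the practice later codified as RFC 2827 / BCP 38) and dropping IP directed broadcasts, are simple enough to model in a few lines. The following is an added example, not code from the message or its author: a toy edge filter that accepts a packet only if its source lies inside the prefixes assigned to the interface it arrived on, and drops any packet addressed to the broadcast address of a directly attached subnet. Interface names, prefixes and the sample packets are all constructed; the `classify`, `filter_packets` and `drop_summary` functions are hypothetical, not any router's API.

```python
"""Toy ingress (anti-spoofing) and directed-broadcast filter.

Hypothetical model of the two edge controls discussed in the message:
 - BCP 38-style ingress filtering: a customer-facing interface only admits
   packets whose source address is inside that customer's assigned prefixes,
   so forged sources never make it onto the provider network;
 - directed-broadcast filtering: nothing may be delivered to the broadcast
   address of a locally attached subnet, so one packet cannot be amplified
   into a reply from every host on it.
All topology and packet data below is constructed for the example.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[str, str, str]  # (ingress_interface, src_ip, dst_ip)

# Constructed topology: prefixes that may legitimately source traffic on each
# customer-facing interface.  Interfaces not listed (e.g. transit links) get
# no source check, only the directed-broadcast check.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/26"],
}
# Directly attached subnets whose broadcast addresses must not be reachable.
LOCAL_SUBNETS: List[str] = ["203.0.113.0/24"]


def classify(pkt: Packet) -> str:
    """Return 'accept' or a 'drop:<reason>' verdict for one packet."""
    iface, src, dst = pkt
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # Ingress source check applies only on interfaces with an assigned policy.
    if iface in CUSTOMER_PREFIXES:
        allowed = [ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES[iface]]
        if not any(src_ip in net for net in allowed):
            # Source outside the customer's space: a forged source address.
            return "drop:spoofed-source"

    # Directed-broadcast check applies on every interface.
    for net in (ipaddress.ip_network(s) for s in LOCAL_SUBNETS):
        if dst_ip == net.broadcast_address:
            return "drop:directed-broadcast"
    return "accept"


def filter_packets(packets: Iterable[Packet]) -> Tuple[list, list]:
    """Split packets into (accepted, dropped); each entry is (pkt, verdict)."""
    accepted, dropped = [], []
    for pkt in packets:
        verdict = classify(pkt)
        (accepted if verdict == "accept" else dropped).append((pkt, verdict))
    return accepted, dropped


def drop_summary(dropped: list) -> Dict[str, int]:
    """Count drop reasons per ingress interface: the figures worth logging."""
    return dict(Counter(f"{pkt[0]} {reason}" for pkt, reason in dropped))


# Constructed sample traffic.
SAMPLE_PACKETS: List[Packet] = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),        # legitimate
    ("cust-a", "10.9.8.7", "203.0.113.5"),          # forged source
    ("cust-b", "198.51.100.150", "203.0.113.5"),    # legitimate, 2nd prefix
    ("cust-b", "198.51.100.150", "203.0.113.255"),  # directed broadcast
    ("cust-b", "192.0.2.10", "203.0.113.5"),        # cust-a's space via cust-b
    ("transit", "8.8.8.8", "203.0.113.255"),        # broadcast from outside
]

if __name__ == "__main__":
    acc, drp = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(acc)}, dropped {len(drp)}")
    for key, count in sorted(drop_summary(drp).items()):
        print(f"  {count:3d}  {key}")
```

The check is deliberately one-sided: it rules on where a packet came in and what it claims as its source, never on the destination being "under attack", which is exactly why it can be deployed by every connecting customer independently and before anyone is being flooded. The per-interface drop counts are the signal to watch; a sudden rise in `spoofed-source` drops on one customer port means a machine behind it has been recruited into somebody else's flood.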
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:06:03 PDT