Followup on ping flood

From: Talley, Brooks (brooksat_private)
Date: Sat May 05 2001 - 14:18:34 PDT


    Thanks to everyone who took the time to respond, publicly or privately.
    
    We're still experiencing 18Mbps (not mbps, as one smart aleck noted
    that 18 milli-bits wasn't very much at all) of incoming traffic.  It's
    really not a big deal, as our pipe and router are fine with it.  It's
    more just annoying, and disruptive of our stats and accounting.
    
    Our ISP (AboveNet) has blocked several single addresses but is loath to
    block an entire /16.  I don't really know why, but then again, I don't
    really care.  Their abuse department is attempting to contact the
    upstreams on the way back to the offending subnet, and in general
    AboveNet has been really very responsive and helpful.
    
    I appreciate the sentiment of the gentleman who cautioned against
    jumping to the conclusion that the perpetrator is from China, in light
    of recent political developments.  Still, since the site under attack is
    www.whitehouse.org, and because in addition to the ping flood, we're
    seeing more or less constant port scans originating from netblocks
    registered to China, I think Occam's razor suggests that that's the most
    likely interpretation.
    
    I've forwarded on Andriy Bilous's interesting suggestion of asking our
    upstream to implement CAR to rate limit ICMP.  On that note, we require
    some ICMP into our network for other purposes, so we can't just block it
    altogether upstream (and AboveNet is very resistant to implementing
    packet filtering rules on their big routers, and I don't blame them).
    
    This list is (and should be) technical rather than political, but this
    situation has made me think a bit about how to react to international
    net abuse, particularly with regards to the current political situation
    vis-a-vis the US and China.  I've come to the conclusion that my first
    instinct -- to simply block all traffic coming from China -- is actually
    a bad idea all the way around.  The alternative I've come up with is
    much more satisfying; I'm serving various human rights and international
    news pages to my Chinese clients.
    
    Anyways, I appreciate all the feedback.  I do suspect that the machines
    attacking us were themselves compromised, as the traffic has fallen from
    27Mbps to 18Mbps in a curve consistent with admins finding and shutting
    off machines.  Plus, I don't think anyone wants to pay for that kind of
    bandwidth for ping floods.
    
    Thanks everyone
    -Brooks
    