Thanks to everyone who took the time to respond, publicly or privately. We're still experiencing 18Mbps (not mbps, as one smart aleck noted that 18 milli-bits wasn't very much at all) of incoming traffic. It's really not a big deal, as our pipe and router are fine with it. It's more just annoying, and disruptive of our stats and accounting. Our ISP (AboveNet) has blocked several single addresses but is loath to block an entire /16. I don't really know why, but then again, I don't really care. Their abuse department is attempting to contact the upstreams on the way back to the offending subnet, and in general AboveNet has been really very responsive and helpful. I appreciate the sentiment of the gentleman who cautioned against jumping to the conclusion that the perpetrator is from China, in light of recent political developments. Still, since the site under attack is www.whitehouse.org, and because in addition to the ping flood, we're seeing more or less constant port scans originating from netblocks registered to China, I think Occam's razor suggests that that's the most likely interpretation. I've forwarded on Andriy Bilous's interesting suggestion of asking our upstream to implement CAR to rate limit ICMP. On that note, we require some ICMP into our network for other purposes, so we can't just block it altogether upstream (and AboveNet is very resistant to implementing packet filtering rules on their big routers, and I don't blame them). This list is (and should be) technical rather than political, but this situation has made me think a bit about how to react to international net abuse, particularly with regards to the current political situation vis-a-vis the US and China. I've come to the conclusion that my first instinct -- to simply block all traffic coming from China -- is actually a bad idea all the way around. The alternative I've come up with is much more satisfying; I'm serving various human rights and international news pages to my Chinese clients.
Anyways, I appreciate all the feedback. I do suspect that the machines attacking us were themselves compromised, as the traffic has fallen from 27Mbps to 18Mbps in a curve consistent with admins finding and shutting off machines. Plus, I don't think anyone wants to pay for that kind of bandwidth for ping floods. Thanks everyone -Brooks
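The CAR suggestion above amounts to a token-bucket policer applied only to ICMP echo traffic, which is what lets the needed ICMP (unreachables, time-exceeded) keep flowing. The following model of that policy is an added example, not code or configuration from the post or from AboveNet; the 256 kbps rate, 8000-byte burst and the packet trace are constructed values.

```python
"""Token-bucket model of the CAR policy mentioned in the thread: police ICMP
echo/echo-reply while other ICMP types (unreachables, time-exceeded) pass.
Constructed example, not configuration from the post or from AboveNet."""
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
RATE_LIMITED_TYPES = {ECHO_REQUEST, ECHO_REPLY}  # what the CAR access-list matches


@dataclass
class TokenBucket:
    """CAR-style policer: `rate_bps` sustained, `burst_bytes` of stored credit."""
    rate_bps: float
    burst_bytes: int
    tokens: float = 0.0
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # start with a full bucket

    def conforms(self, t: float, size: int) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return True   # conform-action transmit
        return False      # exceed-action drop


def police_icmp(packets, rate_bps=256_000, burst_bytes=8_000):
    """packets: (time_s, icmp_type, size_bytes) in time order. Returns
    (transmitted, dropped); only the echo types consume bucket credit."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    transmitted, dropped = [], []
    for pkt in packets:
        t, icmp_type, size = pkt
        if icmp_type in RATE_LIMITED_TYPES and not bucket.conforms(t, size):
            dropped.append(pkt)
        else:
            transmitted.append(pkt)
    return transmitted, dropped


def demo():
    # Constructed trace: one second of 1500-byte echo requests at 1500 pkt/s
    # (about 18 Mbps, the figure in the post) plus two legitimate ICMP errors.
    flood = [(i / 1500, ECHO_REQUEST, 1500) for i in range(1500)]
    errors = [(0.25, DEST_UNREACH, 576), (0.5, TIME_EXCEEDED, 576)]
    return police_icmp(sorted(flood + errors))
```

Running `demo()` shows the flood collapsing to roughly the configured rate (the initial burst plus 256 kbps worth of echo requests) while both ICMP error messages are delivered untouched.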
This archive was generated by hypermail 2b30 : Sat May 05 2001 - 20:02:29 PDT