RE: Been a victim of a DDoS

It is actually crazy. :) You're talking about something like a stateful inspection.

It wouldn't work for two reasons:

- First, sometimes traffic returns through a link that is not the one it left our network from (unbalanced traffic).
- Second, it could take a huge amount of CPU and memory and could cause quality service problems.

We are your ISP, you wouldn't want that. :)

Regards,
Gustavo

----- Original Message -----
From: Kolus Maximiliano
To: 'Vitaly Osipov' ; Gustavo Monserrat
Cc: incidentsat_private
Sent: Tuesday, August 14, 2001 4:34 PM
Subject: RE: Been a victim of a DDoS

Hello!

> source icmp requests to some well-known amplifier networks, so each
> request results in 10-100 replies directed to the victim. There is no
> way to stop it though :) Try to contact admins of some networks which

This may sound crazy, but could work:

We agree that if there's an ICMP ECHO REPLY without an ICMP ECHO REQUEST something fishy is going on. If the gateway can store for, let's say, 1 minute the last echo request, it can allow only replies that match the requests on the table. I know it can take a lot of memory and CPU, but it could work for medium-sized organizations.

Another idea that will use CPU and memory is keeping track of where they are coming from; smurf ping broadcast addresses of vulnerable networks, thus, we will be seeing a lot of echo replies from the same network at once, such pattern could be detected.

And the last one, block the offending network _before_ the attack using lists such as netscan's one (http://www.netscan.org/).

--
Maximiliano A. Kolus
Network Administrator <kolus.maximilianoat_private>
Bolsa De Comercio Rosario - Argentina
+54 341 4213471 / 78 ext 2291

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
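The two gateway-side ideas discussed in this thread (a one-minute echo-request table, and spotting many echo replies from one network at once), sketched as an added example that is not part of either message. The class and function names, the /24 grouping, the burst threshold and window, and all addresses are assumptions constructed for illustration.

```python
# Added illustration; packet values below are constructed sample data.
import ipaddress
from collections import defaultdict

TTL = 60.0         # seconds an echo request stays in the table ("1 minute")
BURST_HOSTS = 10   # assumed threshold: distinct unmatched repliers per /24
WINDOW = 5.0       # assumed burst window in seconds


class EchoReplyFilter:
    def __init__(self):
        self.pending = {}                   # (inside, outside, id, seq) -> time sent
        self.unmatched = defaultdict(dict)  # /24 network -> {replier: last seen}

    def request_out(self, now, src, dst, ident, seq):
        """Record an echo request seen leaving through this gateway."""
        self.pending[(src, dst, ident, seq)] = now

    def reply_in(self, now, src, dst, ident, seq):
        """Return 'allow', 'drop' or 'drop+alert' for an inbound echo reply."""
        # Full-table expiry on every packet: this is the CPU/memory cost at scale.
        self.pending = {k: t for k, t in self.pending.items() if now - t <= TTL}
        # A reply from src to dst answers a request from dst to src; use it once.
        if self.pending.pop((dst, src, ident, seq), None) is not None:
            return "allow"
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        seen = self.unmatched[net]
        seen[src] = now
        for host in [h for h, t in seen.items() if now - t > WINDOW]:
            del seen[host]
        return "drop+alert" if len(seen) >= BURST_HOSTS else "drop"


def demo():
    fw, out = EchoReplyFilter(), []
    fw.request_out(0.0, "10.0.0.5", "198.51.100.7", 1, 1)
    out.append(fw.reply_in(0.2, "198.51.100.7", "10.0.0.5", 1, 1))   # matched
    out.append(fw.reply_in(0.3, "198.51.100.7", "10.0.0.5", 1, 1))   # no entry left
    fw.request_out(1.0, "10.0.0.5", "198.51.100.7", 1, 2)
    out.append(fw.reply_in(70.0, "198.51.100.7", "10.0.0.5", 1, 2))  # entry expired
    # Ten hosts in one /24 answer a request this gateway never recorded.
    for i in range(1, 11):
        out.append(fw.reply_in(100.0 + i * 0.1, f"203.0.113.{i}", "10.0.0.9", 0, 0))
    return out
```

A legitimate reply whose request left through a different link has no table entry either, so this filter drops it exactly like the second case in `demo()`; that is the unbalanced-traffic objection in the reply.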
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 09:22:45 PDT