Re: Been a victim of a DDoS

From: Gustavo Monserrat (segat_private)
Date: Wed Aug 15 2001 - 07:46:08 PDT


    It is actually crazy. :)
    
    You're talking about something like a stateful inspection. It wouldn't work
    for two reasons:
    
    - First, sometimes traffic returns through a link that is not the one it
    left our network from (unbalanced traffic).
    - Second, it could take a huge amount of CPU and memory and could cause
    quality-of-service problems. We are your ISP, you wouldn't want that. :)
    
    Regards,
    Gustavo
    
    ----- Original Message -----
    From: Kolus Maximiliano
    To: 'Vitaly Osipov' ; Gustavo Monserrat
    Cc: incidentsat_private
    Sent: Tuesday, August 14, 2001 4:34 PM
    Subject: RE: Been a victim of a DDoS
    
    
    Hello!
    > source icmp requests to some well-known amplifier networks, so each
    > request results in 10-100 replies directed to the victim. There is no
    > way to stop it though :) Try to contact admins of some networks which
    This may sound crazy, but could work:
    We agree that if there's an ICMP ECHO REPLY without an ICMP ECHO REQUEST,
    something fishy is going on. If the gateway can store for, let's say, 1 minute
    the last echo request, it can allow only replies that match the requests in
    the table. I know it can take a lot of memory and CPU, but it could work for
    medium-sized organizations. Another idea that will use CPU and memory is
    keeping track of where they are coming from; smurf pings broadcast addresses
    of vulnerable networks, thus we will be seeing a lot of echo replies from the
    same network at once, and such a pattern could be detected. And the last one:
    block the offending network _before_ the attack using lists such as netscan's
    (http://www.netscan.org/).
    --
    Maximiliano A. Kolus
    Network Administrator
    <kolus.maximilianoat_private>
    Bolsa De Comercio Rosario - Argentina
    +54 341 4213471 / 78 ext 2291
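    As an added illustration of the gateway table Maximiliano sketches above (this is not code from the thread), here is a small Python model: outbound echo requests are remembered for a minute, an inbound reply is allowed only if it matches one, and unsolicited replies are counted per source /24 so a smurf-style burst from one amplifier network stands out. The 20-reply burst threshold and the sample traffic are assumptions made for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_network
WINDOW = 60.0  # seconds an outbound echo request stays in the table (the "1 minute" above)

class EchoStateTable:
    """Allow only ICMP echo replies that match a recent outbound echo request."""
    def __init__(self, window=WINDOW, burst_threshold=20):
        self.window, self.burst_threshold = window, burst_threshold   # threshold is assumed
        self.pending = {}                      # (local, remote, id, seq) -> time of request
        self.unsolicited = defaultdict(deque)  # source /24 -> times of unsolicited replies

    def _expire(self, now):
        for key in [k for k, ts in self.pending.items() if now - ts > self.window]:
            del self.pending[key]

    def outbound_request(self, src, dst, ident, seq, now):
        self._expire(now)
        self.pending[(src, dst, ident, seq)] = now

    def inbound_reply(self, src, dst, ident, seq, now):
        """Return 'allow', 'drop' or 'drop-burst' for one inbound echo reply."""
        self._expire(now)
        if self.pending.pop((dst, src, ident, seq), None) is not None:
            return "allow"                     # reply fields mirror a request we sent
        # No matching request: count unsolicited replies per source /24 so a smurf-style
        # burst from one amplifier network shows up as a pattern rather than noise.
        times = self.unsolicited[str(ip_network(f"{src}/24", strict=False))]
        times.append(now)
        while now - times[0] > self.window:
            times.popleft()
        return "drop-burst" if len(times) >= self.burst_threshold else "drop"

def process(events, table=None):
    """events: (kind, src, dst, id, seq, time) tuples in time order; one verdict per reply."""
    table = table or EchoStateTable()
    verdicts = []
    for kind, src, dst, ident, seq, t in events:
        if kind == "request":
            table.outbound_request(src, dst, ident, seq, t)
        else:
            verdicts.append(table.inbound_reply(src, dst, ident, seq, t))
    return verdicts

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [("request", "192.0.2.10", "198.51.100.5", 1, 1, 0.0),
          ("reply", "198.51.100.5", "192.0.2.10", 1, 1, 0.1),    # answers our request
          ("request", "192.0.2.10", "198.51.100.5", 1, 2, 1.0)]
SAMPLE += [("reply", f"203.0.113.{i}", "192.0.2.10", 9, 9, 5.0 + i) for i in range(1, 26)]
SAMPLE += [("reply", "198.51.100.5", "192.0.2.10", 1, 2, 70.0)]  # request older than a minute
```

Running `process(SAMPLE)` allows the first reply, drops the unsolicited ones, flags the tail of the 203.0.113.0/24 burst once twenty have arrived within the window, and drops the late reply whose request has already expired.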
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com