North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: DOS Attacks and reliable network contact data.
On Sat, Oct 21, 2000 at 05:14:53PM -0400, Jason Slagle wrote: > 21259901:21259901(0) ack 1412091198 win 2144 <mss 536> > 22:30:52.822459 255.255.255.255.80 > 188.8.131.52.6667: R 0:0(0) ack > 2473479669 win 0 > 22:30:52.822711 184.108.40.206.80 > 220.127.116.11.6667: R 0:0(0) ack > 529389642 win 0 > 22:30:52.822962 18.104.22.168.80 > 22.214.171.124.6667: . ack 1625272127 > win 9112 (DF) > 22:30:52.823213 126.96.36.199.80 > 188.8.131.52.6667: R 0:0(0) ack > 1362286194 win 0 We do get this sort of crap daily at least 5 times a day, distributed tcp/ack, tcp/syn, etc, over 40-50Kpps+ sometimes.. my list of over ~230 slave networks (in /24 format). Kids are after taking CPUs in routers out and not killing you with hundrends and hundreeds of Mbps, high-pps attacks are also very nasty, and of course everything is over some stupid IRC issue. > Their exists no reliable way to get the contact of a network without first > querying arin, then apnic, then the .jp registry for instance. This is a > royal PITA and is in no way scriptable that I can see. What is neat is all those 'slaves' are spoofing inside their own /24 or whatever allocation they sit in, and it's very hard to persuade somebody to look into this as they claim those ip addresses are not in use or have only routers/switches and there is no way those devices could've generated a [d]DoS attack. -- Basil Kruglov [BK252-ARIN] Network Engineering and Security CIFNet, Inc.