Re: DDoS attacks, spoofed source addresses and adjusted TTLs

2005-08-03 Thread Christopher L. Morrow


On Wed, 3 Aug 2005, Mike Tancsa wrote:

> At 04:55 PM 03/08/2005, Christopher L. Morrow wrote:
> > > hops away, the TTL of the packet when it got to me was 56).  Yes, I know
> > > those could be adjusted in theory to mask multiple sources, but in 
> > > practice
> > > has anyone seen that ?
> >
> >what exactly was the question?
>
> You answered it mostly-- what do people see in the real world-- plain jane

oh phew :)

> dropped before they leave my network). Have that many networks implemented
> RPF as to make spoofed addresses moot ?

probably not :( reference the MIT spoofer project:
paper ->
http://www.mit.edu/~rbeverly/papers/spoofer-sruit05.html
nanog preso ->
http://www.nanog.org/mtg-0505/beverly.html

project-homepage: http://spoofer.csail.mit.edu.

probably simpler to just get bots than spoof.



Re: DDoS attacks, spoofed source addresses and adjusted TTLs

2005-08-03 Thread Mike Tancsa


At 04:55 PM 03/08/2005, Christopher L. Morrow wrote:

> hops away, the TTL of the packet when it got to me was 56).  Yes, I know
> those could be adjusted in theory to mask multiple sources, but in practice
> has anyone seen that ?

what exactly was the question?


You answered it mostly-- what do people see in the real world-- plain jane 
unadulterated packets, or spoofed / manipulated ones.  Of all the attacks I 
have suffered through, they all seemed to be from legit IP addresses save 
one and that was some time ago.  However, except for 2 people in about 4 
years, I have never gotten a response from various NOC/Abuse desks as to 
whether or not the attacking IPs I identified were in fact part of the 
attack or were spoofed.


However, in the cases where I had customer PCs participating in attacks, 
there seems to be a higher percentage of random source addresses (which get 
dropped before they leave my network). Have that many networks implemented 
RPF as to make spoofed addresses moot ?


---Mike 



Re: DDoS attacks, spoofed source addresses and adjusted TTLs

2005-08-03 Thread Christopher L. Morrow


On Wed, 3 Aug 2005, Mike Tancsa wrote:

>
>
> I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were
> coming in all 3 of my transit links from a handful of source IP addresses
> that sort of make sense in terms of the path they would take to get to
> me.  They were all large UDP packets of the form

in reality almost no udp floods are spoofed, save dns-smurf attacks... so
you probably saw legit hosts sending bad packets.

> The TTLs all kind of make sense and are consistent (e.g. if the host is 8
> hops away, the TTL of the packet when it got to me was 56).  Yes, I know
> those could be adjusted in theory to mask multiple sources, but in practice
> has anyone seen that ? I seem to recall reading the majority of DDoS
> attacks do not come from spoofed source IP addresses.

depends on the protocol, attacker and tools at their disposal most likely.
I can say we see more non-spoofed than spoofed these days. (go botland
go!)

what exactly was the question?


DDoS attacks, spoofed source addresses and adjusted TTLs

2005-08-03 Thread Mike Tancsa



I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were 
coming in all 3 of my transit links from a handful of source IP addresses 
that sort of make sense in terms of the path they would take to get to 
me.  They were all large UDP packets of the form


09:08:58.981781 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514:
82.165.244.204 > ta.rg.et.IP: udp (frag 47080:[EMAIL PROTECTED]) (ttl 54, len 1500)
0x0010     4242 4242 4242 4242 4242 4242
0x0020   4242 4242 4242 4242 4242 4242 4242 4242
0x0030   4242 4242 4242 4242 4242 4242 4242 4242
0x0040   4242 4242 4242 4242 4242 4242 4242 4242
0x0050   4242 4242 4242 4242 4242 4242 4242 4242
0x0060   4242 4242 4242 4242 4242 4242 4242 4242

The TTLs all kind of make sense and are consistent (e.g. if the host is 8 
hops away, the TTL of the packet when it got to me was 56).  Yes, I know 
those could be adjusted in theory to mask multiple sources, but in practice 
has anyone seen that ? I seem to recall reading the majority of DDoS 
attacks do not come from spoofed source IP addresses.


Of the traffic snapshot I took, the breakdown seems to jibe as well with
the PTR records, i.e. PTR records that indicate a home broadband connection
were less than PTR records suggesting a server in a datacentre
somewhere.  A few of the IPs involved, capturing 1000 packets on one of my
links at the time:


 210 207.58.177.151 - server.creditprofits.com
 287 65.39.230.20 -  server4.xlservers.com
  11 67.52.82.118 - rrcs-67-52-82-118.west.biz.rr.com
 492 82.165.244.204 - u15178515.onlinehome-server.com

It was pretty short lived as well -- about 8 min total.


---Mike





Mike Tancsa,  tel +1 519 651 3400
Sentex Communications, [EMAIL PROTECTED]
Providing Internet since 1994    www.sentex.net
Cambridge, Ontario Canada    www.sentex.net/mike
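The TTL sanity check the original post describes (8 hops away, TTL 56 on arrival, so the packet started at 64) can be turned into a per-source consistency test over a capture. The script below is an added example, not code from the thread or from anyone on it; the packet list, the hop counts (as a traceroute to each source would give) and the RFC 5737 addresses are all constructed, and the common initial TTLs of 64, 128 and 255 are an assumption about the sending operating systems.

```python
"""TTL / hop-count consistency check for flood sources (added example).
A host 8 hops away arriving with TTL 56 implies an initial TTL of 64; a source
whose TTLs fit no common initial TTL minus its measured path, or whose TTLs
jump around, is a spoofing candidate rather than an obvious abuse report."""
from collections import defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)  # defaults of the common operating systems

def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL the observed value could have started from."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None  # not a valid IPv4 TTL

def implied_hops(observed_ttl):
    """Hop count the packet implies under the inferred initial TTL."""
    initial = infer_initial_ttl(observed_ttl)
    return None if initial is None else initial - observed_ttl

def classify_source(ttls, measured_hops, slack=2):
    """Compare TTLs seen from one source with the hop count measured to it
    (e.g. by traceroute): 'consistent', 'hop-mismatch' or 'ttl-jitter'."""
    distinct = sorted(set(ttls))
    if distinct[-1] - distinct[0] > slack:  # more spread than path flaps explain
        return "ttl-jitter"
    hops = implied_hops(distinct[-1])
    if hops is not None and abs(hops - measured_hops) <= slack:
        return "consistent"
    return "hop-mismatch"

def classify_capture(packets, hop_table, slack=2):
    """Group (src, ttl) observations per source and classify each source."""
    per_source = defaultdict(list)
    for src, ttl in packets:
        per_source[src].append(ttl)
    return {src: classify_source(ttls, hop_table[src], slack)
            for src, ttls in per_source.items()}

# Constructed sample: RFC 5737 addresses stand in for the flood sources.
SAMPLE_PACKETS = ([("192.0.2.10", 56)] * 4                                   # 8 hops from 64
                  + [("198.51.100.7", 118), ("198.51.100.7", 117)]          # ~10 hops from 128
                  + [("203.0.113.5", 200), ("203.0.113.5", 33), ("203.0.113.5", 90)]
                  + [("203.0.113.77", 250)] * 3)                              # claims 5 hops
SAMPLE_HOPS = {"192.0.2.10": 8, "198.51.100.7": 11, "203.0.113.5": 12, "203.0.113.77": 18}

if __name__ == "__main__":
    for src, verdict in sorted(classify_capture(SAMPLE_PACKETS, SAMPLE_HOPS).items()):
        print(f"{src:15} {verdict}")
```

A "consistent" verdict only says the TTLs are not obviously forged; a "hop-mismatch" or "ttl-jitter" verdict is a reason to confirm with the source's NOC before treating the address as the real origin.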