Re: Odd DDoS, anyone else seen this?

2002-11-29 Thread bdragon

> Looked just like a regular SYN flood to the target IP.  Not sure why they
> picked source addresses that were so obviously bogus though.
> 
> Can anyone think of a reason why this sort of traffic should be routed at 
> all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?

x.x.0.0 is a valid ip address for networks with bit lengths of 0 through 15.
And yes, folks do use /32 and /31 addresses which end in .0.

> Rich




Re: Odd DDoS, anyone else seen this?

2002-11-26 Thread Joe Provo

On Mon, 25 Nov 2002 [EMAIL PROTECTED] wrote:
>
> Can anyone think of a reason why this sort of traffic should be routed at
> all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?

Generally not for end-stations since end-users tend to have broken 
software with lousy assumptions, but I've seen and used all of the 
last octet for infrastructure elements, especially loopbacks and 
point-to-point /31s. Only problems have been in people's heads. 

Cheers,

Joe

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE




Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread Joel Jaeggli


if you have a subnet larger than /24 not using .0 and .255 gets somewhat 
wasteful...

we have observed some versions of windows having trouble connecting to 
hosts ending in .255.

On Tue, 26 Nov 2002 [EMAIL PROTECTED] wrote:

> 
> On Mon, 25 Nov 2002, Christopher L. Morrow wrote:



> > 
> > I've seen cable modem users have .0 ips.
> 
> DSL ports too.  I was spammed today from a Verizon DSL IP of 4.46.3.0.


> --
>  Jon Lewis *[EMAIL PROTECTED]*|  I route
>  System Administrator|  therefore you are
>  Atlantic Net|  
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
> 

-- 
Joel Jaeggli  Academic User Services   [EMAIL PROTECTED]
--PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E  --
  In Dr. Johnson's famous dictionary patriotism is defined as the last
  resort of the scoundrel.  With all due respect to an enlightened but
  inferior lexicographer I beg to submit that it is the first.
-- Ambrose Bierce, "The Devil's Dictionary"





Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread jlewis

On Mon, 25 Nov 2002, Christopher L. Morrow wrote:

> On Mon, 25 Nov 2002 [EMAIL PROTECTED] wrote:
> >
> > Can anyone think of a reason why this sort of traffic should be routed at
> > all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?
> >
> 
> I've seen cable modem users have .0 ips.

DSL ports too.  I was spammed today from a Verizon DSL IP of 4.46.3.0.

--
 Jon Lewis *[EMAIL PROTECTED]*|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread Valdis . Kletnieks
On Mon, 25 Nov 2002 14:03:14 GMT, [EMAIL PROTECTED] said:
> I know that these are both legitimate IP addresses, but if they are only 
> being used for DDoS then surely we should look at locking them down (in 
> the same way as broadcast packets have been)?

We should look at locking them down the same way we've looked at locking
down broadcast packets? Or am I incorrect, and in fact Smurf attacks have
become so rare that they are once again only of theoretical interest?





Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread Christopher L. Morrow


On Mon, 25 Nov 2002 [EMAIL PROTECTED] wrote:
>
> Can anyone think of a reason why this sort of traffic should be routed at
> all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?
>

I've seen cable modem users have .0 ips.




Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread Stephen J. Wilcox

> > Can anyone think of a reason why this sort of traffic should be routed at 
> > all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?
> > 
> 
> Yer, some dial providers that I've seen do it to make use of these
> addresses, as x.x.x.0/32 is a perfectly valid host address.

Interestingly we used to use /22s on our dial boxes and as a result of users
with .0 or .255 addresses finding access problems to some areas of the Internet
we stopped assigning them.

It's curious just how many systems on the Internet are misconfigured or run
software created by folks without proper understanding of the network protocols
(M$). I wonder to what extent this poor engineering is detrimental to the ever
changing Internet and if we'll hit a point where there are so many workarounds it
becomes unmanageable.. (hmm, we might be pretty close from some of the things
I've seen ;)







Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread variable

On Mon, 25 Nov 2002, Chris Roberts wrote:

> Yer, some dial providers that I've seen do it to make use of these
> addresses, as x.x.x.0/32 is a perfectly valid host address.

I've seen this too.  Dialup boxes that use dynamic pools prefer them to
start on a subnet boundary so that they can announce a single aggregate
route for the whole pool. However we ran into problems with using x.x.x.0
before (think it was a broken TCP/IP from some vendor or another) and so 
we moved the dynamic pools further up the subnet.

Rich




Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread variable

On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:

> Glad to know it's not just me..

DDoS is a problem for everyone, but only a few people seem to be trying to 
do anything about it.
 
> FYI x.x.0.0 is a valid host address as is x.x.x.0 and it would be
> technically incorrect to block it assuming it to be a network address
> and therefore bogon.

Agreed, but we did a quick risk analysis and we thought blocking the DDoS
was the lesser of the two evils.  Again, if anyone is actually using
x.x.0.0 addresses for hosts it would be useful to know.

> However this may be a way to do it if we see another attack, although I
> would strongly recommend against filtering x.x.x.0 I would doubt that
> there are any valid x.x.0.0 hosts on the internet so could filter on
> that..

That's what I expected, but wanted to see what effect it would have on 
legitimate traffic first.  Again, it would be useful to know if anyone is 
dropping hosts on to x.x.x.0 as well. 

I know that these are both legitimate IP addresses, but if they are only 
being used for DDoS then surely we should look at locking them down (in 
the same way as broadcast packets have been)?

Rich




Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread Stephen J. Wilcox


Glad to know it's not just me..

FYI x.x.0.0 is a valid host address as is x.x.x.0 and it would be technically
incorrect to block it assuming it to be a network address and therefore bogon.

However this may be a way to do it if we see another attack, although I would
strongly recommend against filtering x.x.x.0 I would doubt that there are any
valid x.x.0.0 hosts on the internet so could filter on that..

Steve

On Mon, 25 Nov 2002 [EMAIL PROTECTED] wrote:

> On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:
> 
> > We saw many hundred thousand packets per second entering our network
> > from various international peers, each packet was tcp destined to a
> > single real end user IP address and sourced from a /16 network address
> > eg 61.254.0.0, where the src was random and different on each packet but
> > always x.x.0.0
> 
> Yes.  We've asked all our upstreams to block it completely (with varying
> degrees of success from it being permanently blocked at their borders to 
> "we can't apply filters on your interface").
> 
> For Junos (I was informed that this is only available in 5.5), you can
> filter using:
> 
> 0.0.0.0/0.0.255.255 
> 
> On a cisco you can block using: 
> 
> deny ip 0.0.0.0 255.255.0.0 any 
> 
> > I was unable to find out more about the data within the packet, the
> > sheer volume made diagnosis impossible without killing the routers.
> 
> Looked just like a regular SYN flood to the target IP.  Not sure why they
> picked source addresses that were so obviously bogus though.
> 
> Can anyone think of a reason why this sort of traffic should be routed at 
> all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?
> 
> Rich
> 
> 




Re: Odd DDoS, anyone else seen this?

2002-11-25 Thread variable

On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:

> We saw many hundred thousand packets per second entering our network
> from various international peers, each packet was tcp destined to a
> single real end user IP address and sourced from a /16 network address
> eg 61.254.0.0, where the src was random and different on each packet but
> always x.x.0.0

Yes.  We've asked all our upstreams to block it completely (with varying
degrees of success from it being permanently blocked at their borders to 
"we can't apply filters on your interface").

For Junos (I was informed that this is only available in 5.5), you can
filter using:

0.0.0.0/0.0.255.255 

On a cisco you can block using: 

deny ip 0.0.0.0 255.255.0.0 any 

> I was unable to find out more about the data within the packet, the
> sheer volume made diagnosis impossible without killing the routers.

Looked just like a regular SYN flood to the target IP.  Not sure why they
picked source addresses that were so obviously bogus though.

Can anyone think of a reason why this sort of traffic should be routed at 
all?  Does anyone actually drop hosts on to addresses ending in x.x.x.0?

Rich
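An added example, not code from the thread or any poster: it models the Cisco rule `deny ip 0.0.0.0 255.255.0.0 any` quoted above (wildcard-mask semantics) and checks it against constructed source addresses, so the collateral that bdragon and Joe Provo raise (x.x.0.0 is a real host in prefixes shorter than /16, and .0 is a real host in /22 pools and /31 links) can be seen rather than argued. The address list and prefix assignments are constructed sample data, apart from 61.254.0.0 from the thread.

```python
import ipaddress

def cisco_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def matches_x_x_0_0(src: str) -> bool:
    # The thread's rule: deny ip 0.0.0.0 255.255.0.0 any  (last 16 bits must be zero)
    return cisco_wildcard_match(src, "0.0.0.0", "255.255.0.0")

def is_usable_host(addr: str, prefix: str) -> bool:
    """True if addr can be assigned to a host inside prefix.
    /31 (RFC 3021) and /32 use every address; longer prefixes reserve
    the network and broadcast addresses."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    ip = ipaddress.IPv4Address(addr)
    if ip not in net:
        return False
    if net.prefixlen >= 31:
        return True
    return ip != net.network_address and ip != net.broadcast_address

def evaluate(sources):
    """Map each (addr, assigned_prefix) to 'dropped', 'passed' or 'collateral'
    (collateral = a legitimately assignable host that the rule still drops)."""
    verdicts = {}
    for addr, prefix in sources:
        dropped = matches_x_x_0_0(addr)
        legit = is_usable_host(addr, prefix)
        verdicts[addr] = "collateral" if (dropped and legit) else ("dropped" if dropped else "passed")
    return verdicts

# Constructed sample: spoofed flood sources beside legitimate edge cases from the thread.
SAMPLE = [
    ("61.254.0.0", "61.254.0.0/16"),  # flood source from the thread: a /16 network address
    ("172.16.0.0", "172.16.0.0/16"),  # constructed: another x.x.0.0 network address
    ("10.20.3.0", "10.20.0.0/22"),    # constructed: .0 host inside a /22 dial pool
    ("192.0.2.0", "192.0.2.0/31"),    # constructed: .0 end of a /31 point-to-point link
    ("10.1.0.0", "10.0.0.0/15"),      # constructed: valid host in a /15, yet x.x.0.0
]

if __name__ == "__main__":
    for addr, verdict in evaluate(SAMPLE).items():
        print(f"{addr:<12} {verdict}")
```

The two .0 hosts pass untouched (the rule never looks at the third octet), while the /15 host is the collateral case the thread warns about.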