Hi All,
Can people make a quick check for DDoS attacks on 209.220.100.158 in
the last 12 hours (to 00:00 17th Nov 2004 GMT+0) - I am trying to get
the exact time it appeared to occur, however I suspect it was in the
time period of 13:00-14:00 16th Nov 2004 GMT+0 which coincided with the
I've been trying to find out what the current BCP is for handling ddos
attacks. Mostly what I find is material about how to be a good
net.citizen (we already are), how to tune a kernel to better withstand
a syn flood, router stuff you can do to protect hosts behind it, how
to track the a
As a followup for those interested:
Matthew Sullivan wrote:
Can people make a quick check for DDoS attacks on 209.220.100.158
in the last 12 hours (to 00:00 17th Nov 2004 GMT+0) - I am trying to
get the exact time it appeared to occur, however I suspect it was in
the time period of 13:00-14
My comment from September 11, 1996 (that's not a typo)
http://www.cctec.com/maillists/nanog/historical/9609/msg00302.html
But what's interesting is Paul Vixie is speaking about a very
narrow requirement, but when it gets translated into government
regulation talk, its very different than where
I too would be interested if someone could point a good white paper
for cisco DDOS protection mechanisms and best practices in general.
On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
>
> I've been trying to find out what the current BCP is for handling ddos
> attacks.
On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
>
> I've been trying to find out what the current BCP is for handling ddos
> attacks. Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a kernel to better withstand
>
On Thursday, May 20, 2004 2:52 PM, Mark Kent wrote:
> I've been trying to find out what the current BCP is for handling ddos
> attacks. Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a kernel to better withstand
> a syn flood,
resources I have available.
Good luck.
--ra
--
Rachael Treu-Gomes, CISSP [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..
On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent said something to the effect of:
>
> I've been trying to find out what the current BCP is for ha
/content/research/presentations/ddos_intro/
-Steve
On Thu, 20 May 2004, Mark Kent wrote:
>
> I've been trying to find out what the current BCP is for handling ddos
> attacks. Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a
[EMAIL PROTECTED] said:
>
> On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
> >
> > I've been trying to find out what the current BCP is for handling ddos
> > attacks. Mostly what I find is material about how to be a good
> > net.citizen (we al
On May 20, 2004, at 12:52 PM, Mark Kent wrote:
I've been trying to find out what the current BCP is for handling ddos
attacks. Mostly what I find is material about how to be a good
net.citizen (we already are), how to tune a kernel to better withstand
a syn flood, router stuff you can
[EMAIL PROTECTED] (Mark Kent) writes:
> I've been trying to find out what the current BCP is for handling ddos
> attacks. Mostly what I find is material about ... But I don't care
> about most of that. I care that a gazillion pps are crushing our border
> routers (72
- Original Message -
From: "Paul Vixie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 20, 2004 9:48 PM
Subject: Re: handling ddos attacks
>
> [EMAIL PROTECTED] (Mark Kent) writes:
>
> > I've been trying to find out
On Thu, 20 May 2004, P.Schroebel wrote:
> Ok, I 'll buy that right now; we have a DDoS Attack on our core nameservers
> from 66.165.10.24. Where do we start, do I call the police in Bellingham or
> Washington State Police. We have blocked their ips but, we know they will
> come in another way.
C
On May 20, 2004, at 8:10 PM, Tim Wilde wrote:
Call your local branch of the US Secret Service, if you're in the
states,
and ask for their electronic crimes division. If you're not in the
states, contact your comparable local authority. They can work with
you to
coordinate with other jurisdictio
> Ok, I 'll buy that right now; we have a DDoS Attack on our core nameservers
> from 66.165.10.24. Where do we start, do I call the police in Bellingham or
> Washington State Police. We have blocked their ips but, we know they will
> come in another way.
the best thing is if you call the FBI, or
specifically slides 86-92 and 105-127.
-Hank
On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
>
> I've been trying to find out what the current BCP is for handling ddos
> attacks. Mostly what I find is material about how to be a good
> net.citizen (we already are), how to
: the best thing is if you call the FBI, or NIPC. if you call your local FBI
: field office and say you're experiencing a cyberattack and could they give
: you the number for NIPC then it'll probably produce the results you want,
: even if NIPC has been renamed one or more times since i last tal
On 21 May 2004 18:11 UTC Scott Weeks <[EMAIL PROTECTED]> wrote:
| How much more of my time do you think it'd take to convince
| international authorities that some kid who ran LC4 from Europe,
| got a password and put something from
| http://www.packetstormsecurity.org/DoS/index.html on one of th
On Fri, 21 May 2004 19:19:46 -, Richard Cox <[EMAIL PROTECTED]> said:
> While there are obvious difficulties with Russian (and neighbouring
> country) ISPs, for the rest of Europe any such misconduct gets fast
> action - as witness the speed with which Law Enforcement moved over
> the Sasser w
Howdy all,
So, i'm kind of new to this so please deal with my ignorance. But,
what is common practice these days for HTTP DDoS mitigation during an
attack? You can of course route every offending ip address to null0 at
your border. But, if it's a botnet or trojan or something, It's coming
from nu
> "Meanwhile, U.S. government security officials are discussing the
> possibility of creating new regulations that would require federal
> agencies to buy Internet service only from ISPs that have DDoS protection
> on their networks, according to people familiar with the situation. Such
> a d
Am I the only one to find this ludicrous?
Expecting ICANN to competently handle these things is
analogous to asking the Captain of the "Titanic"
about how to handle icebergs.
Peter
to be fair he only made one mistake in his career..
On Tue, 29 Oct 2002, Peter Salus wrote:
>
>
> Am I the only one to find this ludicrous?
>
> Expecting ICANN to competently handle these things is
> analogous to asking the Captain of the "Titanic"
> about how to handle icebergs.
>
> Peter
>
Source address verification at access layer and rate limiting icmp would
be fine starts.
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of
fingers
Sent: Tuesday, October 29, 2002 1:12 AM
To: [EMAIL PROTECTED]
Subject: Re: ICANN Targets DDoS Attacks
> Source address verification at access layer and rate limiting icmp would
> be fine starts.
these are "best practices" and not "DDoS Protection" imho
.
-Original Message-
From: fingers [mailto:fingers@;fingers.co.za]
Sent: Tuesday, October 29, 2002 10:04 AM
To: H. Michael Smith, Jr.
Cc: [EMAIL PROTECTED]
Subject: RE: ICANN Targets DDoS Attacks
> Source address verification at access layer and rate limiting icmp
would
> be fine starts.
> Agreed 100%, but Gov't (being run by lawyers) is well accustomed to
> defining what the meaning of 'is' is. If they dictate that ISPs employ
> "DDoS Protection", they will define what "DDoS Protection" means 'for
> the purposes of this policy'.
ah ok
the point I was trying to make is, there a
On Tue, 29 Oct 2002 08:34:22 CST, Peter Salus said:
> Expecting ICANN to competently handle these things is
> analogous to asking the Captain of the "Titanic"
> about how to handle icebergs.
Actually, it would be more like asking the Captain how to design bridges.
I would point out that if we were to define it and provide the
definition to the proper authorities, it would go a long way towards
getting a definition that makes sense.
I, (and many others here I would imagine) can help get the definition to
the right ears if ya'll come up with it.
iii
f
0:26 AM
To: fingers
Cc: H. Michael Smith, Jr.; [EMAIL PROTECTED]
Subject: Re: ICANN Targets DDoS Attacks
I would point out that if we were to define it and provide the
definition to the proper authorities, it would go a long way towards
getting a definition that makes sense.
I, (and many oth
> Source address verification at access layer and rate limiting icmp would
> be fine starts.
>
Why would you like to regulate my ability to transmit and receive data
using ECHO and ECHO_REPLY packets? Why they are considered
harmful?
I'm all for source address verification though.
Pete
On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius <[EMAIL PROTECTED]> said:
> Why would you like to regulate my ability to transmit and receive data
> using ECHO and ECHO_REPLY packets? Why they are considered
> harmful?
Smurf.
On Tue, Oct 29, 2002 at 10:25:44PM +0200, Petri Helenius wrote:
>
> > Source address verification at access layer and rate limiting icmp would
> > be fine starts.
> >
> Why would you like to regulate my ability to transmit and receive data
> using ECHO and ECHO_REPLY packets? Why they are conside
*** REPLY SEPARATOR ***
On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote:
>On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius <[EMAIL PROTECTED]>
said:
>
>> Why would you like to regulate my ability to transmit and receive
data
>> using ECHO and ECHO_REPLY packets? Why they ar
On Tue, Oct 29, 2002 at 12:48:39PM -0800, Jeff Shultz wrote:
>
>
>
> *** REPLY SEPARATOR ***
>
> On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote:
>
> >On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius <[EMAIL PROTECTED]>
> said:
> >
> >> Why would you like to regulate my ab
On Tue, 29 Oct 2002 12:48:39 PST, Jeff Shultz said:
> >Smurf.
> Okay. What will this do to my user's ping and traceroute times, if
> anything? I've got users who tend to panic if their latency hits 250ms
> between here and the moon (slight exaggeration, but only slight).
>
> I just love it when
*** REPLY SEPARATOR ***
On 10/29/2002 at 3:54 PM Jared Mauch wrote:
>On Tue, Oct 29, 2002 at 12:48:39PM -0800, Jeff Shultz wrote:
>>
>>
>>
>> *** REPLY SEPARATOR ***
>>
>> On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote:
>>
>> >On Tue, 29 Oct 2002 22:25:
On Tue, 29 Oct 2002, Jeff Shultz wrote:
>
>
>
> *** REPLY SEPARATOR ***
>
> On 10/29/2002 at 3:54 PM Jared Mauch wrote:
>
> >On Tue, Oct 29, 2002 at 12:48:39PM -0800, Jeff Shultz wrote:
> >>
> >>
> >>
> >> *** REPLY SEPARATOR ***
> >>
> >> On 10/29/2002
On Tue, Oct 29, 2002 at 01:03:52PM -0800, Jeff Shultz wrote:
> >> On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote:
> >> >On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius <[EMAIL PROTECTED]>
> >> said:
> >> >
> >> >> Why would you like to regulate my ability to transmit and receive
> >> data
> >
]
Subject: Re: ICANN Targets DDoS Attacks
On Tue, Oct 29, 2002 at 01:03:52PM -0800, Jeff Shultz wrote:
> >> On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote:
> >> >On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius
> >> ><[EMAIL PROTECTED]>
> >> sai
On Tue, Oct 29, 2002 at 01:24:11PM -0800, Dan Lockwood wrote:
> Would anyone be willing to post an operational example of CAR for ICMP.
> I would like to see what others are doing to combat the problem.
>
> Dan
>
rate-limit input access-group 2000 1536000 20 20 conform-action transmit
On Tue, Oct 29, 2002 at 04:31:50PM -0500, Jared Mauch wrote:
> On Tue, Oct 29, 2002 at 01:24:11PM -0800, Dan Lockwood wrote:
> > Would anyone be willing to post an operational example of CAR for ICMP.
> > I would like to see what others are doing to combat the problem.
> >
> > Dan
> >
>
> rate-
u obviously don't understand how
traceroute works by sending udp packets and getting icmp ttl expired
messages back which are not icmp {echo,echo-reply}. Come back when you do
understand how it works. /sigh
> that DDOS attacks are all smurf based? They've just found a solution to 1996's
ct. I also don't think it's a good idea, though -- it might help
to identify or prevent some problems in the short term, but in the long
run, it's a race we can't win -- if everyone limits ICMP, people will
launch DDos attacks with, say, packets to 80/tcp -- rate limiting that
is mo
On 29 Oct 2002 at 20:51, Brett Frankenberger wrote:
Brett! Long time, no hear, now that the Nortel/Bay newsgroup has
pretty much wound down. Like Usenet in general.
> Addressing just the issue of how traceroute works, I'll point out that
> (a) Most or all flavors of traceroute distributed b
On Tue, 29 Oct 2002 16:00:06 -0500, [EMAIL PROTECTED] wrote,
> On Tue, 29 Oct 2002 12:48:39 PST, Jeff Shultz said:
>
> > >Smurf.
>
> > Okay. What will this do to my user's ping and traceroute times, if
> > anything? I've got users who tend to panic if their latency hits 250ms
> > between here and
On Wed, 30 Oct 2002 13:35:38 PST, "Crist J. Clark" said:
(OK.. *technically*, Christ is correct.. you can't tell.. but still)
> On the classless Internet, how does any router know what is or is not
> a broadcast address when the final destination is not local?
Bitch bitch whine whine.
Why is it
On Wed, Oct 30, 2002 at 10:13:11PM -0500, [EMAIL PROTECTED] wrote:
> On Wed, 30 Oct 2002 13:35:38 PST, "Crist J. Clark" said:
>
> (OK.. *technically*, Christ is correct.. you can't tell.. but still)
>
> > On the classless Internet, how does any router know what is or is not
> > a broadcast addre
--On 29 October 2002 21:11 + "Stephen J. Wilcox"
<[EMAIL PROTECTED]> wrote:
As they say, if you don't set the rate limit too low then you won't
encounter drops under normal operation.
It would be useful if [vendor-du-jour] implemented rate-limiting
by hashed corresponding IP address.
IE:
h
is any active working group pursuing this matter seriously?
-rgds
Alok
- Original Message -
From: alok <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, November 02, 2002 4:26 AM
Subject: Re: ICANN Targets DDoS Attacks
>The first
;; <[EMAIL PROTECTED]>
> Sent: Saturday, November 02, 2002 4:26 AM
> Subject: Re: ICANN Targets DDoS Attacks
>
>
>
>
> >The first, dropping broadcasts destined to your customers, is possibly
> >doable, but not trivial.
>
> --> IGP learnt networks
>> -> a very small percentage cud be blocked if u were willing to link
this to BGP learnt networks..at least those are "complete networks", not
subnetted
ofcourse its a very small portion, mebbe u cud ask guys to send more
specific BGP routes from now
I am assuming you mean 'mark /
-
>> From: alok <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>> Sent: Saturday, November 02, 2002 4:26 AM
>> Subject: Re: ICANN Targets DDoS Attacks
>>
>>
>>
>>
>>> The first, dropping broadcasts des
<[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; nanog <[EMAIL PROTECTED]>
Sent: Tuesday, November 05, 2002 5:58 AM
Subject: Re: ICANN Targets DDoS Attacks
ok, so i exploited the ambiguity in the original question.
wrt "active" - there is a sub-group from w
>> -> a very small percentage cud be blocked if u were willing to link
>> this to BGP learnt networks..at least those are "complete networks", not
>> subnetted
>>
>> ofcourse its a very small portion, mebbe u cud ask guys to send more
>> specific BGP routes from now
I am assuming y
On Mar 25, 2008, at 5:02 AM, Mike Lyon wrote:
Any input would be greatly appreciated.
There are devices available today from different vendors (including
Cisco, full disclosure) which are intelligent DDoS-'scrubbers' and
which can deal with more sophisticated types of attacks at layer-7
On Mon, Mar 24, 2008 at 5:18 PM, Roland Dobbins <[EMAIL PROTECTED]> wrote:
> There are devices available today from different vendors (including
> Cisco, full disclosure) which are intelligent DDoS-'scrubbers' and
> which can deal with more sophisticated types of attacks at layer-7,
> includin
On Mar 25, 2008, at 6:18 AM, Tim Yocum wrote:
If you're running Apache, you may also investigate mod_evasive, and in
the case of exploits, mod_security.
mod_evasive and mod_security are definitely recommended, good point.
And a good relationship with your peers/upstreams/customers/vendors
[EMAIL PROTECTED] ("Mike Lyon") writes:
> So, i'm kind of new to this so please deal with my ignorance.
:-). on the internet, everybody's new to everything since it's all
changing every day. if anybody grumps at you for your ignorance, or
says "i can't type that into an IOS prompt" then the fa
Paul Vixie wrote:
i only use or recommend operating systems that have their own host based
firewalls. soon that will mean pf (from openbsd but available on freebsd)
pf's tables are nifty too btw :)
pfsense, which is FreeBSD + pf, also has a port of snort IDS available.
Provided the OP has
On Mon, Mar 24, 2008 at 11:34:58PM +, Paul Vixie wrote:
>
> i only use or recommend operating systems that have their own host based
> firewalls. soon that will mean pf (from openbsd but available on freebsd)
> but right now that means ipfw. ipfw has a "table" construct which uses a
> data
issue. In any case,
it's reactive.
Frank
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Lyon
Sent: Monday, March 24, 2008 5:02 PM
To: NANOG
Subject: Mitigating HTTP DDoS attacks?
Howdy all,
So, i'm kind of new to this so please de
On Mar 25, 2008, at 8:10 AM, Frank Bulk - iNAME wrote:
In any case, it's reactive.
Several SPs (quite a few, actually) are offering DDoS mitigation
services based upon a variety of tools and techniques, and with
various pricing models. Some provide the service for their own
transit/h
Mike Lyon wrote:
So, i'm kind of new to this so please deal with my ignorance. But,
what is common practice these days for HTTP DDoS mitigation during an
attack? You can of course route every offending ip address to null0 at
your border. But, if it's a botnet or trojan or something, It's coming
ta and then deliver clean traffic back to
your network. It's completely transparent to your clients. It's not
cheap but i've worked with a few internet based trading companies who
used this service to litigate DDOS attacks on their network
infrastructure.
--
[ Rodrick R. Brown ]
http://www.rodrickbrown.com
http://www.linkedin.com/in/rodrickbrown
> On Mon, Mar 24, 2008 at 11:34:58PM +, Paul Vixie wrote:
>> i only use or recommend operating systems that have their own host based
>> firewalls.
That was exactly my problem.
Barney Wolff wrote:
> What finally broke was doing a table list, possibly because the
> command prints in sorted
Lyon
Sent: Monday, March 24, 2008 6:02 PM
To: NANOG
Subject: Mitigating HTTP DDoS attacks?
Howdy all,
So, i'm kind of new to this so please deal with my ignorance. But,
what is common practice these days for HTTP DDoS mitigation during an
attack? You can of course route every offending ip a
ervice. Prolexic will basically absorb all
> attacks filter out the bad data and then deliver clean traffic back to
> your network. It's completely transparent to your clients. It's not
> cheap but i've worked with a few internet based trading companies who
> used this service to lit
On 3/25/08, Peter Dambier <[EMAIL PROTECTED]> wrote:
>
>
> proc2pl might get you ideas, from the ISAON tools on
You know, for the last year or two I've heard you go on and on about IASON.
A few months ago I actually did download it and the only thing I can find in
it is an assortment of scripts t
Hello everyone,
I recently finished the latest beta release of a tool to detect (and
possibly block) DoS/DDoS attacks. There are a few problems that I am
trying to resolve, but all in all it seems to work. The tool is released
under the GPL (i.e. it is free to use and modify the source
find out what the current BCP is for handling ddos
attacks. Mostly what I find is material about how to be a good
net.citizen (we already are), how to tune a kernel to better withstand
a syn flood, router stuff you can do to protect hosts behind it, how
to track the attack back to the source, how
There's been plenty of discussion about DDoS attacks, and my
IDS system is darn good at identifying them. But what are
effective methods for large service-provider networks (ie
ones where a firewall at the front would not be possible) to
deal with DDoS attacks?
Current method of updating
nse and are consistent (e.g. if the host is 8
hops away, the TTL of the packet when it got to me was 56). Yes, I know
those could be adjusted in theory to mask multiple sources, but in practice
has anyone seen that ? I seem to recall reading the majority of DDoS
attacks do not come from spoo
http://www.secsup.org/Tracking/
UUNet uses that...others might as well, Shrug.
Quick, simple, effective tracking of DDoS attacks.
As for identifying attacks, quite honestly large ISP's are typically still
relying on customer notification. I know that's how we do it.
On Wed,
On Wed, 1 May 2002, Pete Kruckenberg wrote:
> A rather extensive survey of DDoS papers has not resulted in
> much on this topic.
>
> What processes and/or tools are large networks using to
> identify and limit the impact of DDoS attacks?
Hazaa.. something I know a little about
On Wed, May 01, 2002 at 05:18:24PM -0600, Pete Kruckenberg wrote:
>
> A rather extensive survey of DDoS papers has not resulted in
> much on this topic.
>
> What processes and/or tools are large networks using to
> identify and limit the impact of DDoS attacks?
"
On Thu, May 02, 2002 at 01:49:40AM +0100, Avleen Vig wrote:
>
> DDoS attacks by their very nature, are distributed. The primary purpose
> of more DDoS attacks is to flood the target's upstream connection to the
> point of saturation.
Actually the original goal (and probably
On Wed, 1 May 2002, Pete Kruckenberg wrote:
> There's been plenty of discussion about DDoS attacks,
and then again, there has been much discussion on simple DoS attacks, where
the term DDoS is erroneously used... I am very much not trying to imply that
this is the case here,
> > What processes and/or tools are large networks using to
> > identify and limit the impact of DDoS attacks?
>
> A great deal of thought is being expended on this question, I am certain,
> however, how many of these thought campaigns have borne significant fruit
yet,
> I
w UUNet does this for all customers.
On Wed, 1 May 2002, Wojtek Zlobicki wrote:
>
> > > What processes and/or tools are large networks using to
> > > identify and limit the impact of DDoS attacks?
> >
> > A great deal of thought is being expended on this question, I am
> Then you are pushing out /32's and peers would need to accept them. Then
> someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
I am in no way proposing discounting current filtering rules. There are
always two
different interests one must consider, one that of the customer an
In a message written on Wed, May 01, 2002 at 08:17:04PM -0500, dies wrote:
> Then you are pushing out /32's and peers would need to accept them. Then
> someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
I'm not sure what form this would take, but I have long wished
route proc
On Wed, May 01, 2002 at 09:38:52PM -0400, Wojtek Zlobicki wrote:
>
> How about the following :
>
> We develop a new community , being fully transitive (666 would be
> appropriate ) and either build into router code or create a route map to
> null route anything that contains this community. Th
On Wed, May 01, 2002 at 10:15:44PM -0400, Leo Bicknell wrote:
>
> In a message written on Wed, May 01, 2002 at 08:17:04PM -0500, dies wrote:
> > Then you are pushing out /32's and peers would need to accept them. Then
> > someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
>
On Wed, 1 May 2002, Richard A Steenbergen wrote:
> "DDoS attacks" is such a generic term. There are a wide
> variety of attacks which each need to be handled in
> their own way, the extra "D" is just one possible twist.
> Can you explain what kind of at
On Wed, 1 May 2002, Pete Kruckenberg wrote:
> We experience a lot of types of attacks ("education/research
> network" = "easy hacker target"). With DDoS incidents, it
> seems we are more often an unknowing/unwilling participant
> than the target, partly due to owning big chunks of IP
> address
y
> distinguished from each other - they are totally
> different things to deal with.
Sorry, I should have been more clear.
My issue (currently) is not being the target of the DDoS
attack, but being a (unwilling) participant. People outside
our network are launching DDoS attacks (distribu
##
## (W)703-886-3823 (C)703-338-7319 ##
###
On Wed, 1 May 2002, Pete Kruckenberg wrote:
>
> There's been plenty of discussion about DDoS attacks, and my
> IDS system is darn good at identifying them. B
On Thu, 2 May 2002, Avleen Vig wrote:
>
> On Wed, 1 May 2002, Pete Kruckenberg wrote:
>
> > A rather extensive survey of DDoS papers has not resulted in
> > much on this topic.
> >
> > What processes and/or tools are large networks using to
> > identi
On Wed, 1 May 2002 [EMAIL PROTECTED] wrote:
> True DDoS attacks, fortunately, are rarer than most people believe. If they
> were not, the Internet as we know it would look a lot more like a telephone
> system in USSR-at-its-worst-days. For example, of the two recent DDoS
On Wed, 1 May 2002, Wojtek Zlobicki wrote:
>
> > > What processes and/or tools are large networks using to
> > > identify and limit the impact of DDoS attacks?
> >
> > A great deal of thought is being expended on this question, I am certain,
> > howev
re a UUNET customer and you
would like to do this please call the customer service center and they
will help you to configure this 'service'.
Thanks though Mr. 'dies' :)
>
> On Wed, 1 May 2002, Wojtek Zlobicki wrote:
>
> >
> > > > What processes an
On Wed, 1 May 2002, Wojtek Zlobicki wrote:
>
> Where are providers drawing the line ? Anyone have somewhat detailed
> published policies as to what a provider can do in order to protect their
> network as a whole.
> At what point (strength of the attack) does a customers netblock (assuming a
> /
On Thu, May 02, 2002 at 04:28:44AM +, Christopher L. Morrow wrote:
>
> Let me say this one more time... "RATE LIMITS DON'T DO SHIT TO STOP
> ATTACKS" for the victim at least, all they do is make the job of the
> attacker that much easier. For instance:
>
> 1) I synflood www.avleen.org
> 2)
On Wed, 1 May 2002, Richard A Steenbergen wrote:
>
> I give it 2 months, then they'll start hitting random dst IPs in a target
> prefix (say a common /24 going through the same path).
>
Damn you, don't give them any ideas :)
On Wed, May 01, 2002 at 08:56:16PM -0600, Pete Kruckenberg wrote:
>
> Sorry, I should have been more clear.
>
> My issue (currently) is not being the target of the DDoS
> attack, but being a (unwilling) participant. People outside
> our network are launching DDoS attack
On Thu, May 02, 2002 at 04:45:43AM +, Christopher L. Morrow wrote:
> On Wed, 1 May 2002, Wojtek Zlobicki wrote:
> >
> > Where are providers drawing the line ? Anyone have somewhat detailed
> > published policies as to what a provider can do in order to protect their
> > network as a whole.
>
On Wed, 1 May 2002, Pete Kruckenberg wrote:
>
> On Wed, 1 May 2002, Richard A Steenbergen wrote:
>
> > "DDoS attacks" is such a generic term. There are a wide
> > variety of attacks which each need to be handled in
> > their own way, the extra "
attack, but being a (unwilling) participant. People outside
> our network are launching DDoS attacks (distributed SYN
> floods) against destinations outside our network, using
> about 8,000 Web server hosts on our network as reflectors.
Funny, you say 'secured' here...
>
> T