On Wed, Jun 02, 2004 at 11:39:39AM -0600, Danny McPherson wrote:
> On Jun 2, 2004, at 10:56 AM, Richard A Steenbergen wrote:
> > What people may be seeing is that poorly randomized source attacks are being automatically filtered by uRPF loose or other means before they ever reach the target. I keep track of my network border filter counters, and believe me spoofed attacks are not going out of style,
> How do you discriminate *DDOS attacks employing source address spoofing* from broken NATs, rampant worms, PMTU and other related misconfiguration resulting in backscatter and similar garbage - with filter counters? Given, tactically deployed filters in order to mitigate a specific attack to a particular destination would likely glean some value WRT the validity of the source distribution for a given attack, but not generally deployed filters for any destination.
If it walks like a duck, and it sounds like a duck, it is probably a duck. RFC1918 sourced space, most likely from misconfigured NATs and such, accounts for only a very small amount of the bogon-source packets which go splat. Most of the DoS attempts by volume don't fall into the category of questionable. When you see a 100Mbps stream (from a single ingress interface, with consistent TTLs) of IP proto 0 or 255, or tcp port 0, or classic SYN flooders (SYN w/no MSS) or stream (randomized seq# and fixed ack# on a packet w/TH_ACK flag only) targeting a specific IP/port with a source address of iph.ip_src.s_addr = random(), it is pretty easy to tell those apart from the usual background noise of a worm.
> > especially from foreign and certain smaller networks.
> I'd be extremely interested in any empirical evidence you have to support this, and in better understanding exactly how you determined "foreign and certain smaller networks" were indeed the source of many of these spoofed packets.
Some days it helps to actually have an operational network, instead of being a researcher. Even without interesting tools it isn't terribly hard to look at your PNI graphs, match up the hundreds-of-meg spikes with specific DoS incidents, and go from there. Not to point fingers at anyone in particular, but it seems to be the same foreign networks who tend to have little control over their spammers.

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
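The "duck test" above, written out as detection logic: an added example, not code from either poster. It scores constructed packet records against the per-packet tells named in the post (RFC1918 source, IP proto 0/255, TCP port 0, SYN without MSS) and the per-target tells (ACK-only segments with random seq and fixed ack, many sources sharing one TTL as from a single spoofing host behind one ingress); the record layout, thresholds and indicator names are this example's own assumptions.

```python
import ipaddress
from collections import defaultdict
def pkt(src, dst, proto, sport=None, dport=None, flags=(), ttl=64, mss=False, seq=None, ack=None):
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                flags=frozenset(flags), ttl=ttl, mss=mss, seq=seq, ack=ack)

SAMPLE = [  # constructed sample packets, not a real capture; TCP-only fields are None otherwise
    # "stream" attack: ACK-only segments, random seq, fixed ack, random sources, one TTL
    pkt("192.0.2.11", "203.0.113.10", 6, 1025, 80, {"ACK"}, 243, seq=0x9a1f0c22, ack=0x1234),
    pkt("198.51.100.200", "203.0.113.10", 6, 3090, 80, {"ACK"}, 243, seq=0x02b77e10, ack=0x1234),
    pkt("192.0.2.57", "203.0.113.10", 6, 60001, 80, {"ACK"}, 243, seq=0xe4401a9c, ack=0x1234),
    pkt("198.51.100.3", "203.0.113.10", 6, 4411, 80, {"ACK"}, 243, seq=0x5d0f33a1, ack=0x1234),
    # background noise: a worm-style SYN (with MSS) and an RFC1918 NAT leak to the same service
    pkt("198.51.100.7", "203.0.113.20", 6, 2231, 445, {"SYN"}, 118, mss=True, seq=0x1000, ack=0),
    pkt("10.1.2.3", "203.0.113.20", 6, 2232, 445, {"SYN"}, 62, mss=True, seq=0x2000, ack=0),
    pkt("192.0.2.5", "203.0.113.30", 255, ttl=50),  # IP protocol 255 junk
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def packet_flags(p):
    """Per-packet tells from the post: RFC1918 source, IP proto 0/255, TCP port 0, SYN without MSS."""
    hits, tcp = [], p["proto"] == 6
    if any(ipaddress.ip_address(p["src"]) in n for n in RFC1918):
        hits.append("rfc1918-source")
    if p["proto"] in (0, 255):
        hits.append("ip-proto-0-or-255")
    if tcp and 0 in (p["sport"], p["dport"]):
        hits.append("tcp-port-0")
    if tcp and p["flags"] == {"SYN"} and not p["mss"]:
        hits.append("syn-no-mss")
    return hits

def flow_flags(pkts):
    """Per-target tells: 'stream' (ACK-only, random seq, fixed ack) and many sources sharing one TTL."""
    hits = []
    acks = [p for p in pkts if p["proto"] == 6 and p["flags"] == {"ACK"}]
    if len(acks) >= 3 and len({p["ack"] for p in acks}) == 1 and len({p["seq"] for p in acks}) == len(acks):
        hits.append("stream-random-seq-fixed-ack")
    if len({p["src"] for p in pkts}) >= 3 and len({p["ttl"] for p in pkts}) == 1:
        hits.append("many-sources-one-ttl")
    return hits

def classify(packets):
    """Group by (dst, dport); return the sorted indicator list per target (empty list = plain noise)."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["dst"], p["dport"])].append(p)
    return {key: sorted(set(flow_flags(pkts)).union(*map(packet_flags, pkts)))
            for key, pkts in groups.items()}
```

Run against real filter counters, the per-target grouping is what separates a spoofed flood aimed at one IP/port from scattered NAT and worm noise that never lines up on a single target.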