Ah, honestly we can usually point to the exact cause of the attacks once we have time to triage the situation. Recently it has been stuff like:

- Made someone in Asia angry.
- Running a runescape server and made someone angry.
- Made someone on IRC angry.

It has been pretty rare to see an attack that wasn't just the end result of a pissing contest. And like I said, most of the ones I have seen recently are either UDP 80 floods, which is probably the result of one of the UDP.PL variants, or fragments (UDP DST 0) attacks, which kind of indicates at least in part that the 'attacker' simply downloaded the first thing they could find that said 'DDoS' on it and didn't spend too much time worrying about it.

This is probably mainly because of how easy it is now to acquire dedicated servers (that aren't properly monitored) and have 1Gbps (and now) 10Gbps connections to the Internet. How many organizations are using 10G connections to the Internet these days?

-Drew

-----Original Message-----
From: Matthew Petach [mailto:mpetach@netflight.com]
Sent: Wednesday, December 08, 2010 1:35 PM
To: jay@prolexic.com
Cc: nanog@nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?

On Wed, Dec 8, 2010 at 8:47 AM, Jay Coley <jay@prolexic.com> wrote:
On 08/12/2010 16:14, Drew Weaver wrote:
I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack.
thanks, -Drew
This has been our recent experience as well. There are some pure app attacks, to be sure, but we see many blended attacks also. Bandwidth (UDP/ICMP/SYN Flood) attack to distract with an app attack (GET/PUSH floods) attempting to run underneath the radar. We regularly see SYN floods these days > 20 Gb/s.
Another thing to be aware of--when you get hit with what seems to be a "simple" flooding attack aimed at one point of your infrastructure... start checking your logs at _other_ places in your network very, VERY carefully. There seems to be a trend of using larger-scale flooding, or other simple types of attacks, to get all the network people at an organization rushing over to throw resources and energy at it...while the real target of the attack is something completely different, on a different subnet, in a different part of the company; and that attack is small, carefully focused at its target, and is designed to be relatively quiet. The "big" attack is used simply to ensure all the human energy is focused on the wrong place, increasing the chance that what otherwise might cause raised eyebrows and double-checking of logs/IDS alerts, etc. gets missed while everyone is focusing on the "big" attack.
The thing to bear in mind is that app attacks *are* difficult to detect as they are low bandwidth and make a full TCP connection. As a result many IDS/Firewalls etc regularly miss these attacks.
Lastly there is usually always someone at the other end of these attacks watching what is working and what is not. If the attack doesn't work they will simply round up more bots to increase the attack bandwidth or change the attack vector.
And, in what seems to be an increasing trend, what they are watching for is *not* necessarily the result of the large botnet attack; they're checking on the results of their targeted probes elsewhere in the network, or on the outbound set of connections from a compromised machine within an organization; after all, during a huge DDoS attack, with everyone focusing on a set of uplinks being flooded with _inbound_ traffic, who is going to notice the (relatively smaller) outbound spike of traffic as the compromised machine sends out a copy of your internal intellectual property to the miscreant recipients?

Matt
(speaking purely hypothetically, of course, and definitely not on behalf of any institution or entity other than myself)
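The check Matt describes, looking at the _other_ places in the network while the uplinks are being flooded, can be automated against flow records. The following is an added example written for this thread, not code from any of the posters: it takes NetFlow-style records (minute, source, destination, port, bytes), uses a quiet window as the baseline, identifies the minutes in which inbound volume is a flood, and then flags any internal host whose outbound bytes in those minutes are far above its own baseline. All records are constructed sample data; the internal prefix 10.0.0.0/8 and the multipliers are assumptions chosen for the example.

```python
"""Added example (not from the NANOG thread): during an inbound flood, look for
internal hosts whose outbound traffic quietly spikes. All flows below are
constructed sample data, not captures from any network."""
from collections import defaultdict
from statistics import mean

INTERNAL_PREFIX = "10."  # assumption: the organization's address space is 10.0.0.0/8

# Constructed flow records: (minute, src, dst, dport, bytes).
FLOWS = [
    # minutes 0-2: quiet baseline
    (0, "10.0.1.5", "198.51.100.7", 443, 20_000),
    (0, "10.0.1.9", "198.51.100.8", 443, 15_000),
    (0, "203.0.113.4", "10.0.1.20", 80, 60_000),
    (1, "10.0.1.5", "198.51.100.7", 443, 22_000),
    (1, "10.0.1.9", "198.51.100.8", 443, 14_000),
    (1, "203.0.113.4", "10.0.1.20", 80, 55_000),
    (2, "10.0.1.5", "198.51.100.7", 443, 21_000),
    (2, "10.0.1.9", "198.51.100.8", 443, 16_000),
    (2, "203.0.113.4", "10.0.1.20", 80, 58_000),
    # minutes 3-4: a UDP port 80 flood fills the uplinks (the "big" attack)
    (3, "198.51.100.50", "10.0.1.20", 80, 40_000_000),
    (3, "198.51.100.51", "10.0.1.20", 80, 38_000_000),
    (4, "198.51.100.50", "10.0.1.20", 80, 41_000_000),
    (4, "198.51.100.51", "10.0.1.20", 80, 39_000_000),
    # ...while one internal host pushes far more than usual outbound
    (3, "10.0.1.5", "198.51.100.7", 443, 23_000),
    (3, "10.0.1.9", "192.0.2.77", 443, 900_000),
    (4, "10.0.1.5", "198.51.100.7", 443, 20_000),
    (4, "10.0.1.9", "192.0.2.77", 443, 1_100_000),
]


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def per_minute_inbound(flows):
    """Total bytes per minute entering the network from outside."""
    total = defaultdict(int)
    for minute, src, dst, _port, nbytes in flows:
        if not is_internal(src) and is_internal(dst):
            total[minute] += nbytes
    return dict(total)


def per_host_outbound(flows):
    """host -> minute -> bytes leaving the network from that host."""
    out = defaultdict(lambda: defaultdict(int))
    for minute, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out[src][minute] += nbytes
    return out


def flood_minutes(flows, baseline, factor=10.0):
    """Minutes outside the baseline whose inbound volume exceeds factor x baseline."""
    inbound = per_minute_inbound(flows)
    base = mean(inbound.get(m, 0) for m in baseline)
    return sorted(m for m, b in inbound.items()
                  if m not in baseline and b > factor * base)


def quiet_outbound_spikes(flows, baseline, factor=10.0, floor=10_000):
    """Hosts whose outbound bytes in a flood minute exceed factor x their own
    baseline. `floor` keeps a host that was idle in the baseline from being
    flagged on a trivial amount of traffic. Returns (host, minute, bytes, base)."""
    floods = flood_minutes(flows, baseline)
    hits = []
    for host, by_minute in per_host_outbound(flows).items():
        base = max(mean(by_minute.get(m, 0) for m in baseline), floor)
        for m in floods:
            if by_minute.get(m, 0) > factor * base:
                hits.append((host, m, by_minute[m], base))
    return hits


if __name__ == "__main__":
    quiet = [0, 1, 2]
    print("flood minutes:", flood_minutes(FLOWS, quiet))
    for host, minute, nbytes, base in quiet_outbound_spikes(FLOWS, quiet):
        print(f"minute {minute}: {host} sent {nbytes} bytes out (baseline {base})")
```

The point of comparing each host to its own baseline rather than to the network total is that the flood inflates every aggregate counter; the outbound spike from one workstation is invisible next to tens of gigabits inbound, but it is very visible next to that workstation's normal few kilobytes per minute. In production the records would come from your flow collector and the baseline window would be hours or days, not three minutes.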