We have anti-spoofing filters applied; however, apparently a large number of ISPs obviously still see them as unnecessary. The attacks are a combination of spoofed and real IPs. The trend there seems to be that if the attack is high PPS but low bandwidth, the majority of those are spoofed. Now a recent trend has been lower PPS (increased size) and high bandwidth. The ones that we have been able to track successfully are coming from real sources, and have indeed been due to things such as nimda. There have been several instances of people that were caught doing this against us with approximately 1000 - 1500 servers under control via nimda, but being able to notify the owners of all those servers is next to impossible.

--
Tom Sands
Chief Network Engineer
RackSpace Managed Hosting
tsands@rackspace.com
(210)892-4000

Jared Mauch wrote:
are you seeing these attacks be related to the lack of anti spoofing filters? where do they tend to be originating these days?
i suspect that 1) smurf amps that are still not fixed, 2) high speed connectivity at homes (cable, .. some dsl still,) are allowing people to send spoofed packets at higher rates.
that combined and the number of windows based servers that have been exploited (nimda, etc..) and those can be used also to send spoofed packets at higher rates.
- jared
On Wed, Jan 16, 2002 at 11:45:05AM -0600, Paul Froutan wrote:
Hello all,

Can some of you with larger networks let me know about the volume of the DoS attacks you have experienced lately? Our experience has been that the volume (not just occurrence) is going up significantly and I'm curious on the size of attacks that people are experiencing. For reference, while a year or two ago we used to get 50-100 meg attacks, now we're getting 500+ megs.

Thanks
Paul Froutan, VP Engineering and Operations
Rackspace Managed Hosting
Email: pfroutan@rackspace.com
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.