I had a DDoS this morning (~ 130Mb) against one of my hosts. Packets were coming in all 3 of my transit links from a handful of source IP addresses that sort of make sense in terms of the path they would take to get to me. They were all large UDP packets of the form 09:08:58.981781 xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 0800 1514: 82.165.244.204 > ta.rg.et.IP: udp (frag 47080:1480@1480+) (ttl 54, len 1 500) 0x0010 yyyy yyyy 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBB 0x0020 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 0x0030 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 0x0040 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 0x0050 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 0x0060 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB The TTLs all kind of make sense and are consistent (e.g. if the host is 8 hops away, the TTL of the packet when it got to me was 56). Yes, I know those could be adjusted in theory to mask multiple sources, but in practice has anyone seen that ? I seem to recall reading the majority of DDoS attacks do not come from spoofed source IP addresses. Of the traffic snapshot I took, the break down seems to jive as well with the PTR records. i.e. PTR records that indicate a home broadband connection were less than PTR records suggesting a server in a datacentre somewhere. A few of the IPs involved capturing 1000 packets on one of my links at the time. 210 207.58.177.151 - server.creditprofits.com 287 65.39.230.20 - server4.xlservers.com 11 67.52.82.118 - rrcs-67-52-82-118.west.biz.rr.com 492 82.165.244.204 - u15178515.onlinehome-server.com It was pretty short lived as well -- about 8 min total. ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike