On Jun 2, 2004, at 12:36 PM, Richard A Steenbergen wrote:
> If it walks like a duck, and it sounds like a duck, it is probably a duck. RFC1918 sourced space, most likely from misconfigured NATs and such, account for only a very small amount of the bogon-source packets which go splat.
But worms, OTOH, seem to be much more persistent.
> Most of the DoS attempts by volume don't fall into the category of questionable. When you see a 100Mbps stream (from a single ingress interface, with consistent TTLs) of IP proto 0 or 255, or tcp port 0, or classic SYN flooders (SYN w/no MSS) or stream (randomized seq# and fixed ack# on a packet w/TH_ACK flag only) targeting a specific IP/port with a source address of iph.ip_src.s_addr = random(), it is pretty easy to tell those apart from the usual background noise of a worm.
Sure..
> Some days it helps to actually have an operational network, instead of being a researcher. Even without interesting tools it isn't terribly hard to look at your PNI graphs, match up the hundreds-of-meg spikes with specific DoS incidents, and go from there. Not to point fingers at anyone in particular, but it seems to be the same foreign networks who tend to have little control over their spammers.
Heh.. I certainly don't consider myself a researcher, or an operator (any longer) for that matter (though I do have access to a significant amount of both research and operational data and tend not to call a duck a goose simply because I heard a quack :-) -danny
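An added example, not code from the thread or from either poster: a small Python classifier that applies the flood fingerprints listed in the quoted text (IP proto 0/255, TCP port 0, SYN without an MSS option, "stream" packets with ACK flag only, fixed ack number and random seq number) to packet records from one ingress interface, and then uses the stream-level properties mentioned there (consistent TTL, a single target IP/port, random-looking source addresses) to separate a flood from RFC1918-sourced NAT leakage and ordinary SYNs. The packet dicts, the 0.9 thresholds, the documentation-range target address and the `_rand_ip` helper are my constructions and assumptions.

```python
import ipaddress
import random
from collections import Counter

# Constructed example: packet records are plain dicts, not real captures.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TH_SYN, TH_ACK = 0x02, 0x10   # TCP flag bits


def is_rfc1918(addr):
    """True if addr is in RFC1918 private space (typical misconfigured-NAT leakage)."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def packet_signature(pkt):
    """Per-packet fingerprint from the thread, or None if the packet looks ordinary."""
    if pkt["proto"] in (0, 255):
        return "ip-proto-0/255"
    if pkt["proto"] != 6:
        return None
    if pkt["sport"] == 0 or pkt["dport"] == 0:
        return "tcp-port-0"
    if pkt["flags"] == TH_SYN and "mss" not in pkt.get("options", ()):
        return "syn-no-mss"      # classic SYN flooder: SYN with no MSS option
    if pkt["flags"] == TH_ACK:
        return "ack-only"        # 'stream' candidate; confirmed at stream level
    return None


def classify_stream(pkts):
    """Decide whether packets seen on one ingress interface form a flood."""
    n = len(pkts)
    if n == 0:
        return {"verdict": "background", "signature": None, "bogon_ratio": 0.0, "ttls": 0}
    sig, hits = Counter(packet_signature(p) for p in pkts).most_common(1)[0]
    ttls = {p["ttl"] for p in pkts}
    targets = {(p["dst"], p["dport"]) for p in pkts}
    src_ratio = len({p["src"] for p in pkts}) / n          # ~1.0 when src = random()
    bogon_ratio = sum(is_rfc1918(p["src"]) for p in pkts) / n
    if sig == "ack-only":
        # 'stream': fixed ack number, randomized seq number, ACK flag only
        acks = {p.get("ack") for p in pkts}
        seqs = {p.get("seq") for p in pkts}
        sig = "stream" if len(acks) == 1 and len(seqs) > 1 else None
    flood = (sig is not None and hits / n >= 0.9   # one fingerprint dominates
             and len(ttls) == 1                     # consistent TTL
             and len(targets) == 1                  # one IP/port targeted
             and src_ratio >= 0.9)                  # sources look random
    return {"verdict": "flood" if flood else "background",
            "signature": sig if flood else None,
            "bogon_ratio": round(bogon_ratio, 2), "ttls": len(ttls)}


def _rand_ip(rng):
    """Constructed random source address (first octet 1-223)."""
    return ".".join(str(rng.randint(1, 223)) if i == 0 else str(rng.randint(0, 255))
                    for i in range(4))


def syn_flood(count=200, seed=1):
    """Constructed sample: SYN w/no MSS, fixed TTL, one target, random sources."""
    rng = random.Random(seed)
    return [{"src": _rand_ip(rng), "dst": "203.0.113.10", "proto": 6,
             "sport": rng.randint(1024, 65535), "dport": 80, "flags": TH_SYN,
             "ttl": 241, "options": ()} for _ in range(count)]


def stream_flood(count=200, seed=2):
    """Constructed sample: ACK-only packets, fixed ack#, random seq#, random sources."""
    rng = random.Random(seed)
    return [{"src": _rand_ip(rng), "dst": "203.0.113.10", "proto": 6,
             "sport": rng.randint(1024, 65535), "dport": 80, "flags": TH_ACK,
             "ttl": 52, "seq": rng.getrandbits(32), "ack": 0x1F2E3D4C}
            for _ in range(count)]


def background(seed=3):
    """Constructed sample: NAT-leaked RFC1918 sources sending ordinary SYNs (MSS set)."""
    rng = random.Random(seed)
    return [{"src": "192.168.1.%d" % rng.randint(1, 254),
             "dst": "203.0.113.%d" % rng.randint(1, 254), "proto": 6,
             "sport": rng.randint(1024, 65535), "dport": 445, "flags": TH_SYN,
             "ttl": rng.choice((118, 119, 126)), "options": ("mss",)} for _ in range(60)]


if __name__ == "__main__":
    for name, pkts in (("syn", syn_flood()), ("stream", stream_flood()), ("noise", background())):
        print(name, classify_stream(pkts))
```

The per-packet fingerprint alone is not enough: an ACK-only packet is ordinary on its own, so the "stream" verdict is only reached when the whole set from one interface shows one fixed ack number and varying seq numbers, and every flood verdict additionally requires the single TTL, single target and random-source properties the quoted text relies on. The RFC1918-sourced sample is reported as background with a bogon ratio of 1.0, which is the "goes splat but is not a DoS" case.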