On Thu, 31 Jan 2013 10:34:29 +0330 Shahab Vahabzadeh <sh.vahabzadeh@gmail.com> wrote:
> Attacks take only 20 or 30 minutes and it happens only 4 times in two days. I couldn't capture any packet but this is output of my "show ip accounting" that time:
Attacks on gaming systems or at the gamers themselves are unfortunately quite common. Many of the DNS 'IN ANY' amplification and reflection attacks for instance appear to involve online games. We've also seen some similar reflection attacks involving CoD systems, as someone else alluded to in a link post. Dissimilar in attack profile, but similar in target, were the frequent but brief Xbox packet floods that attempted to disrupt a gamer's session.

It can be extremely difficult to assign attribution for any particular attack without a great deal of effort on your part, often in being prepared with lots of data collection in advance, plus the selfless cooperation of other network operators. The latter is often the biggest challenge given that you're often relying on the good will and limited available time of 3rd parties to work on it.

While many of the most recent attacks are performing address spoofing, collecting raw packet detail and knowing where it enters your network can offer at least the start of where to look for it. You can at least start with your peer or upstream. Examine IP TTLs to gauge at least how far back those packets are coming from. If your network is diverse enough from a global routing perspective, you may be able to triangulate it better.

I'd be particularly interested in working with folks in tracking down the DNS 'IN ANY' style attacks to the attack code or source attacks. Please shoot me an email off list or see me at NANOG 57 to discuss.

John
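The TTL-and-ingress-interface approach John describes, worked through as an added example that is not part of either mail. The records below are constructed (interface names and addresses from the documentation ranges are assumptions, not anything from Shahab's router); the hop count is a heuristic that assumes the sender's OS started the TTL at one of the common defaults (64, 128 or 255), so two sources that pick different defaults can look the same distance away by accident. The key property is that a spoofed source address does not change how many routers decremented the TTL, so the distance estimate is of the real sender, and a single claimed source seen with wildly different TTLs in one short window is a hint that the address field is being forged.

```python
"""Hop-distance estimate and spoofing hint from raw flood packets, grouped by ingress interface.

Added example, not code from the mailing-list thread. Input records are constructed:
(ingress interface, claimed source address, observed IP TTL).
"""
from collections import Counter, defaultdict

# Initial TTL values most hosts start with: 64 (Linux/macOS/BSD-derived), 128 (Windows),
# 255 (many network devices and some Unix). Assumption: the sender used one of these.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: what a short raw capture at two edge interfaces might contain.
# Addresses are RFC 5737 documentation space; interface labels are invented.
SAMPLE = [
    ("Gi0/1 (upstream A)", "198.51.100.7", 52),
    ("Gi0/1 (upstream A)", "198.51.100.7", 51),
    ("Gi0/1 (upstream A)", "203.0.113.9", 116),
    ("Gi0/1 (upstream A)", "203.0.113.9", 117),
    ("Gi0/2 (peer B)", "192.0.2.44", 240),
    ("Gi0/2 (peer B)", "192.0.2.44", 48),   # same "source", very different TTL
    ("Gi0/2 (peer B)", "192.0.2.45", 241),
]


def infer_hops(ttl):
    """Return (assumed initial TTL, hop count): the smallest common default not below the observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def summarize(records, spread_threshold=3):
    """Per ingress interface: packet count and min/max/most-common hop distance.

    Also returns claimed source addresses whose observed TTLs vary by more than
    spread_threshold within the window, a heuristic sign of address spoofing.
    """
    hops_by_iface = defaultdict(list)
    ttls_by_src = defaultdict(set)
    for iface, src, ttl in records:
        _, hops = infer_hops(ttl)
        hops_by_iface[iface].append(hops)
        ttls_by_src[src].add(ttl)

    summary = {}
    for iface, hops in hops_by_iface.items():
        summary[iface] = {
            "packets": len(hops),
            "min_hops": min(hops),
            "max_hops": max(hops),
            "mode_hops": Counter(hops).most_common(1)[0][0],
        }
    suspicious = sorted(
        src for src, ttls in ttls_by_src.items() if max(ttls) - min(ttls) > spread_threshold
    )
    return summary, suspicious


if __name__ == "__main__":
    summary, suspicious = summarize(SAMPLE)
    for iface, stats in summary.items():
        print(f"{iface}: {stats['packets']} pkts, hops {stats['min_hops']}-{stats['max_hops']} "
              f"(most common {stats['mode_hops']})")
    print("claimed sources with inconsistent TTLs:", suspicious)
```

In practice you would feed this from the capture you take on the ingress interface the accounting counters point at, then hand the per-interface hop distance and timing to that peer or upstream so they can repeat the exercise one hop further back; a tight hop-count cluster on one interface is what makes the handoff worth the third party's time.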