Under DDoS attack; what do I do now?
We appear to be under a distributed denial of service attack. We are receiving 7.5+ megabits per second of ICMP traffic (it looks like a smurf attack) from all over to a single address (one that was in our dialup pool). We've taken the IP out of our pool and are routing it to a separate interface with a computer just set up to capture traffic.

It isn't causing an immediate problem, since we've routed the traffic away, but what do we do next? We've been contacted by a couple of the people sending the ICMP replies complaining about us pinging them and told them about fixing distributed broadcast and they've said they'll look into it.

What do we do to track this down? We've got four upstreams and the traffic appears to be coming in all four; do we need to call all of them? Is there any kind of organization that can help coordinate this?

Thanks for any help you can give.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
On Wed, 30 Aug 2000, Chris Adams wrote:
> We appear to be under a distributed denial of service attack. We are receiving 7.5+ megabits per second of ICMP traffic (it looks like a smurf attack) from all over to a single address (one that was in our dialup pool). We've taken the IP out of our pool and are routing it to a separate interface with a computer just set up to capture traffic.
>
> It isn't causing an immediate problem, since we've routed the traffic away, but what do we do next? We've been contacted by a couple of the people sending the ICMP replies complaining about us pinging them and told them about fixing distributed broadcast and they've said they'll look into it.
Lovely. Generally people who pay close attention to things like that have already got their smurf filters enabled. At least they noticed it though.
> What do we do to track this down? We've got four upstreams and the traffic appears to be coming in all four; do we need to call all of them? Is there any kind of organization that can help coordinate this?
Call CERT. 1.888.222.0700. Hopefully they'll not be too busy sitting on their hands to help. Also, call back the people being used as amplifiers and see if they can have their providers start tracing the path of the forged packets back to the originator.
> Thanks for any help you can give.

-- 
Joseph W. Shaw - jshaw@insync.net
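The capture box Chris describes only helps with "tracking this down" once its contents are turned into the list of amplifier networks that Joe suggests handing to their operators and providers. The script below is an added example for that step; it is not code from the thread or from any of its participants. It parses a classic libpcap file, keeps only IPv4 ICMP echo replies addressed to the victim, groups the senders by /24, and reports per-network packet and byte counts, the number of distinct replying hosts (many hosts answering from one prefix is the signature of a directed-broadcast amplifier), and the aggregate rate. Everything specific in it is an assumption for illustration: the victim address 192.0.2.10 and the amplifier prefixes are RFC 5737 documentation addresses, the capture is constructed in memory rather than taken from the thread, and the IP and ICMP checksums in the constructed frames are left at zero because the parser never verifies them.

```python
"""Group the ICMP echo replies in a smurf flood capture by amplifier network.

Added example for the thread above; it is not code from any participant.
The sample capture is constructed in memory with RFC 5737 documentation
addresses, and IP/ICMP checksums are left at zero (the parser ignores them).
"""
import ipaddress
import struct
from collections import defaultdict

TARGET = "192.0.2.10"  # assumed victim address (the former dial-up pool IP)


def build_frame(src, dst, proto=1, icmp_type=0, payload_len=56):
    """Ethernet + IPv4 + (ICMP header, or 20 opaque bytes) + zero payload."""
    l4 = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) if proto == 1 else b"\x00" * 20
    total_len = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + b"\x00" * payload_len


def build_pcap(frames, interval=0.0001):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        usec = int(round(i * interval * 1e6))
        out += struct.pack("<IIII", usec // 1_000_000, usec % 1_000_000, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_pcap(data):
    """Yield (timestamp, frame) from libpcap bytes; handles both byte orders."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not supported)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_icmp_reply(frame):
    """Return (src, dst) for an IPv4 ICMP echo reply, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or len(frame) < 14 + ihl + 8:
        return None                      # not ICMP, or truncated
    if frame[14 + ihl] != 0:
        return None                      # ICMP type 0 = echo reply
    return (str(ipaddress.ip_address(frame[26:30])),
            str(ipaddress.ip_address(frame[30:34])))


def summarize(pcap_bytes, target=TARGET, prefixlen=24):
    """Count echo replies to `target` per source network, ranked by bytes."""
    nets = defaultdict(lambda: {"packets": 0, "bytes": 0, "hosts": set()})
    first = last = None
    total_packets = total_bytes = 0
    for ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_icmp_reply(frame)
        if parsed is None or parsed[1] != target:
            continue
        src = parsed[0]
        net = str(ipaddress.ip_network(f"{src}/{prefixlen}", strict=False))
        nets[net]["packets"] += 1
        nets[net]["bytes"] += len(frame)
        nets[net]["hosts"].add(src)
        total_packets += 1
        total_bytes += len(frame)
        first = ts if first is None else first
        last = ts
    span = (last - first) if first is not None else 0.0
    mbps = total_bytes * 8 / span / 1e6 if span > 0 else 0.0
    ranked = sorted(nets.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return {
        "packets": total_packets,
        "bytes": total_bytes,
        "mbps": mbps,
        # (network, packets, bytes, distinct replying hosts)
        "networks": [(n, r["packets"], r["bytes"], len(r["hosts"])) for n, r in ranked],
    }


def sample_capture():
    """Constructed capture: 10 frames of noise, then replies from two amplifier nets."""
    frames = []
    frames += [build_frame("198.51.100.250", TARGET, icmp_type=8) for _ in range(5)]  # echo requests
    frames += [build_frame("203.0.113.250", TARGET, proto=6) for _ in range(2)]       # TCP
    frames += [build_frame("198.51.100.7", "192.0.2.99") for _ in range(3)]           # replies to another host
    for host in range(1, 21):                     # 20 hosts behind one directed-broadcast address
        frames += [build_frame(f"198.51.100.{host}", TARGET) for _ in range(3)]
    for host in range(1, 11):                     # 10 hosts behind another
        frames += [build_frame(f"203.0.113.{host}", TARGET) for _ in range(2)]
    return build_pcap(frames)


if __name__ == "__main__":
    report = summarize(sample_capture())          # real use: open("smurf.pcap", "rb").read()
    print(f"{report['packets']} replies, {report['bytes']} bytes, {report['mbps']:.2f} Mbit/s")
    for net, pkts, nbytes, hosts in report["networks"]:
        print(f"  {net:20} {pkts:6} pkts {nbytes:8} bytes {hosts:4} hosts")
```

Against a real capture, replace the constructed bytes with the file contents; the rate is computed over the span of matching replies, so a capture that was stopped and restarted will understate it. The host count per prefix is the column to sort by when deciding whom to call first: a prefix with a handful of replying hosts may just be a few misconfigured machines, while one with dozens of hosts answering the same spoofed echo request is an amplifier whose router still forwards directed broadcasts.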
On Wed, 30 Aug 2000, Chris Adams wrote:
> We appear to be under a distributed denial of service attack. We are receiving 7.5+ megabits per second of ICMP traffic (it looks like a smurf attack) from all over to a single address (one that was in our dialup pool). We've taken the IP out of our pool and are routing it to a separate interface with a computer just set up to capture traffic.

It's a good thing this isn't an IP address from your hosting pool that just happens to have 1000 websites associated with it, isn't it?

Phone call to Huge customer A: "Um, ya... Your website, email, blah blah blah are ALL down because we had to route the IP address you share with 999 other clients to a capture device. It seems that space-sprocket-inc.com is under a DDoS attack. No, your sites are not under attack. You're just suffering as a result of the ARIN policy that frowns on assigning an IP address to each website and since our company name doesn't start with "ex" or "gl" we were not given an exception and cannot obtain IP space."

Phone call to upstream B NOC: "Ya. We know you're dying. We would love to be able to reduce the impact of this attack but, since we don't have 4000+ individual machines, we didn't qualify for our own /20 from ARIN. We know the attack is so large that it has ground our network to a complete halt and is putting a serious damper on yours. We would love to be able to retract the /20 announcement and announce specific /24's for all but the one /24 that the target address is in but, you know ARIN. They're the reason you could only assign us a /25 and static route into us. Hey, btw: once this is over, we'll send you some neato pictures of our NAT boxes. They're glowing white hot right now!"

---
John Fraizer
EnterZone, Inc
participants (3)
- Chris Adams
- Joe Shaw
- John Fraizer