Upsurge in attacks?
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year? Deepak Jain AiNET
I've just noticed the normal upsurge in traffic from the returning students. Universities complaining they don't have enough b/w when they are trying to force 8MB worth of traffic down a couple of t-1's. No major attacks that I have seen on my network so far. But then again, this is only the first day of classes for students in my state (MN) - let's see what the rest of the week brings when all the students get their computers on the LAN's. I'm just waiting for all the kids to find the latest and greatest bandwidth-chewing-let's-get-my-warez-pr0n-server tools. -Eric
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
That should read ... ...college kids have been left to their own devices... Cell phones and email don't mix.
Deepak Jain
AiNET

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Deepak Jain
Sent: Tuesday, September 04, 2001 5:55 PM
To: Nanog@Merit. Edu
Subject: Upsurge in attacks?

Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
Deepak Jain
AiNET
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
The IP-Spoofing scan floods have been unreal..from my own customers. ntop helps detect them.. but it's tough when they are behind NAT firewalls. (see: www.ntop.org)
On Tue, 4 Sep 2001, mike harrison wrote:
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
The IP-Spoofing scan floods have been unreal..from my own customers.
have you considered RFC 2827? - Paul
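An added example, not part of any poster's message: the source-address check that RFC 2827 ingress filtering performs at the customer edge, run over constructed flow samples. The interface names, prefixes and flows are assumptions made up for illustration.

```python
import ipaddress
from collections import Counter

# Constructed assignments: customer-facing interface -> prefixes delegated to it.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/26", "198.51.100.0/24"],
}

# Constructed flow samples: (ingress interface, source address, destination).
FLOWS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),     # inside cust-a's prefix
    ("cust-a", "10.1.2.3", "203.0.113.5"),       # private space, never assigned
    ("cust-a", "198.51.100.77", "203.0.113.5"),  # real prefix, wrong customer
    ("cust-b", "198.51.100.77", "203.0.113.9"),  # inside cust-b's prefix
    ("cust-b", "192.0.2.10", "203.0.113.9"),     # belongs to cust-a
    ("cust-b", "192.0.2.130", "203.0.113.9"),    # inside cust-b's /26
    ("cust-c", "192.0.2.200", "203.0.113.9"),    # interface with no assignment
]


def build_table(assigned):
    """Parse the prefix strings once so each lookup is a cheap membership test."""
    return {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in assigned.items()
    }


def source_is_valid(table, iface, src):
    """True only if src falls inside a prefix delegated to the ingress interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(iface, []))


def audit(flows, assigned):
    """Count, per ingress interface, the packets an RFC 2827 filter would drop."""
    table = build_table(assigned)
    forged = Counter()
    for iface, src, _dst in flows:
        if not source_is_valid(table, iface, src):
            forged[iface] += 1
    return dict(forged)


if __name__ == "__main__":
    for iface, count in sorted(audit(FLOWS, ASSIGNED).items()):
        print(f"{iface}: {count} packet(s) with a source outside the assigned prefixes")
```

The check is keyed on the ingress interface, so an address that is valid for one customer is still rejected when it arrives from another.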
I wanted to reroute forged traffic through an RFC2549 network. Budget considerations kept us from training a sufficient number of "network" handlers, though.
DJ

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Paul Walmsley
Sent: Tuesday, September 04, 2001 7:19 PM
To: mike harrison
Cc: Nanog@Merit. Edu
Subject: Re: Upsurge in attacks?

On Tue, 4 Sep 2001, mike harrison wrote:
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
The IP-Spoofing scan floods have been unreal..from my own customers.
have you considered RFC 2827? - Paul
Oh yea. I've noticed a certain "Regional" get absolutely shredded several times in the past week or so. Supposedly something along the lines of 400Kpps on each border all destined for some unnamed, allegedly now terminated customer of theirs.
---
John Fraizer
EnterZone, Inc

On Tue, 4 Sep 2001, Deepak Jain wrote:
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
Deepak Jain AiNET
On Tue, Sep 04, 2001 at 05:54:50PM -0400, Deepak Jain wrote:
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
I can't speak to the sophistication, but our DoS count has had a strong upswing. Much to my dismay while on call. Next law for Colorado to pass: "Make My Network". If they're on your net, and presenting a threat, you can shoot them in self-defense?
--
***************************************************************************
Joel Baker System Administrator - lightbearer.com
lucifer@lightbearer.com http://www.lightbearer.com/~lucifer
On Tue, 4 Sep 2001, Joel Baker wrote:
Next law for Colorado to pass: "Make My Network". If they're on your net, and presenting a threat, you can shoot them in self-defense? -- *************************************************************************** Joel Baker System Administrator - lightbearer.com
What? You mean it's not legal now? Wow. I'm in BIG trouble! <g> --- John Fraizer EnterZone, Inc
On Tue, Sep 04, 2001 at 08:40:15PM -0400, John Fraizer wrote:
On Tue, 4 Sep 2001, Joel Baker wrote:
Next law for Colorado to pass: "Make My Network". If they're on your net, and presenting a threat, you can shoot them in self-defense?
What? You mean it's not legal now? Wow. I'm in BIG trouble! <g>
It may be, where you are. Check local listings for details. :) (Having flashbacks to the "Guns in the NOC" and "Target range at Oakland NANOG" threads...)
--
***************************************************************************
Joel Baker System Administrator - lightbearer.com
lucifer@lightbearer.com http://www.lightbearer.com/~lucifer
Deepak Jain wrote:
Has anyone else noticed an upsurge in unsophisticated [packet flood, etc] attacks since college kids have to their own devices in dorms again this year?
Well... depends on the kind of attack. I'm actually seeing fewer large packet ICMP attacks than I was a couple of months ago. I'm guessing this is because more zombied machines have been cleared out. There are the normal number of scans that one might expect (bored freshmen with ethernet connections to the fastest network they've ever seen, what would you do?) but, surprisingly enough the number of naive DoS attacks seems to be on the decline around me. I need to look at the security logs a little closer but I think I'm correct. I wrote our security stuff but I've not looked at it in almost a month now. Note: We only really start to give a damn when attacks start to suck up more than 20Mbps on its own. Anything less than that is either not worth the hassle or gets lost in the noise. Our position as a GigaPOP eliminates a few potential areas of concern.
On Tue, 4 Sep 2001, Chris Rapier wrote:
Note: We only really start to give a damn when attacks start to suck up more than 20Mbps on its own. Anything less than that is either not worth the hassle or gets lost in the noise. Our position as a GigaPOP eliminates a few potential areas of concern.
That's nice to know. So, if we see <20Mb/s attack from psc.edu, to get your attention and make sure you give a damn about the initial problem, we should counter-attack with 50-60Mb/s or so? Is that the official stance of psc.edu?
---
John Fraizer
EnterZone, Inc
On Tue, 4 Sep 2001, Chris Rapier wrote:
Note: We only really start to give a damn when attacks start to suck up more than 20Mbps on its own. Anything less than that is either not worth the hassle or gets lost in the noise. Our position as a GigaPOP eliminates a few potential areas of concern.
That's nice to know. So, if we see <20Mb/s attack from psc.edu, to get your attention and make sure you give a damn about the initial problem, we should counter-attack with 50-60Mb/s or so? Is that the official stance of psc.edu?
I hope he was talking about attacks on him (inbound to him) rather than attacks originating on his network. However, if you ignore a 20Mbps attack, you may wind up launching your own 20Mbps attack unwittingly. For example, if someone sends you spoofed TCP SYN packets, you may respond with an equal number of ICMP unreachable packets, flooding an innocent victim. So you generally cannot ignore 'small' floods, even if they're not harming you. At least, that is, if you care about who you hurt. DS
Well... depends on the kind of attack. I'm actually seeing fewer large packet ICMP attacks than I was a couple of months ago. I'm guessing this is because more zombied machines have been cleared out. There are the normal number of scans that one might expect (bored freshmen with ethernet connections to the fastest network they've ever seen, what would you do?) but, surprisingly enough the number of naive DoS attacks seems to be on the decline around me. I need to look at the security logs a little closer but I think I'm correct. I wrote our security stuff but I've not looked at it in almost a month now.
Can you clarify that last bit some? You've not looked at the code? Filters? As far as freshmen with 'phat pipe', in this day and age, I expect a little restraint and common sense, but we _are_, generally speaking, talking about American college students. Neither of which seem to be in great supply. t
participants (9)
- Chris Rapier
- David Schwartz
- Deepak Jain
- Eric Whitehill
- Joel Baker
- John Fraizer
- mike harrison
- Paul Walmsley
- Todd Suiter