Get in touch with these guys, ask about SLT Director:

Radware, Inc.
http://www.radware.com
Jason Harrison, Regional Sales Manager - Northern California
721 Emerson Court
San Jose, CA 95126
voice: 408.279.2310; fax: 408.279.2510

-----Original Message-----
From: Pascal Gloor [mailto:pascal.gloor@spale.com]
Sent: Wednesday, January 16, 2002 3:13 PM
To: nanog@nanog.org
Subject: Re: Growing DoS attacks
For years, IRC (users and/or servers) has been getting dDoS'ed... We also see a growth of the dDoS attacks. For example on Undernet some servers get attacked every day with 100+Mbps for a few minutes, and sometimes for long long hours... Those attacks are usually coming from user - IRC Operator conflicts; those users think they may ask anything of an OPER with the power of a dDoS. We try to provide a free service, and all of us know how hard it is to get a host with good connectivity for free, and on the other side we see those young 'script kiddies' playing around with hundreds of compromised hosts like a game, and they have no idea how much it costs all the flooded networks... Unlikely I have to say that most of these 'script kiddies' are from Romania. I don't know why it's so many times coming from them....
If you run a well dDoS'ed IRC Server on your network I have a solution for you... not the best one, but still technically working..
Get a /24 (be careful that there is no bigger network announced which would include it!!! I mean like if you get 10.10.10/24, 10/8 would include it)
Get a box, and run Zebra BGPD, which will announce that /24 to your network. Then do a script which monitors the traffic to the irc server, and on a certain threshold, kill BGPD. Wait a certain time, like 15 minutes or so, and restart BGPD. It would be nice to check the traffic every minute and if 2 consecutive checks are positive kill bgpd. That means that you may be able to STOP dDoS to irc servers within 2-3 minutes...
just my 0.00001 EUR
Cheers.. Pascal
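A sketch of the monitoring script described in the quoted message, added here as an example and not part of the original thread or of Zebra. Assumptions: the box can read a Linux sysfs receive counter for the interface carrying the IRC server's traffic (`eth0` is hypothetical), the 100 Mbps threshold is chosen for illustration, and `killall bgpd` / `bgpd -d` stand in for however bgpd is stopped and started on your system.

```python
import subprocess
import time

THRESHOLD_MBPS = 100   # assumed trigger level; the post names no exact threshold
CHECK_INTERVAL = 60    # "check the traffic every minute"
STRIKES = 2            # "2 consecutive checks are positive"
HOLD_DOWN = 15 * 60    # "like 15 minutes or so"

class Watchdog:
    """Decides when to withdraw and re-announce the /24 (hypothetical helper)."""
    def __init__(self, threshold=THRESHOLD_MBPS, strikes=STRIKES, hold_down=HOLD_DOWN):
        self.threshold, self.strikes, self.hold_down = threshold, strikes, hold_down
        self.announced, self.hits, self.withdrawn_at = True, 0, None

    def step(self, mbps, now):
        """Feed one traffic sample; return 'withdraw', 'announce' or None."""
        if not self.announced:
            # While withdrawn no traffic arrives, so samples are ignored
            # and only the hold-down timer matters.
            if now - self.withdrawn_at >= self.hold_down:
                self.announced, self.hits = True, 0
                return "announce"
            return None
        # One quiet sample resets the streak, so a short spike does not trip it.
        self.hits = self.hits + 1 if mbps >= self.threshold else 0
        if self.hits >= self.strikes:
            self.announced, self.withdrawn_at = False, now
            return "withdraw"
        return None

def rx_bytes(iface):
    # Assumption: Linux sysfs byte counter for the monitored interface.
    with open(f"/sys/class/net/{iface}/statistics/rx_bytes") as f:
        return int(f.read())

def mbps(prev, cur, seconds):
    # A counter reset gives a negative delta; treat that sample as zero.
    return max(cur - prev, 0) * 8 / seconds / 1e6

def run(iface="eth0"):
    wd, prev = Watchdog(), rx_bytes(iface)
    while True:
        time.sleep(CHECK_INTERVAL)
        cur = rx_bytes(iface)
        action = wd.step(mbps(prev, cur, CHECK_INTERVAL), time.time())
        prev = cur
        if action == "withdraw":
            subprocess.run(["killall", "bgpd"], check=False)  # stop announcing
        elif action == "announce":
            subprocess.run(["bgpd", "-d"], check=False)       # restart as daemon

if __name__ == "__main__":
    run()
```

If the flood is still running when the hold-down expires, the prefix is withdrawn again after two more positive checks, so the route flaps on roughly a 17-minute cycle until the attack ends.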
participants (1): LeBlanc, Jason