[Fwd: Re: DNS DDoS [was: register.com down sev0?]]
We ran into similar attacks (a couple of days back) coming from a non-spoofed address range (being initiated from valid prefixes). I was working (w/ a co-worker of mine) on a network attack situation (trace process) for a 30,000 user location (serving 60 other school districts) running BCP38 & rate-limit, which got ddos'd w/ about 8mpps. It appears that these attacks were coming from the inside, which not only saturated devices along the way but also got amplified into several other networks, also causing significant flaps to its peered connection (OC-xx).

Besides being distracted with this incredible amount of traffic flow, our number one goal was to prevent this bleeding; thanks to the distributed monitoring sensors (maybe we got lucky) we were able to identify and sink-hole (null route) certain blocks (vlans) while we worked with the network/desktop team to isolate the infected machines. This was certainly a hair-pulling experience.

The point that I'm trying to make here is, you can have data coming from a herd of compromised hosts (bots, self-propagating worms, spam-relays, fake http get requests, backdoors, etc) that can attack against a well-protected system(s), so any kind of defense mechanism can/will get defeated. Then again, it doesn't mean one wouldn't want to follow well practiced prevention methods.

Just curious, any ddos vendors want to share their success stories :-)

regards,
/virendra

-------- Original Message --------
Subject: Re: DNS DDoS [was: register.com down sev0?]
Date: Thu, 26 Oct 2006 17:32:56 +0000
From: jerry@jdixon.com
Reply-To: jerry@jdixon.com
To: Robert Boyle <robert@tellurian.com>, owner-nanog@merit.edu, Patrick W. Gilmore <patrick@ianai.net>, Nanog <nanog@merit.edu>
References: <Pine.LNX.4.44.0610260102100.3923-100000@bawx.pilosoft.com> <EFCE96D7-101C-466E-8FCB-AB150E894A98@ianai.net> <7.0.1.0.2.20061026120223.13fa2598@tellurian.com>

The network hardware vendors do need to include the feature to support BCP-38. It'll help us out on a number of fronts, especially with some of the recent cyber attacks. We're in the process of reaching out to many of the companies and many providers to encourage the implementation of BCP-38. We've gotten a lot of great feedback from many of you and it's greatly appreciated. You know who you are :) Especially some of the feedback related to the hardware OS issues.

-Jerry
Jerry@jdixon.com or jerry.dixon@us-cert.gov
Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: Robert Boyle <robert@tellurian.com>
Date: Thu, 26 Oct 2006 12:04:03
To: "Patrick W. Gilmore" <patrick@ianai.net>, nanog@merit.edu
Subject: Re: DNS DDoS [was: register.com down sev0?]

At 11:21 AM 10/26/2006, you wrote:
> Unfortunately, as Jared has pointed out, the equipment vendors have to help the operators support this. So let's all call your favorite router vendor and ask them when they will have the "ip bcp38" config option. :)

Even better would be the option: "no ip bcp38". Make it so a conscious action is needed to disable it, but PLEASE put that in the release notes so when the config doesn't "change" we know that something really did change... :)

R

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
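As an added illustration of virendra's point above (constructed here, not part of the thread): a BCP38 ingress check only drops sources outside the interface's assigned prefixes, so a flood from compromised inside hosts using their real addresses passes straight through, and the operator is left aggregating the surviving rate per block to choose what to null-route. The prefixes, flow records, /24 block size and threshold are all constructed values.

```python
import ipaddress
from collections import Counter

# Constructed: prefixes assigned to a customer-facing interface. BCP38 says
# only packets sourced from these may enter the network on that interface.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("10.20.0.0/16", "192.0.2.0/24")]

# Constructed flow records: (src_ip, dst_ip, packets_per_second).
FLOWS = [
    ("10.20.5.10",  "198.51.100.53", 200_000),  # inside host, real source, flooding
    ("10.20.5.11",  "198.51.100.53", 180_000),  # same VLAN block
    ("10.20.5.12",  "198.51.100.53", 190_000),
    ("10.20.77.4",  "198.51.100.53", 500),      # ordinary inside user
    ("203.0.113.9", "198.51.100.53", 300_000),  # spoofed: not one of our prefixes
    ("192.0.2.40",  "198.51.100.53", 800),
]

def bcp38_permitted(src: str) -> bool:
    """Ingress filter: accept only sources that fall inside the interface's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES)

def apply_ingress_filter(flows):
    """Split flows into those BCP38 lets through and those it drops."""
    passed, dropped = [], []
    for flow in flows:
        (passed if bcp38_permitted(flow[0]) else dropped).append(flow)
    return passed, dropped

def pps_per_block(flows, prefixlen=24):
    """Aggregate rate per source /prefixlen (one VLAN block in the post's setting)."""
    totals = Counter()
    for src, _dst, pps in flows:
        block = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        totals[str(block)] += pps
    return totals

def blocks_to_sinkhole(flows, threshold_pps):
    """Blocks whose aggregate rate exceeds the threshold: candidates for a null route."""
    return sorted(b for b, pps in pps_per_block(flows).items() if pps > threshold_pps)
```

Run against the constructed flows, the filter drops only the 203.0.113.9 source; the three flooding hosts in 10.20.5.0/24 pass, and that block is what the rate aggregation singles out for a null route.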
On Thu, 26 Oct 2006, virendra rode // wrote:
> Just curious, any ddos vendors want to share their success stories :-)

If you access Cisco as a customer: http://www.cisco.com/en/US/customer/products/ps5887/products_case_study0900a... "Rackspace Managed Hosting" - Customer Success Story

-Hank Nussbacher
http://www.interall.co.il