RE: DOS Attacks and reliable network contact data.
That's why MPLS is such a Good Thing - attacks which would cripple 72xx-series & 75xx-series routers can actually be handled without flinching, as the CPU overhead is reduced tremendously by making use of the switch's muscle and efficiency. One of my customers was getting DoSed all the time; his router (7206, NPE-150) was seeing 75%-100% CPU utilization during these times (average was 50%). We took that 7206 and used it as the MLS-RP for a Catalyst 5509 he had lying around (Sup-III, NFFC II), and now he just hums along when they try and zorch his router. An attack which would max him out at 100% before now drives his CPU to perhaps 25%. His -average- CPU load went down from the aforementioned 50% to 5%, all without changing the router in any way other than turning it into the layer-3 engine for the switch. A pretty decent solution, for having been put together from existing equipment.

-----------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice

-----Original Message-----
From: Basil Kruglov [mailto:basil@cifnet.com]
Sent: Saturday, October 21, 2000 4:05 PM
To: nanog@nanog.org
Subject: Re: DOS Attacks and reliable network contact data.

On Sat, Oct 21, 2000 at 05:14:53PM -0400, Jason Slagle wrote:
> 21259901:21259901(0) ack 1412091198 win 2144 <mss 536>
> 22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
> 22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack 529389642 win 0
> 22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127 win 9112 (DF)
> 22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack 1362286194 win 0
We do get this sort of crap daily, at least 5 times a day, distributed tcp/ack, tcp/syn, etc., over 40-50Kpps+ sometimes... my list of over ~230 slave networks (in /24 format). Kids are after taking CPUs in routers out and not killing you with hundreds and hundreds of Mbps; high-pps attacks are also very nasty, and of course everything is over some stupid IRC issue.

There exists no reliable way to get the contact of a network without first querying arin, then apnic, then the .jp registry for instance. This is a royal PITA and is in no way scriptable that I can see.

What is neat is all those 'slaves' are spoofing inside their own /24 or whatever allocation they sit in, and it's very hard to persuade somebody to look into this as they claim those ip addresses are not in use or have only routers/switches and there is no way those devices could've generated a [d]DoS attack.

--
Basil Kruglov [BK252-ARIN]
Network Engineering and Security
CIFNet, Inc.
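The tcpdump excerpt and the two observations above (a stateless ACK/RST stream from many sources, and slaves spoofing inside their own /24, which is why .0 and .255 hosts show up as "senders") are easy to turn into a triage script. The following is an added example, not code from any of the posters: it parses the classic one-line tcpdump TCP format quoted in the thread, flags a victim socket that receives a high proportion of RST-with-zero-window or payload-less bare-ACK packets from many distinct sources, singles out the network/broadcast-style sources that give in-block spoofing away, and emits the offending networks in the /24 format the post mentions. The thresholds (`min_sources`, `min_noise_ratio`) and the sample capture beyond the four genuine lines are constructed assumptions.

```python
"""Triage a tcpdump capture for a distributed TCP ACK/RST flood.

Added example for this thread, not code from the original posts. Input is the
classic one-packet-per-line tcpdump TCP summary quoted in the thread, e.g.
  22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
"""
import ipaddress
import json
import re
from collections import defaultdict

# Old-style tcpdump TCP line. Flags are a run of S/F/R/P/.; the seq range and
# the ack field are each optional (a pure RST has "0:0(0)", a bare ACK has none).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?:\d+:\d+\((?P<plen>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None for anything else
    (comments, truncated lines, non-TCP output)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
        "plen": int(d["plen"]) if d["plen"] else 0,
        "ack": d["ack"] is not None,
        "win": int(d["win"]),
    }


def is_stateless_noise(pkt):
    """RST with a zero window, or a payload-less bare ACK: the packets an
    ACK/RST flood is built from. Neither can belong to a session the victim
    ever opened, so a stream made mostly of these is not traffic."""
    if "R" in pkt["flags"] and pkt["win"] == 0:
        return True
    return pkt["flags"] == "." and pkt["plen"] == 0 and pkt["ack"]


def looks_spoofed_in_block(src):
    """The limited broadcast and the .0 / .255 hosts of a /24 do not originate
    TCP. Seeing them as sources is the fingerprint of a slave randomising the
    low octet of its own allocation (in-block spoofing). Assumption: /24-sized
    blocks, which matches the post's list format."""
    a = ipaddress.IPv4Address(src)
    return a == LIMITED_BROADCAST or (int(a) & 0xFF) in (0, 255)


def triage(lines, min_sources=5, min_noise_ratio=0.8):
    """Group packets per victim (dst, dport) and report each victim that sees
    a mostly-stateless stream from many distinct sources, together with the
    spoof-revealing sources and the /24s to complain to."""
    per_target = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            per_target[(pkt["dst"], pkt["dport"])].append(pkt)
    report = {}
    for (dst, dport), pkts in per_target.items():
        sources = {p["src"] for p in pkts}
        ratio = sum(1 for p in pkts if is_stateless_noise(p)) / len(pkts)
        if len(sources) < min_sources or ratio < min_noise_ratio:
            continue
        # 255.255.255.255 has no owner, so it cannot name a slave network.
        nets = {ipaddress.ip_network(s + "/24", strict=False)
                for s in sources if ipaddress.IPv4Address(s) != LIMITED_BROADCAST}
        report[f"{dst}:{dport}"] = {
            "packets": len(pkts),
            "sources": len(sources),
            "noise_ratio": round(ratio, 2),
            "spoofed_in_block": [str(a) for a in sorted(
                ipaddress.IPv4Address(s) for s in sources if looks_spoofed_in_block(s))],
            "slave_networks": [str(n) for n in sorted(nets)],
        }
    return report


# Constructed capture: the four complete lines quoted in the thread, followed
# by invented lines in the same format (more flood sources, then one genuine
# SSH handshake from 10.1.2.3 that must NOT be reported).
SAMPLE = """\
22:30:52.822459 255.255.255.255.80 > 205.133.127.30.6667: R 0:0(0) ack 2473479669 win 0
22:30:52.822711 210.251.128.255.80 > 205.133.127.30.6667: R 0:0(0) ack 529389642 win 0
22:30:52.822962 195.53.123.0.80 > 205.133.127.30.6667: . ack 1625272127 win 9112 (DF)
22:30:52.823213 152.158.37.127.80 > 205.133.127.30.6667: R 0:0(0) ack 1362286194 win 0
22:30:52.823460 210.251.128.17.80 > 205.133.127.30.6667: R 0:0(0) ack 918273645 win 0
22:30:52.823701 195.53.123.200.80 > 205.133.127.30.6667: . ack 44556677 win 8760
22:30:52.823950 152.158.37.9.80 > 205.133.127.30.6667: R 0:0(0) ack 1122334455 win 0
22:30:52.824190 63.99.12.255.80 > 205.133.127.30.6667: R 0:0(0) ack 99887766 win 0
22:30:53.100000 10.1.2.3.1045 > 205.133.127.30.22: S 5000:5000(0) win 16384 <mss 1460> (DF)
22:30:53.105000 205.133.127.30.22 > 10.1.2.3.1045: S 9000:9000(0) ack 5001 win 5840 <mss 1460> (DF)
22:30:53.110000 10.1.2.3.1045 > 205.133.127.30.22: . ack 9001 win 16384 (DF)
22:30:53.200000 10.1.2.3.1045 > 205.133.127.30.22: P 5001:5030(29) ack 9001 win 16384 (DF)
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE.splitlines()), indent=2))
```

Run it as-is to see the report for the constructed capture, or feed it `tcpdump -n tcp` output line by line; the legitimate SSH handshake in the sample is dropped because it comes from a single source and is mostly stateful. The `slave_networks` list is what you would take to the whois lookups the post describes, and `spoofed_in_block` is the evidence to hand a reluctant upstream when they answer that "those addresses are not in use".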