nanog mailing list archives
Re: Access Lists
From: Dan Boehlke <dboehlke () mr net>
Date: Thu, 26 Mar 1998 02:23:41 -0600 (CST)
By looking at netflow stats or ip accounting I can usually find the host being attacked by sorting the list by destination. The source will point to hosts on a net being used as a smurf packet replicator, giving a hint who might need to be contacted to shut off directed broadcasts. Netflow stats even show it as being ICMP ECHO traffic if you look at the numeric codes in the flow export.

Once you know who is being attacked, you can call your upstream providers or peers and have it traced, but if you want the traffic stopped and the attack is flooding your pipe, about all you can do is stop the traffic from getting to you, so if you are BGP peering with your neighbors, withdraw the network announcement for the victim and the rest of your customers can continue to get their traffic. This doesn't help trace it in, although given how older cisco IOS code reacts to tossing out unroutable packets, the intermediate hosts may find they have a problem when their router CPU use hits 100%.

I too would rather have a good quick way to nail the people initiating this sort of attack. However I have also found that my customers who are victims are seldom random and are usually doing something to attract the attack, like running IRC bots or running a sendmail capable of being a SPAM relay. However I don't approve of vigilantism. This stuff can be taken care of in other ways.

On Thu, 26 Mar 1998, Phil Howard wrote:

> You could just withdraw your BGP announcement for the net being attacked and suddenly the attack packets will die at the first router without a default route on their way to the victim....along with everything else.
>
> Do you have some way of determining which router that is?
>
> -- Phil Howard
--
Dan Boehlke, Senior Network Engineer
M R N e t                           Internet: dboehlke () mr net
A MEANS Telcom Company              Phone: 612-362-5814
2829 SE University Ave. Suite 200   WWW: http://www.mr.net/~dboehlke/
Minneapolis, MN 55414
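As an added illustration of the triage Dan describes (sort the flow export by destination to find the victim, then group the sources to find the replicator nets), this is example code written for this page, not code from the post or from NANOG. It assumes NetFlow v5-style records in which, for ICMP flows, the destination-port field carries (type << 8) | code, and it runs over constructed sample flows.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (not from the post) in a NetFlow v5-style layout:
# (src, dst, proto, dstport, packets). For ICMP (proto 1), NetFlow v5 packs
# type and code into the destination-port field as (type << 8) | code, so an
# echo reply (0/0) exports as dstport 0 and an echo request (8/0) as 2048.
FLOWS = [
    # smurf replies from two amplifier nets aimed at one victim
    ("203.0.113.5", "198.51.100.7", 1, 0, 30000),
    ("203.0.113.9", "198.51.100.7", 1, 0, 28000),
    ("203.0.113.77", "198.51.100.7", 1, 0, 25000),
    ("192.0.2.18", "198.51.100.7", 1, 0, 22000),
    ("192.0.2.44", "198.51.100.7", 1, 0, 21000),
    # ordinary traffic that must not be flagged
    ("192.0.2.50", "198.51.100.20", 6, 80, 900),     # TCP, ignored
    ("203.0.113.200", "198.51.100.30", 1, 2048, 5),  # a real ping ...
    ("198.51.100.30", "203.0.113.200", 1, 0, 5),     # ... and its reply
]

ECHO_TYPES = {0: "echo-reply", 8: "echo-request"}

def icmp_echo_type(proto, dstport):
    """Decode the exported port field: 'echo-reply'/'echo-request' or None."""
    if proto != 1 or (dstport & 0xFF) != 0:
        return None
    return ECHO_TYPES.get(dstport >> 8)

def find_victims(flows, min_pkts):
    """Sort destinations by ICMP echo packet count (Dan's 'sort by
    destination'); anything above min_pkts is a host being flooded."""
    per_dst = Counter()
    for _src, dst, proto, dport, pkts in flows:
        if icmp_echo_type(proto, dport):
            per_dst[dst] += pkts
    return [(dst, n) for dst, n in per_dst.most_common() if n >= min_pkts]

def replicator_nets(flows, victim, prefix=24):
    """Group the sources of echo replies hitting `victim` by /prefix: each net
    is a likely directed-broadcast amplifier. Returns net -> (hosts, packets),
    noisiest net first, so its operator can be contacted first."""
    hosts, pkts = defaultdict(set), Counter()
    for src, dst, proto, dport, n in flows:
        if dst == victim and icmp_echo_type(proto, dport) == "echo-reply":
            net = str(ip_network(f"{src}/{prefix}", strict=False))
            hosts[net].add(src)
            pkts[net] += n
    return {net: (sorted(hosts[net], key=ip_address), pkts[net])
            for net, _ in pkts.most_common()}
```

The packet threshold is the only tuning knob; on a real export it should sit well above the echo volume a normal host ever receives.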