nanog mailing list archives

Re: Growing DoS attacks

From: Tom Sands <tsands () rackspace com>
Date: Wed, 16 Jan 2002 12:51:25 -0600


    We have anti-spoofing filters applied, however apparently a large number of
ISPs obviously still see them as unnecessary.  The attacks are a combination of
spoofed and real IP's.

    The trend there seems to be that if the attack is high PPS but low
bandwidth, the majority of those are spoofed.  Now a recent trend has been lower
PPS (increased size) and high bandwidth.  The ones that we have been able to
track successfully are coming from real sources, and have indeed been due to
things such as nimda.

    There have been several instances of people that were caught doing this
against us with approximately 1000 - 1500 servers under control via nimda, but
being able to notify the owners of all those servers is next to impossible.


--
Tom Sands
Chief Network Engineer
RackSpace Managed Hosting
tsands () rackspace com
(210)892-4000




Jared Mauch wrote:

        are you seeting these attacks be related to the lack of
anti spoofing filters?  where do they tend to be originating these
days?

        i suspect that 1) smurf amps that are still not fixed, 2)
high speed connectivity at homes (cable, .. some dsl still,) are allowing
people to send spoofed packets at higher rates.

        that combined and the number of windows based servers that
have been exploited (nimda, etc..) and those can be used also to send
spoofed packets at higher rates.

        - jared

On Wed, Jan 16, 2002 at 11:45:05AM -0600, Paul Froutan wrote:

Hello all,
Can some of you with larger networks let me know about the volume of the
DoS attacks you have experienced lately?  Our experience has been that the
volume (not just occurrence) is going up significantly and I'm curious on
the size of attacks that people are experiencing.  For reference, while a
year or two ago we used to get 50-100 meg attacks, now we're getting 500+
megs.
Thanks

_________________________________________
Paul Froutan, VP Engineering and Operations
Rackspace Managed Hosting
Email: pfroutan () rackspace com
----------------------------------------------------------------------


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.313 / Virus Database: 174 - Release Date: 1/2/2002


--
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

Current thread:

Growing DoS attacks Paul Froutan (Jan 16)
- Re: Growing DoS attacks Jared Mauch (Jan 16)
  - Re: Growing DoS attacks Tom Sands (Jan 16)
  - Re: Growing DoS attacks Clayton Fiske (Jan 16)
    - Re: Growing DoS attacks Michael Painter (Jan 16)
  - Re: Growing DoS attacks Avleen Vig (Jan 16)
- Re: Growing DoS attacks Barb Dijker (Jan 16)
  - Re: Growing DoS attacks Jared Mauch (Jan 16)
    - Re: Growing DoS attacks Vincent Gillet (Jan 17)
    - Message not available
    - Re: Growing DoS attacks Vincent Gillet (Jan 17)
    - Re: Growing DoS attacks Jared Mauch (Jan 17)
    - Re: Growing DoS attacks Joe Abley (Jan 17)
    - Re: Growing DoS attacks Vincent Gillet (Jan 17)

(Thread continues...)