nanog mailing list archives
Re: distributed attack, high or not
From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 30 Jan 2002 22:14:18 -0500
In message <20020131025142.A12260 () monet titania net>, "Joseph T. Klein" writes:
I define it as random because the traffic rise could be seen coming in from multiple providers and looked to be the same percent from all sources (separate routers with separate interfaces to separate ASNs in separate geographic locations). The traffic was inbound and not backsplash from randomized source addresses. It looks to me like an infection with someone turning a control knob. Is this common or a precursor of a bad thing?
It's a classic DDoS attack, aimed at you. Someone has lots of zombie machines out there; at some point, they sent a command packet to all of them, saying "bombard such-and-such an IP address for 3600 seconds". Common? It happens frequently to someone. Precursor? Entirely possible, though there's no way to know for sure. But it can be very bad -- see http://news.zdnet.co.uk/story/0,,t269-s2103098,00.html for what happened to a British ISP.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com