nanog mailing list archives

Re: distributed attack, high or not


From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 30 Jan 2002 22:14:18 -0500


In message <20020131025142.A12260 () monet titania net>, "Joseph T. Klein" writes:

I define it as random because the traffic rise could be seen
coming in from multiple providers and looked to be the same
percent from all sources (separate routers with separate
interfaces to separate ASNs in separate geographic locations).
The traffic was inbound and not backsplash from randomized
source addresses.

It looks to me like an infection with someone turning a control
knob. Is this common or a precursor of a bad thing?

It's a classic DDoS attack, aimed at you.  Someone has lots of zombie 
machines out there; at some point, they sent a command packet to all of 
them, saying "bombard such-and-such an IP address for 3600 seconds".

Common?  It happens frequently to someone.  Precursor?  Entirely 
possible, though there's no way to know for sure.  But it can be very 
bad -- see http://news.zdnet.co.uk/story/0,,t269-s2103098,00.html
for what happened to a British ISP.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com
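
Added example, not part of the original thread: one way to check per-upstream counters for the pattern described above, an inbound rise of roughly the same percentage on every separate provider link. The link names, traffic figures and thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: inbound bits/sec per upstream link as (baseline, during event).
# Link names and numbers are invented for illustration.
UNIFORM_EVENT = {
    "upstream-A": (40e6, 121e6),
    "upstream-B": (25e6, 74e6),
    "upstream-C": (60e6, 183e6),
}
# Constructed contrast case: only one link spikes (e.g. a single peer misbehaving).
SINGLE_LINK_EVENT = {
    "upstream-A": (40e6, 200e6),
    "upstream-B": (25e6, 26e6),
    "upstream-C": (60e6, 61e6),
}

def rise_ratios(samples):
    """Current/baseline ratio per link; links with no baseline are skipped."""
    return {link: cur / base for link, (base, cur) in samples.items() if base > 0}

def uniform_rise(samples, min_rise=2.0, max_spread=0.15, min_links=3):
    """Flag a rise that is both large and nearly equal on every link.

    min_rise   - every link must have grown at least this factor (assumed threshold)
    max_spread - allowed coefficient of variation across the ratios (assumed threshold)
    min_links  - a comparison across fewer links says little about distribution
    Returns (flagged, ratios, spread).
    """
    ratios = rise_ratios(samples)
    if len(ratios) < min_links:
        return False, ratios, None
    values = list(ratios.values())
    spread = pstdev(values) / mean(values)  # relative spread of the per-link ratios
    flagged = min(values) >= min_rise and spread <= max_spread
    return flagged, ratios, spread

if __name__ == "__main__":
    for name, data in (("uniform", UNIFORM_EVENT), ("single-link", SINGLE_LINK_EVENT)):
        flagged, ratios, spread = uniform_rise(data)
        print(name, "flagged" if flagged else "not flagged",
              {k: round(v, 2) for k, v in ratios.items()}, spread)
```
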


