[AusNOG] DDoS Attacks - Painful and Persistent.
Craig Meyers
Craig.Meyers at citec.com.au
Mon Aug 10 17:51:29 EST 2009

The 8k packets didn't make it unscathed - all the packets were segmented
to 1500 max. Hence why there weren't port details on all lines.

That's the university I was thinking of.

And my statement:

> Generally these are more hardened against being used as
> botnets vs domestic ISPs.

Oops, meant to say 'domestic clients of ISPs' i.e. home PCs etc..., my
apologies to the list :)

-- Craig Meyers

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Roland Dobbins
Sent: Monday, 10 August 2009 5:40 PM
To: ausnog at ausnog.net
Subject: Re: [AusNOG] DDoS Attacks - Painful and Persistent.

On Aug 10, 2009, at 2:15 PM, Craig Meyers wrote:

> Legitimate traffic with this profile that comes to mind is NFS.

Could be, but I'm surprised at 8K packets making it very far across
multiple carriers.

> I've done a whois on some of the source IPs, and I get hosting
> companies (not ISPs). Generally these are more hardened against
> being used as botnets vs domestic ISPs.

In my experience, it's hit or miss. Some implement the BCPs, most
don't.

It's also possible the packets are spoofed - multi-provider traceback
plus packet payload would help determine whether or not this is the
case.

> With 100,000+ devices in circulation, this caused a massive DDOS on
> their infrastructure. Forgive me, I can't recall university name.

<http://pages.cs.wisc.edu/~plonka/netgear-sntp/>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton