RE: DDoS attack.

From: Boyan Krosnov (bkrosnov@lirex.bg)
Date: 01/25/02


Date: Fri, 25 Jan 2002 23:15:01 +0200
From: "Boyan Krosnov" <bkrosnov@lirex.bg>
To: "Glenn Forbes Fleming Larratt" <glratt@rice.edu>, "Daniel F. Chief Security Engineer -" <danielf@supportteam.net>


> -----Original Message-----
> From: Glenn Forbes Fleming Larratt [mailto:glratt@rice.edu]
> Sent: Friday, January 25, 2002 9:05 PM
> To: Daniel F. Chief Security Engineer -
> Cc: incidents@securityfocus.com
> Subject: Re: DDoS attack.
>
>
> A "tcpdump -ner" will show you the MAC address or addresses
> your tcpdump
> host sees for this traffic. That address or addresses will
> either belong
> to the source host, or a core router through which it came.
>
> If it's a router, you'll need to trace back to which network on the
> other side of it, and iterate as necessary. A portable tcpdump host
> would come in handy to do so.
Other handy tools are the switched port analyser (SPAN) feature (Cisco)
or port/VLAN mirroring (other vendors) of manageable switches. If these
are not available, $20 Ethernet hubs help a lot :)
Also any graphical statistics like MRTG on routers' or manageable switches'
ports do help in tracing a DoS of more than 1500 packets/second.
About the tcpdump, if the attack comes and goes it helps to write the
first, say, 100 bytes of each packet to a file, so that you can review
later what has traversed the path you are monitoring, like tcpdump -w
<filename> -s 100 <expr>. And it is not a big problem with today's cheap
hard disks.

> If it's a Cisco router, you might look into deploying the
> per-interface
> command "ip verify unicast reverse-path" (I think - I may
> have misremembered
> the syntax), which automatically prevents spoofing beyond the scope of
> the LAN segment. Check this command out at www.cisco.com .
The syntax is correct.
The command requires CEF to be running on the interface on which you
enable it, which may not be possible with some old routers and software.
It limits the scope of spoofing to some degree, but I've seen bad people
get around it by changing the source address only inside the range of
the permitted hosts.

Regards,
Boyan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
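The tracing step described in the thread (capture with a short snap length, then read the frames back with -n -e and look at which MAC the flood arrives from) as an added worked example; this is not part of the original messages and not code from either poster. The interface name eth0, the capture file name, the victim address 192.0.2.10, the MAC addresses and the sample tcpdump lines are all constructed for the example. The functions read tcpdump's text output on stdin, so they run without root or a live interface.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `tcpdump -ne` output whether
# DoS frames come straight from a LAN host or through one upstream router.
#
# On the monitoring host (SPAN port, mirror port or hub) the capture would be
# taken and converted to text like this (interface, file and victim assumed):
#   tcpdump -ni eth0 -s 100 -w ddos.pcap 'dst host 192.0.2.10'
#   tcpdump -ne -r ddos.pcap > ddos.txt
# Everything below works on the text form, so it runs offline.

# Constructed sample of `tcpdump -ne -r ddos.pcap` output (not a real capture).
# Four different (spoofed) source IPs all carry the same source MAC, i.e. they
# entered through one upstream device; one unrelated SSH frame comes from a LAN host.
SAMPLE='23:15:01.100000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 198.51.100.7.1025 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
23:15:01.100200 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 198.51.100.8.1026 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
23:15:01.100400 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 203.0.113.9.1027 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
23:15:01.100600 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 203.0.113.10.1028 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
23:15:01.100800 00:de:ad:be:ef:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.0.2.20.40000 > 192.0.2.10.22: Flags [P.], seq 1:21, win 512, length 20'

# Frames per source MAC, most frequent first, as "count mac".
# In -e output field 2 is the source MAC and field 3 the ">" arrow.
top_src_macs() {
    awk '$3 == ">" { count[$2]++ } END { for (m in count) print count[m], m }' | sort -rn
}

# Number of distinct source IPs seen behind one source MAC.  Many IPs behind a
# single MAC means the frames came through a router (or one spoofing host),
# so the trace has to continue on the far side of that device.
src_ips_behind_mac() {
    awk -v mac="$1" '$2 == mac && $3 == ">" {
        # the second ">" on the line separates src.port from dst.port
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i == ">" && ++n == 2) { s = $(i - 1); sub(/\.[0-9]+$/, "", s); print s }
    }' | sort -u | wc -l | tr -d ' '
}

# Busiest one-second interval in frames/second, to compare against the
# ~1500 packets/second the thread mentions as where MRTG graphs start to help.
pps_peak() {
    awk '{ split($1, t, "."); n[t[1]]++ }
         END { max = 0; for (s in n) if (n[s] > max) max = n[s]; print max }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | top_src_macs
printf '%s\n' "$SAMPLE" | src_ips_behind_mac 00:11:22:33:44:55
printf '%s\n' "$SAMPLE" | pps_peak
```

Replace the SAMPLE pipeline with `tcpdump -ne -r ddos.pcap | top_src_macs` on a real capture. If the top MAC turns out to be a router's, the same filters applied to a capture taken on the far side of that router give the next hop back, which is the iteration the thread describes.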


