when you have fat pipes (1gbit or 10gbit uplinks) people need fat pipes
too to spoof from and take you down...

but, IIRC, that well known .EU isp that allows spoofing let people do
that only on the 100mbit network, not on the gbit network.

Therefore here comes the amplification (mostly DNS (udp 53) and chargen
(UDP 19))... reporting those amplifiers (open resolvers) is very
important ;)

On 27/11/2012 14:29, Saint K. wrote:
> That's kind of pointless in case of UDP attacks, chances are very high that 
> the IPs simply are spoofed.
>
> Saint K.
> ________________________________________
> From: hlds_linux-boun...@list.valvesoftware.com 
> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Marco Padovan 
> [e...@evcz.tk]
> Sent: 27 November 2012 14:27
> To: hlds_linux@list.valvesoftware.com
> Subject: Re: [hlds_linux] Incoming DoS attack
>
> ihih, nice :)
>
> the most important thing while being ddosed is to report to the relevant
> abuse desks so they can clean up their networks ;)
>
> On 27/11/2012 14:26, Michael Johansen wrote:
>> I am indeed. Thank you for all your help :)
>>> Date: Tue, 27 Nov 2012 14:25:24 +0100
>>> From: e...@evcz.tk
>>> To: hlds_linux@list.valvesoftware.com
>>> Subject: Re: [hlds_linux] Incoming DoS attack
>>>
>>> Hi,
>>>
>>> are you the Mike on WHT?
>>>
>>> I was the one replying in there :D
>>>
>>> On 27/11/2012 13:54, Michael Johansen wrote:
>>>> My face when, I just analyzed my own tcpdump and I had over ~150 Mbit/s 
>>>> traffic on UDP, whereas my SYN stood for about 50k pps.
>>>>> From: sai...@specialattack.net
>>>>> To: hlds_linux@list.valvesoftware.com
>>>>> Date: Tue, 27 Nov 2012 11:29:01 +0100
>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
>>>>>
>>>>> We have no control over the upstream network. All I can do is filter the 
>>>>> packets at the machine, but that wouldn't prevent the link from still 
>>>>> being overloaded.
>>>>>
>>>>> Currently a null-route is in place to stop the attack at the network 
>>>>> border.
>>>>>
>>>>> Saint K.
>>>>> ________________________________________
>>>>> From: hlds_linux-boun...@list.valvesoftware.com 
>>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael Johansen 
>>>>> [michs...@live.no]
>>>>> Sent: 27 November 2012 11:26
>>>>> To: hlds_linux@list.valvesoftware.com
>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
>>>>>
>>>>> Just took a look at the tcpdump, doesn't look like the attacks I'm 
>>>>> having. I may be stupid now, but wouldn't it work just by blocking 
>>>>> packets with the size of 50?
>>>>>
>>>>>> From: sai...@specialattack.net
>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>> Date: Tue, 27 Nov 2012 11:19:08 +0100
>>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
>>>>>>
>>>>>> The IPs in the dump originate from China, but as it's UDP it could very 
>>>>>> well be spoofed.
>>>>>>
>>>>>> Looking at the payload in the packets, each new packet only has 1 
>>>>>> character change from the previous packet.
>>>>>>
>>>>>> Bruteforce, or perhaps signature scanning evasion?
>>>>>>
>>>>>> Saint K.
>>>>>> ________________________________________
>>>>>> From: hlds_linux-boun...@list.valvesoftware.com 
>>>>>> [hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Michael 
>>>>>> Johansen [michs...@live.no]
>>>>>> Sent: 27 November 2012 11:15
>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>> Subject: Re: [hlds_linux] Incoming DoS attack
>>>>>>
>>>>>> I haven't looked at the tcpdump, but I have been getting attacks too, 
>>>>>> they're SYN floods, 300 - 400 mbps in size and always coming from 
>>>>>> local/reserved (0.x) IPs. All started some time after we set up our mvm 
>>>>>> servers.
>>>>>>> From: sai...@specialattack.net
>>>>>>> To: hlds_linux@list.valvesoftware.com
>>>>>>> Date: Tue, 27 Nov 2012 10:56:28 +0100
>>>>>>> Subject: [hlds_linux] Incoming DoS attack
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> We've been having DoS attacks aimed at one of our MvM servers.
>>>>>>>
>>>>>>> Anyone have any idea what they're attempting to do here? Is it just to 
>>>>>>> make the server unreachable, or are they actually trying to exploit 
>>>>>>> srcds somehow?
>>>>>>>
>>>>>>> Here's a tcpdump made for about 30 seconds during the attack (which is 
>>>>>>> still ongoing);
>>>>>>>
>>>>>>> http://www.specialattack.net/downloads/dump.rar
>>>>>>>
>>>>>>> Saint K.
>>>>>>> _______________________________________________
>>>>>>> To unsubscribe, edit your list preferences, or view the list archives, 
>>>>>>> please visit:
>>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux

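Added example, not part of the original thread: one way to pull candidate amplifiers (UDP source port 53 or 19, as named in the top reply) out of a capture so they can be sent to the relevant abuse desks. It assumes text output in the style of `tcpdump -nn -q`; the function names, the victim address and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# UDP source ports the thread names as amplification vectors.
AMPLIFIER_PORTS = {53: "dns", 19: "chargen"}

# "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed sample capture using documentation address ranges only.
SAMPLE = """\
14:25:01.000100 IP 192.0.2.10.53 > 203.0.113.5.27015: UDP, length 1400
14:25:01.000200 IP 192.0.2.10.53 > 203.0.113.5.27015: UDP, length 1380
14:25:01.000300 IP 198.51.100.7.19 > 203.0.113.5.27015: UDP, length 1024
14:25:01.000400 IP 198.51.100.99.40211 > 203.0.113.5.27015: UDP, length 50
14:25:01.000500 IP 192.0.2.44.53 > 203.0.113.5.27015: UDP, length 1450
14:25:01.000600 IP 203.0.113.5.27015 > 198.51.100.99.40211: UDP, length 120
truncated line without the expected fields
"""

def find_amplifiers(capture, victim):
    """Tally inbound UDP traffic to `victim` whose source port is 53 or 19."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != victim:
            continue  # unparseable line or outbound traffic
        service = AMPLIFIER_PORTS.get(int(m["sport"]))
        if service is None:
            continue  # other UDP: source may be spoofed, not worth reporting
        entry = stats[(m["src"], service)]
        entry["packets"] += 1
        entry["bytes"] += int(m["len"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(stats)

def abuse_report(stats):
    """One line per amplifier, largest byte count first, with timestamps."""
    rows = sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [
        f"{ip} {svc} packets={s['packets']} bytes={s['bytes']} "
        f"first={s['first']} last={s['last']}"
        for (ip, svc), s in rows
    ]
```

Abuse desks generally want timestamps with a time zone and the destination address alongside each line, so add those from the capture host when sending the report.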