I would have thought that the DDoS that you've described is relatively
easy to block, so more sophisticated ones will spray an entire subnet,
with the source coming from random IP addresses, and with random src/dst
ports.  Unless things have changed in the last couple of years, there
isn't much that can be done about that.

You could try looking for source ports coming from impossible locations,
like 192.168.x.y, or for an increase in "other" traffic
disproportionately higher than the increase in known traffic.
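
The two heuristics above (flows whose source address lies in a range that cannot legitimately arrive on an Internet-facing DS-3, and "other" traffic growing out of proportion to known traffic) can be scripted against exported flow records. The example below is added here and is not code from any of the posters or from the flow-tools project; it assumes a simple whitespace-separated layout (srcIP srcPort dstIP dstPort proto packets octets) similar to a trimmed flow-print report, and the set of "known" service ports is an assumption that would be tuned to the site's own traffic mix. The flow lines are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not real data), one flow per line:
# srcIP srcPort dstIP dstPort proto packets octets
BASELINE = """\
203.0.113.10 51234 198.51.100.5 80 6 12 9000
203.0.113.11 51235 198.51.100.5 443 6 20 15000
203.0.113.12 51236 198.51.100.9 25 6 5 1200
203.0.113.13 51237 198.51.100.5 80 6 8 4000
203.0.113.14 40000 198.51.100.7 6881 6 3 300
"""

CURRENT = """\
203.0.113.10 51234 198.51.100.5 80 6 12 9000
203.0.113.11 51235 198.51.100.5 443 6 20 15000
192.168.4.7 1025 198.51.100.20 3391 17 1 60
10.9.8.7 60001 198.51.100.21 5060 17 1 60
172.16.5.5 2222 198.51.100.22 45000 6 1 40
203.0.113.99 33000 198.51.100.23 51000 17 1 60
203.0.113.98 33001 198.51.100.24 52000 17 1 60
203.0.113.97 33002 198.51.100.25 53000 17 1 60
"""

# Assumed set of "known" service ports for this site; tune to local traffic.
KNOWN_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}

# Source ranges that should never arrive from the Internet side of the link.
IMPOSSIBLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4",         # loopback, "this" net, multicast
)]


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, octets = line.split()
        flows.append({
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": int(proto), "pkts": int(pkts), "octets": int(octets),
        })
    return flows


def impossible_source_flows(flows):
    """Flows whose source address falls in a range that cannot be a real peer."""
    return [f for f in flows
            if any(f["src"] in net for net in IMPOSSIBLE_SOURCES)]


def classify(flows):
    """Count flows as 'known' (either port is a known service) or 'other'."""
    counts = Counter()
    for f in flows:
        is_known = f["dport"] in KNOWN_PORTS or f["sport"] in KNOWN_PORTS
        counts["known" if is_known else "other"] += 1
    return counts


def other_growth(baseline, current):
    """Growth factor (current/baseline) of known and other flow counts.

    A large 'other' factor next to a flat 'known' factor is the
    disproportionate growth the heuristic looks for."""
    b, c = classify(baseline), classify(current)
    known = c["known"] / max(b["known"], 1)
    other = c["other"] / max(b["other"], 1)
    return known, other


if __name__ == "__main__":
    base, cur = parse_flows(BASELINE), parse_flows(CURRENT)
    for f in impossible_source_flows(cur):
        print("impossible source:", f["src"], "->", f["dst"], "dport", f["dport"])
    k, o = other_growth(base, cur)
    print(f"known traffic growth x{k:.2f}, other traffic growth x{o:.2f}")
```

Run against a real export, both checks would be applied to a short window of the 7206's flows compared with a window from before the jump; the impossible-source list only catches the crude cases, so the growth ratio is the more general of the two signals.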

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert S.
Galloway
Sent: Friday, 20 May 2005 6:28 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Flow-tools] Strange Router Export Issue

DDOS was our first thought, but there are a couple of problems with that.
Normally a DDOS (at least the ones we've seen) has a specific target;
this does not. Also, it usually uses one type of traffic/packet/etc. This is
spread out like normal traffic, just a whole lot more of it.

Thanks,

Robert S. Galloway
Chief Network Security Engineer
IKANO Communications
Network Operations Department
...the team behind the machines
Securityguy_AT_ikano.com
801-415-8089

"You have enemies? Good. That means you've stood up for something,
some time in your life." -- Winston Churchill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 11:54 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Flow-tools] Strange Router Export Issue

>
>I've got a strange issue that is just perplexing me. Basically
>here's my setup:
>
>I've got two 7513's and one 7206. Each has one internet DS-3. The
>7513's also support other customer connections, but the 7206 is just
>the DS-3.
>
>Starting a couple of days ago, the 7206 started sending HUGE numbers
>(10x normal) of flows to my flow-collector. I've dug into the raw
>flow files and I just don't see anything strange. All three routers
>carry about the same traffic load according to bandwidth, but the
>flows are out of the ball park for the 7206. It's almost like the
>router is counting traffic multiple times, but the config didn't
>change when this started.
>
>
>Anyone have any ideas on where I should look?
>

This sounds like a ddos attack to me. I've been hit with a ddos
before on my internet router which happens to be a 7206VXR with a
full DS3 attached to it. It added about 20% onto the router's CPU
utilization and drove up the number of flows by at least 10x. The
additional flows caused my flow-capture/flowscan system to fall
behind to the point that I had to kill flow-capture until the ddos
was over.

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools