[Techtalk] Weird http leeches

Raven, corporate courtesan raven at oneeyedcrow.net
Mon May 13 15:02:19 EST 2002


Heya --

Quoth Dave North (Mon, May 13, 2002 at 10:01:32AM -0700):
> That was exactly it. And at least I have the tiny gratification of knowing
> that (a) I mostly figured it out and (b) am doing the right thing by
> dropping the packets. Thank you very much for that.
> 	I hope that (c) he's not right that little can be done to locate
> these punks.

	With the current infrastructure of the Internet, it's pretty
difficult.  It can be done if you have a cooperative ISP, and is easier
if the blackhats are none too bright.  If they're doing this from their
own machines, ISPs should (in theory) be able to trace backwards to
those machines.  MPLS (Multi-Protocol Label Switching), deployed on many
backbones, makes this a lot harder, though.  Traditional methods of
tracing no longer work; in my Copious Spare Time I'm going to try to
whammy up some Perl to address this problem.  But AFAIK nobody has
solved it yet, this way.

	A little off topic, but -- there are ISPs who trace spoofed
packets through things like NetFlow and route advertisements rather than
the direct packet stream.  Spoofing really screws this up, since the
packet's not coming from where the route says it is.  So this sort of
trace won't work on a spoofed attack, and I'm ignoring it.  For a
non-spoofed DDoS flood, though, it works well.

	For a good technical exposition of the problem, you might also
want to read:

http://www.icir.org/vern/papers/reflectors.CCR.01/index.html
 
> At the very least, I suppose, I'd suggest anyone running a server keep an
> eye out for persistent small numbers of SYN_RECV traffic (if you're
> running bsd, it's slightly different ... but I suppose all such would be
> on bsdchix, right?)

	Not all of us.  [grin]  I'm on both.

> and block those IPs (they're unlikely to actually want access to your
> machine, so it's a "mercy killing," even though the listed address is
> not your tormentor -- you are its tormentor!)

	Individual sysadmins can block the flood from their machines,
but it would be far easier to kill the problem at its source.  This sort
of thing is what a lot of my DDoS work is about.  Another good source of
information if you're interested in DDoS analysis is Dave Dittrich's
work.  Read it at:

http://staff.washington.edu/dittrich/misc/ddos/

Cheers,
Raven
 
"You found the Amulet of Yendor!"
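One way to do the SYN_RECV watch Dave describes, as an added example that is not from this thread: it parses `netstat -tn` snapshots (constructed sample output below, with documentation-range addresses), counts half-open connections per foreign address, and reports peers that keep showing up across consecutive snapshots. The thresholds are assumptions; as the thread notes, a flagged address may be a spoofed victim rather than the attacker.

```python
import re
from collections import Counter

# Constructed `netstat -tn` snapshots (Linux format); not real traffic.
SNAPSHOT_1 = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:40012       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40013       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40014       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:51200     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:51201     SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.99:33001     ESTABLISHED
"""
SNAPSHOT_2 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:40021       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40022       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:51300     ESTABLISHED
"""

# proto recv-q send-q local foreign state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def syn_recv_by_peer(netstat_text):
    """Count half-open (SYN_RECV) connections per foreign IP in one snapshot."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # header or non-TCP line
        _local, foreign, state = m.groups()
        if state != "SYN_RECV":
            continue
        ip = foreign.rsplit(":", 1)[0]   # strip the port; works for IPv6 too
        counts[ip] += 1
    return counts

def suspects(netstat_text, threshold=3):
    """Peers holding at least `threshold` half-open connections right now."""
    return sorted(ip for ip, n in syn_recv_by_peer(netstat_text).items() if n >= threshold)

def persistent_peers(snapshots, min_hits=1):
    """Peers with at least `min_hits` SYN_RECV entries in every snapshot taken.

    Small but persistent counts are the pattern the thread talks about; the
    address reported here is the listed (possibly spoofed) source, not
    necessarily the party sending the SYNs.
    """
    seen = None
    for snap in snapshots:
        peers = {ip for ip, n in syn_recv_by_peer(snap).items() if n >= min_hits}
        seen = peers if seen is None else seen & peers
    return sorted(seen or [])
```

Feed it real output with `netstat -tn` piped into a file, or swap in `ss -tn` after adjusting the regex, since the column layout differs.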
