[nsp-sec] TCP Attack patterns - what is "normal" these days?
jim deleskie
deleskie at gmail.com
Wed Oct 21 12:47:24 EDT 2009
I'm still seeing, i.e. acting on, more BW-based attacks, but have been
much more troubled by the state exhaustion attacks; while we are /
have been able to mitigate them, it's amazing how much damage a 6M
well-crafted attack like this has the potential to cause.
-jim
On Wed, Oct 21, 2009 at 1:39 PM, Smith, Donald <Donald.Smith at qwest.com> wrote:
> ----------- nsp-security Confidential --------
>
> Not a scientific answer, but lately I have seen more state exhaustion attacks than pipe-filling attacks.
> All state tables are finite; most are relatively small compared to the size (bandwidth) of customers' pipes.
> Logging is also getting in the way. If your firewall is busy logging all of the attempted random UDP access during a random src/dst TCP/UDP port flood, that can be the resource being exhausted :(
> And many of us saw some recent attacks that imho were designed to test response time to different styles of attacks. The July 4th attacks (kr-ddos) appeared to be designed to test response (mitigation) times and methods based on the variety of DDoS packets. Some were simple to drop (UDP to port 80) while others were full three-way legitimate HTTP requests. Much harder to block ;)
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
> ________________________________
> From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Barry Raveendran Greene [bgreene at senki.org]
> Sent: Wednesday, October 21, 2009 9:38 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] TCP Attack patterns - what is "normal" these days?
>
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> What is a normal type of attack "DOS" or TCP DOS attack pattern these days?
> After the NANOG sessions, I started to wonder which type of BCP advise we
> should be recommending. Techniques to fend off SLA impacting saturation
> attacks? Approaches to handle state saturation attacks? Or, deep dive into
> coupled state attacks (where a LB/FW waits for back end processes to finish
> - filling up the state tables).
>
> Thoughts?
>
> Barry
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
>
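A worked capacity check, added here as an example and not part of the thread, for the point above that state tables are finite and small relative to pipe bandwidth. It assumes the "6M" attack is 6 Mbit/s of minimal 64-byte-on-the-wire TCP SYNs; the pipe size, table capacity, half-open timeouts and the coupled-state backend hold time are constructed values.

```python
from typing import Optional

# Assumed: a minimal Ethernet frame carrying a TCP SYN occupies 64 bytes on the wire.
WIRE_BYTES_MIN_TCP = 64


def packets_per_second(bandwidth_bps: float, wire_bytes: int = WIRE_BYTES_MIN_TCP) -> float:
    """Minimal packets per second that a given bit rate can carry."""
    return bandwidth_bps / (wire_bytes * 8)


def steady_state_entries(new_flows_per_s: float, hold_seconds: float) -> float:
    """Entries a state table would hold once aging balances arrivals (if it never filled)."""
    return new_flows_per_s * hold_seconds


def seconds_to_exhaust(table_size: int, new_flows_per_s: float, hold_seconds: float) -> Optional[float]:
    """Seconds until the table is full, or None when aging keeps occupancy under the cap."""
    if steady_state_entries(new_flows_per_s, hold_seconds) < table_size:
        return None
    return table_size / new_flows_per_s


def scenario(name: str, attack_bps: float, pipe_bps: float, table_size: int, hold_seconds: float) -> dict:
    """Contrast pipe saturation with state exhaustion for one attack profile."""
    pps = packets_per_second(attack_bps)
    return {
        "name": name,
        "pipe_utilisation": attack_bps / pipe_bps,       # fraction of the pipe consumed
        "new_flows_per_s": pps,                          # every SYN is a new table entry
        "steady_state_entries": steady_state_entries(pps, hold_seconds),
        "seconds_to_exhaust": seconds_to_exhaust(table_size, pps, hold_seconds),
    }


if __name__ == "__main__":
    ATTACK = 6_000_000        # the "6M" attack, assumed to be 6 Mbit/s of SYNs
    PIPE = 1_000_000_000      # constructed 1 Gbit/s customer pipe
    TABLE = 100_000           # constructed firewall / load-balancer state table capacity
    for s in (
        scenario("half-open timeout 30 s", ATTACK, PIPE, TABLE, 30.0),
        scenario("half-open timeout 5 s", ATTACK, PIPE, TABLE, 5.0),
        scenario("coupled state, backend holds 60 s", ATTACK, PIPE, TABLE, 60.0),
    ):
        exhausted = s["seconds_to_exhaust"]
        verdict = f"table full in {exhausted:.1f} s" if exhausted is not None else "aging keeps up"
        print(f"{s['name']:36} pipe {s['pipe_utilisation']:.1%}  "
              f"{s['new_flows_per_s']:.0f} new flows/s  {verdict}")
```

The same 6 Mbit/s that uses under 1% of a gigabit pipe fills a 100k-entry table in under ten seconds unless half-open entries are aged out faster than they arrive, which is why the timeout, not the link size, is the number to tune.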