[nsp-sec] TCP Attack patterns - what is "normal" these days?
Rob Thomas
robt at cymru.com
Wed Oct 21 13:50:49 EDT 2009
Hey, Barry.
> What is a normal type of attack "DOS" or TCP DOS attack pattern these days?
> After the NANOG sessions, I started to wonder which type of BCP advice we
> should be recommending. Techniques to fend off SLA impacting saturation
> attacks? Approaches to handle state saturation attacks? Or, deep dive into
> coupled state attacks (where a LB/FW waits for back end processes to finish
> - filling up the state tables).
I think "normal" has a lot to do with the networks one manages and the
devices resident in them. We see a wide variety in attacks based on
both the attacker and the targets.
Bandwidth saturation attacks still occur, though most of those from our
view use TCP SYN or ACK packets.
The online criminals know that state saturation attacks can be more
effective using fewer bots, and such attacks work even against targets
on large, fat pipes. That said, many of the online criminals who
provide DDoS-for-hire services have no clue why their attacks work.
They'll throw the kitchen sink at the target (or supporting
infrastructure such as routers and name servers) until the target dies.
Now for some data! This is a partial look at our view of DDoS attacks,
uniq'd by target. I picked a handful of attack categories.
                   2009-08    2009-09    2009-10
TCP SYN attacks:      2185        301        209
UDP attacks:           625        471        374
ICMP attacks:           21         16         14
HTTP GET attacks:        7          1         14
I didn't check for other state saturation attacks.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
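As an added illustration (not part of the original thread or of Team Cymru's tooling), here is a small Python script that reproduces the kind of per-month tally Rob posts: it sorts flow records into the same attack categories (TCP SYN, TCP ACK, UDP, ICMP, HTTP GET), applies a packets-per-second threshold so that ordinary traffic is ignored, and counts each target once per category and month ("uniq'd by target"). The flow records, the field layout and the 10000 pps threshold are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flow summaries (not real data).
# Fields: month, IP protocol, TCP flags, layer-7 tag, target address, peak pps.
FLOWS = [
    ("2009-08", "tcp",  "S",  "",         "192.0.2.10", 50000),
    ("2009-08", "tcp",  "S",  "",         "192.0.2.10", 70000),  # same target, same category
    ("2009-08", "tcp",  "A",  "",         "192.0.2.10", 90000),  # same target, ACK flood
    ("2009-08", "tcp",  "A",  "",         "192.0.2.11", 90000),
    ("2009-08", "udp",  "",   "",         "192.0.2.12", 120000),
    ("2009-08", "icmp", "",   "",         "192.0.2.13", 30000),
    ("2009-08", "tcp",  "PA", "http-get", "192.0.2.14", 40000),
    ("2009-09", "tcp",  "S",  "",         "192.0.2.10", 800),    # below threshold: normal traffic
    ("2009-09", "udp",  "",   "",         "192.0.2.15", 60000),
    ("2009-09", "tcp",  "S",  "",         "192.0.2.16", 20000),
    ("2009-09", "tcp",  "S",  "",         "192.0.2.16", 25000),
]

def classify(proto, flags, l7):
    """Map one flow to the attack category used in the monthly tally."""
    if proto == "tcp":
        if l7 == "http-get":
            return "HTTP GET"      # layer-7 (state/back-end) attack
        if flags == "S":
            return "TCP SYN"       # bare SYNs: state-table saturation
        if "A" in flags:
            return "TCP ACK"       # ACK flood: bandwidth saturation
        return "TCP other"
    return {"udp": "UDP", "icmp": "ICMP"}.get(proto, "other")

def count_attacks(flows, pps_threshold=10000):
    """Return {(month, category): number of distinct targets} for flows at or above threshold."""
    targets = defaultdict(set)
    for month, proto, flags, l7, target, pps in flows:
        if pps < pps_threshold:
            continue               # assumed cut-off separating attack traffic from normal load
        targets[(month, classify(proto, flags, l7))].add(target)
    return {key: len(hosts) for key, hosts in sorted(targets.items())}

def report(counts):
    """Render the tally in the same "month / category: N" layout as the post."""
    lines, current = [], None
    for (month, category), n in counts.items():
        if month != current:
            lines.append(month)
            current = month
        lines.append(f"  {category} attacks: {n}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(count_attacks(FLOWS)))
```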