Re: first widely published relay as a dos issue
On Sat, 12 Jul 2003 05:30:26 -0700, "Christian Huitema" <huitema@windows.microsoft.com> said:
> How is that a "published relay DoS issue"? It seems that all these
> packets had the same source and destination addresses, and that the
> address could be traced. A plausible explanation is a bug in some
> brand new software, without malicious intent; it is not necessarily
> a DoS attack.

I can't rule that out but it doesn't seem plausible to me. It looked
like a typical UDP flood with random source and destination addresses.
BTW, there were two other such incidents on Tuesday and Thursday with
traffic rates up to 70-80Mbps (most of it was dropped by our relay).
Apparently, most traffic came from the same IPv4 address, but there
were also a few large flows from other sources, so it might have even
been a DDoS (in which case some of the other anycast relays could have
been hit as well). Unfortunately we don't know what the destinations
were in those cases (we only have information on the IPv4 flows
towards 192.88.99.1), so we can't make any statement about that.

> It is also not specifically a relay attack. If those
> two addresses were both native addresses, then we would have the
> same attack against every IPv6 router on the path, it would just not
> use the relay.

I'm fairly sure that the relay was not the intended victim. The black
hats might not have realized yet that there are still lots of
bottlenecks in the 6bone.
--
Alex
SWITCH-NOC