[Pool] flood from 75.76.155.206

Rob Janssen rob at knoware.nl
Thu May 9 15:02:41 UTC 2013


ntppool at arpage.org wrote:
> Reflective multiplication attacks are the current vogue.  Send a small DNS query with a forged return address to a authoritative server and get a much larger reply in turn.
>
> NTP wouldn't be a good target for such an attack because the response is the same size as the query.  Could still be used in a reflective attack but it wouldn't have the multiplication effect of a reflective DNS attack.
You forget that the reply to some administrative commands is much larger than the request.
When these are allowed they can be used for amplification.

However, as seen in actual attacks the DDoS people have already passed this station.
First, they sent bare SYN packets from spoofed source addresses -> connection table overflow.
It was fixed by SYN COOKIES and other measures.
Then they used DNS amplification to generate a lot of traffic.  But this traffic is easily filtered
as it is not the traffic a server normally sees (e.g. TCP traffic to port 80 or 443)

So the method now is to set up complete connections from systems in a botnet, connections
that do not only complete at TCP level but also attempt to start application transactions.  Like
fetching a webpage, logging in to a "my xxxxxx" page, etc.
This poses more difficult challenges for the operators.  And it is very easy to find the systems
willing to act as the traffic source, given the large number of poorly administered home computers.

Rob
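The amplification Rob describes is simply reply bytes per query byte on UDP/123. The script below is an added illustration for operators, not code from this thread or from the pool project: it computes that ratio per server over a handful of constructed flow records (the addresses, byte counts and the threshold of 10 are all assumptions) and flags servers answering far more than they were asked.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# A plain NTP exchange is a 48-byte query answered by a 48-byte reply; an
# answered administrative command can return many times what it cost to send.
FLOWS = [
    ("198.51.100.7", 40001, "192.0.2.10", 123, 48),   # plain time query
    ("192.0.2.10", 123, "198.51.100.7", 40001, 48),   # plain time reply
    ("198.51.100.7", 40002, "192.0.2.20", 123, 48),   # plain time query
    ("192.0.2.20", 123, "198.51.100.7", 40002, 48),   # plain time reply
    ("203.0.113.9", 51000, "192.0.2.20", 123, 64),    # administrative request
    ("192.0.2.20", 123, "203.0.113.9", 51000, 4400),  # oversized reply (constructed)
    ("192.0.2.30", 123, "203.0.113.9", 51001, 480),   # reply with no query seen
]


def ntp_byte_totals(flows):
    """Bytes into (queries to port 123) and out of (replies from port 123) each server."""
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    for src, sport, dst, dport, size in flows:
        if dport == 123:
            in_bytes[dst] += size
        if sport == 123:
            out_bytes[src] += size
    return in_bytes, out_bytes


def amplification_ratios(flows):
    """Reply bytes per query byte for every NTP server seen in the records.

    A server that sent replies but received no query bytes is reported as
    infinite rather than dropped: from a vantage point that only sees the
    replies, that is exactly how answered spoofed-source queries look."""
    in_bytes, out_bytes = ntp_byte_totals(flows)
    ratios = {}
    for server in set(in_bytes) | set(out_bytes):
        sent = out_bytes.get(server, 0)
        recv = in_bytes.get(server, 0)
        ratios[server] = sent / recv if recv else (float("inf") if sent else 0.0)
    return ratios


def flag_amplifiers(flows, threshold=10.0):
    """Servers whose reply volume is at least `threshold` times their query volume."""
    return sorted(s for s, r in amplification_ratios(flows).items() if r >= threshold)
```

A server that shows up here is one whose administrative queries are still answered from arbitrary sources; in ntpd that is what the `noquery` flag on a `restrict default` line turns off, without affecting ordinary time service.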
