Eskimo North



          Network Outage


          • To: earthcng@eskimo.com, rrohan@eskimo.com, outages-list@eskimo.com
          • Subject: Network Outage
          • From: Robert Dinse <nanook@eskimo.com>
          • Date: Wed, 22 Dec 1999 08:03:11 -0800 (PST)
          • Resent-Date: Wed, 22 Dec 1999 09:01:29 -0800
          • Resent-From: outages-list@eskimo.com
          • Resent-Message-ID: <"lC93r1.0.NW4.dFGOu"@mx1>
          • Resent-Sender: outages-list-request@eskimo.com

          
               The web server isn't and hasn't been down this morning.  What we are
          experiencing is a packet flood denial of service attack.  Basically, someone
          is flooding an IP address belonging to one of our customers with a large number
          of packets that completely clog the links to the Internet.
          
               This is not normal traffic, web or otherwise; they are packets that, to
          our router, look like UDP packets with a length of 1500 bytes; but they are
          doing something tricky to the packet that evades the filtering mechanism in the
          Cisco routers at Sprint so that filters they try to block with are not working.
          
               For the present, they've put a null route in for the host that is being
          targeted that effectively tells the world there is no route to that host; but
          obviously that's not a good solution since it leaves that host isolated from
          the net.
          
               They are involving other engineers to try to figure out how these packets
          are getting past filters.  This work will necessarily involve pulling out the
          null route intermittently with some intermittent loss of network connectivity
          resulting.
          
               There really isn't any other way to address this problem; they and we need
          to understand exactly how the hackers are getting past the Cisco filters so
          that can be corrected.
          
          
          
          
