Packet Flood DOS attack 6/8/2000
- To: outages-list@eskimo.com
- Subject: Packet Flood DOS attack 6/8/2000
- From: Robert Dinse <nanook@eskimo.com>
- Date: Thu, 8 Jun 2000 14:28:23 -0700 (PDT)
- Resent-Date: Thu, 8 Jun 2000 16:00:35 -0700
- Resent-From: outages-list@eskimo.com
- Resent-Message-ID: <"BLmNu1.0.ff7.EM2Gv"@mx1>
- Resent-Sender: outages-list-request@eskimo.com
At approximately 2:10 PM PST, we were hit with a UDP packet flood attack
that pretty much saturated our links. We have upstream filtering that would
protect us from this attack if it were not for bugs in Cisco's IOS. Cisco
routers are used by our backbone provider (Sprint for the hosts here).

There is a packet fragment reassembly bug that allows attackers to
construct packets in such a way as to make them look like TCP packets to Cisco
but UDP packets to the site that is attacked. Consequently, access lists which
block UDP to prevent this type of attack are ineffective.

The attack only lasted about ten minutes but effectively isolated our
network hosts from the network during the interval.

We are working with Sprint to find a more robust solution to this problem.