Upsurge in attacks?

Has anyone else noticed an upsurge in unsophisticated [packet flood, etc]
attacks since college kids have to their own devices in dorms again this
year?

Deepak Jain
AiNET

I've just noticed the normal upsurge in traffic from the returning
students. Universities complaining they don't have enough b/w when they
are trying to force 8MB worth of traffic down a couple of T-1s. No major
attacks that I have seen on my network so far. But then again, this is
only the first day of classes for students in my state (MN) - let's see
what the rest of the week brings when all the students get their computers
on the LANs.

I'm just waiting for all the kids to find the latest and greatest
bandwidth-chewing-let's-get-my-warez-pr0n-server tools.

-Eric

That should read ...

...college kids have been left to their own devices...

Cell phones and email don't mix.

Deepak Jain
AiNET

Has anyone else noticed an upsurge in unsophisticated [packet flood, etc]
attacks since college kids have to their own devices in dorms again this
year?

The IP-spoofing scan floods have been unreal... from my own customers.
ntop helps detect them... but it's tough when they are behind
NAT firewalls. (see: www.ntop.org)

have you considered RFC 2827?

- Paul

I wanted to reroute forged traffic through an RFC2549 network. Budget
considerations kept us from training a sufficient number of "network"
handlers, though.

DJ

Oh yea. I've noticed a certain "Regional" get absolutely shredded
several times in the past week or so. Supposedly something along the
lines of 400Kpps on each border, all destined for some unnamed, allegedly
now terminated customer of theirs.

I can't speak to the sophistication, but our DoS count has had a strong
upswing. Much to my dismay while on call.

Next law for Colorado to pass: "Make My Network". If they're on your net,
and presenting a threat, you can shoot them in self-defense?

What? You mean it's not legal now? Wow. I'm in BIG trouble! <g>

It may be, where you are. Check local listings for details. :)

(Having flashbacks to the "Guns in the NOC" and "Target range at Oakland
NANOG" threads...)

Deepak Jain wrote:

Has anyone else noticed an upsurge in unsophisticated [packet flood, etc]
attacks since college kids have to their own devices in dorms again this
year?

Well... depends on the kind of attack. I'm actually seeing fewer large
packet ICMP attacks than I was a couple of months ago. I'm guessing this
is because more zombied machines have been cleared out. There are the
normal number of scans that one might expect (bored freshmen with
ethernet connections to the fattest network they've ever seen, what would
you do?) but, surprisingly enough, the number of naive DoS attacks seems
to be on the decline around me. I need to look at the security logs a
little closer but I think I'm correct. I wrote our security stuff but
I've not looked at it in almost a month now.

Note: We only really start to give a damn when attacks start to suck up
more than 20Mbps on its own. Anything less than that is either not worth
the hassle or gets lost in the noise. Our position as a GigaPOP
eliminates a few potential areas of concern.

That's nice to know. So, if we see a <20Mb/s attack from psc.edu, to get
your attention and make sure you give a damn about the initial problem, we
should counter-attack with 50-60Mb/s or so? Is that the official stance
of psc.edu?

I hope he was talking about attacks on him (inbound to him) rather than
attacks originating on his network. However, if you ignore a 20Mbps attack,
you may wind up launching your own 20Mbps attack unwittingly.

  For example, if someone sends you spoofed TCP SYN packets, you may respond
with an equal number of ICMP unreachable packets, flooding an innocent
victim. So you generally cannot ignore 'small' floods, even if they're not
harming you. At least, that is, if you care about who you hurt.

  DS
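An added example (not from the thread) of the RFC 2827 ingress check Paul refers to, run over constructed flow records: the interface names, prefixes and addresses are made up, and the check flags packets whose source lies outside the prefixes assigned to the customer port they arrived on. The spoofed packets it counts are also the ones that, as DS notes, would otherwise draw replies from the target toward whoever's address was forged.

```python
# Added example, not from the thread: an RFC 2827 / BCP 38 style ingress
# check applied to constructed flow records, to show how spoofed-source
# floods leaving a customer port can be spotted (or dropped) at the edge.
import ipaddress
from collections import Counter

# Constructed: prefixes legitimately assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("198.51.100.128/26")],
}

# Constructed flow records: (ingress interface, src, dst, proto, packets).
# The forged sources (10.4.4.4, 203.0.113.200, 198.51.100.200) are the
# third parties that would receive any replies the destination sends back.
FLOWS = [
    ("ge-0/0/1", "192.0.2.17",     "203.0.113.5",  "tcp",  120),
    ("ge-0/0/1", "10.4.4.4",       "203.0.113.5",  "tcp",  9000),  # spoofed
    ("ge-0/0/1", "203.0.113.200",  "203.0.113.5",  "icmp", 4000),  # spoofed
    ("ge-0/0/2", "198.51.100.9",   "203.0.113.77", "udp",  300),
    ("ge-0/0/2", "198.51.100.200", "203.0.113.77", "tcp",  2500),  # spoofed
]


def source_is_valid(ifname, src):
    """RFC 2827 check: the source address must fall inside a prefix assigned
    to the interface the packet arrived on. Unknown interfaces pass nothing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(ifname, []))


def classify_flows(flows):
    """Return the flows that fail the ingress check and, per interface, the
    number of spoofed packets they carry (a rough measure of the flood)."""
    spoofed = [f for f in flows if not source_is_valid(f[0], f[1])]
    per_interface = Counter()
    for ifname, _src, _dst, _proto, packets in spoofed:
        per_interface[ifname] += packets
    return spoofed, dict(per_interface)


if __name__ == "__main__":
    bad, counts = classify_flows(FLOWS)
    for flow in bad:
        print("DROP", flow)
    print("spoofed packets per customer interface:", counts)
```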

Well... depends on the kind of attack. I'm actually seeing fewer large
packet ICMP attacks than I was a couple of months ago. I'm guessing this
is because more zombied machines have been cleared out. There are the
normal number of scans that one might expect (bored freshmen with
ethernet connections to the fattest network they've ever seen, what would
you do?) but, surprisingly enough, the number of naive DoS attacks seems
to be on the decline around me. I need to look at the security logs a
little closer but I think I'm correct. I wrote our security stuff but
I've not looked at it in almost a month now.

  Can you clarify that last bit some? You've not looked at the code?
Filters? As far as freshmen with 'phat pipe', in this day and age, I expect
a little restraint and common sense, but we _are_, generally speaking,
talking about American college students. Neither of which seem to be in
great supply.

t