[dns-operations] "Analyzing Large DDoS Attacks Using Multiple Data Sources"

David Ulevitch davidu at everydns.net
Wed Sep 13 07:03:52 UTC 2006

On Sep 12, 2006, at 9:40 AM, Paul Vixie wrote:

> http://www.research.att.com/~kobus/docs/ddos.lsad.pdf

It seems like they didn't see the same kind of attacks other folks  

" (ii) Packet rates are in the tens of thousands per second, maximum  
close to 1 million packets per second. (iii) Most attacks use TCP. "

PPS in the 10kpps range and mostly TCP means that they are seeing old- 
style DDoS attacks -- at least that's how I interpret it.

As for most packets not being spoofed, that's been the case for a few  
years now.  It's only when the spoofing is the attack vector (as in  
the DNS amplification attack) otherwise TCP based attacks are usually  
far more advantageous and effective , from an attackers perspective.


> (presented at sigcomm recently)
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list