Re: [opennic-dns-operations] lot of traffic to isc.org

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: Re: [opennic-dns-operations] lot of traffic to isc.org
  • Date: Thu, 22 Nov 2012 16:59:50 -0700

The original attacks did not bother using standard network procedures.  What they did was inject a packet directly out to the internet.  While this method is faster, it also means that it could be easily identified.  A normal data packet sent to the internet will be sent from a random port number on the host server.  These injected packets always used the same port number - every packet was identical, and that could be detected.  ddos.pl did not care what the port number was, it simply detected streams of packets that matched.

The most recent round of attacks has started using proper network procedures, coming from random port numbers on the source end.  Since ddos.pl is looking for large numbers of packets on the same port, it ignores these.

Keep in mind that ddos.pl is still a useful tool... On my server, it has blocked 5 different IP addresses in the past hour.  Since there are multiple forms of attack, we use multiple tools to mitigate the damage caused.  As 'they' attack us in new ways, we will continue to develop new tools to prevent their abuse.


On 11/22/2012 01:35 PM, Psilo wrote:

Can you please explain what has changed in the attack that makes ddos.pl useless? Is it a problem with the source port changing?

Cheers,
Psilo

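The heuristic Jeff describes, and its blind spot, modelled as an added Python illustration (this is not ddos.pl itself, whose source is not on this page): packets are counted per (source IP, source port) tuple, which catches the identical-port injected flood but not one that randomizes its source port, while a plain per-source-IP count catches both. The sample packet list and the threshold are constructed for the example.

```python
"""Added example: the per-source-port flood heuristic described in the thread.

This is NOT ddos.pl; it models the behaviour Jeff describes. Count packets per
(source IP, source port) and flag any tuple over a threshold, then show how a
per-source-IP count sees the flood that randomizes its source port.
"""
from collections import Counter

# Constructed sample "log" of inbound packets as (src_ip, src_port) tuples.
# Addresses are from the RFC 5737 documentation ranges.
FIXED_PORT_FLOOD = [("203.0.113.7", 40000)] * 120  # injected, always the same port
# 7919 is coprime to 60000, so every one of the 120 ports below is distinct.
RANDOM_PORT_FLOOD = [("198.51.100.9", 1024 + (i * 7919) % 60000) for i in range(120)]
LEGIT = [("192.0.2.5", 50000 + i) for i in range(5)]  # a normal resolver, few queries
PACKETS = FIXED_PORT_FLOOD + RANDOM_PORT_FLOOD + LEGIT

THRESHOLD = 100  # constructed: packets per window before a source is flagged


def flag_by_port(packets, threshold=THRESHOLD):
    """ddos.pl-style check: many packets from one (ip, port) tuple."""
    counts = Counter(packets)
    return sorted({ip for (ip, _port), n in counts.items() if n >= threshold})


def flag_by_ip(packets, threshold=THRESHOLD):
    """Per-source-IP count: ignores the port, so a randomized port does not help."""
    counts = Counter(ip for ip, _port in packets)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("per-port heuristic flags:", flag_by_port(PACKETS))  # only 203.0.113.7
    print("per-IP heuristic flags:  ", flag_by_ip(PACKETS))    # both flood sources
```

The per-IP count trades the blind spot for a new false-positive risk: a busy legitimate resolver or a NAT gateway fronting many clients can cross the same threshold, so a production version needs a whitelist or a higher per-IP limit.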
Archive powered by MHonArc 2.6.19.