On Saturday, 09.06.2012, 19:17 +0300, Kostas Zorbadelos wrote:

> What do you mean identify and filter based on TTL? In our case the
> attacker used a specific query for a single domain.

I mean the TTL field from the IP header of these packets. While the attacker's packets spoof the sender address, they might not spoof the TTL, and, probably being more hops away from your servers than your clients, their packets should have lower TTL values. A network traffic dump could show quickly whether this approach could possibly work.

Cheers,
Rudi

PS: Obviously a skilled attacker can also crank up TTL values to compensate for their longer route, but "fixed pattern" indicates to me that you deal with a script kiddie here.
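The heuristic Rudi describes, worked through as an added example that is not part of the thread: build a per-source TTL baseline from a quiet period of normal resolver traffic, then flag packets whose IP-header TTL deviates from what that source address normally shows, and summarise which query names dominate the flagged set. The packet records, addresses, query names and TTL values below are constructed for illustration; the tolerance of 2 hops and the table of common initial TTLs (32, 64, 128, 255) are assumptions, not values from the thread.

```python
from collections import defaultdict, Counter
from typing import Dict, List, Tuple

# Constructed sample capture as (source IP, IP-header TTL, queried name).
# BASELINE_PACKETS stands in for traffic from a quiet period; FLOOD_PACKETS
# mixes genuine queries with spoofed ones that reuse client addresses but
# carry the TTL of a more distant origin, all for one query name.
BASELINE_PACKETS = [
    ("192.0.2.10", 61, "example.org."),
    ("192.0.2.10", 61, "example.org."),
    ("192.0.2.10", 60, "mail.example.org."),
    ("198.51.100.7", 57, "example.net."),
    ("198.51.100.7", 57, "www.example.net."),
    ("203.0.113.4", 118, "example.com."),
]

FLOOD_PACKETS = [
    ("192.0.2.10", 61, "example.org."),       # genuine: TTL matches baseline
    ("192.0.2.10", 44, "target.example."),     # spoofed: TTL far from baseline
    ("198.51.100.7", 45, "target.example."),   # spoofed
    ("203.0.113.4", 118, "example.com."),      # genuine
    ("203.0.113.4", 44, "target.example."),    # spoofed
    ("198.51.100.7", 57, "example.net."),      # genuine
]

# Assumed set of common initial TTLs used to estimate path length.
INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(ttl: int) -> int:
    """Estimated hop count, assuming the sender started at the nearest
    common initial TTL at or above the observed value."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return 0  # a TTL above 255 cannot occur in a real IP header


def build_baseline(packets) -> Dict[str, int]:
    """Most frequently observed TTL per source address in known-good traffic."""
    seen = defaultdict(Counter)
    for src, ttl, _ in packets:
        seen[src][ttl] += 1
    return {src: counts.most_common(1)[0][0] for src, counts in seen.items()}


def flag_spoofed(packets, baseline: Dict[str, int],
                 tolerance: int = 2) -> List[Tuple[str, int, str, int]]:
    """Return (src, ttl, qname, expected_ttl) for packets whose TTL deviates
    from the source's baseline by more than `tolerance` hops. Sources with no
    baseline are skipped: this heuristic cannot judge them."""
    flagged = []
    for src, ttl, qname in packets:
        expected = baseline.get(src)
        if expected is None:
            continue
        if abs(ttl - expected) > tolerance:
            flagged.append((src, ttl, qname, expected))
    return flagged


def suspicious_qnames(flagged, min_count: int = 2) -> List[str]:
    """Query names that recur in the flagged set; candidates for
    response-rate limiting or a temporary refusal rule."""
    counts = Counter(qname for _, _, qname, _ in flagged)
    return [qname for qname, n in counts.most_common() if n >= min_count]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_PACKETS)
    flagged = flag_spoofed(FLOOD_PACKETS, baseline)
    for src, ttl, qname, expected in flagged:
        print(f"{src} ttl={ttl} (baseline {expected}, ~{estimate_hops(ttl)} hops) "
              f"qname={qname}")
    print("names to rate-limit:", suspicious_qnames(flagged))
```

The per-source baseline is what makes the check usable in practice: a single global TTL threshold would misclassify distant legitimate clients, whereas comparing each packet against the TTL its claimed source normally shows only fires when the address is being reused from a different network path. As the PS notes, an attacker who adjusts the initial TTL per spoofed address defeats this, so treat it as a quick triage signal on a capture rather than a standing filter.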