DDoS attacks

Brad brad at americanisp.net
Thu Jul 12 08:22:05 UTC 2001


> > >Your initial email asked for AboveNet contact. Did you get some assistance
> > >and if so what was the resolution? This is very important for us to know
> > >so we can kind of keep track of cooperative ISPs and the ones that just
> > >ignore these problems.
> > And then what?  Suppose you had a list of non-cooperative ISPs?  What
> > then?  Experience has shown that the ISPs that don't care, won't care no
> > matter what you say or do (those who follow FIRST know I have a lot to say
> > on this matter, but have been holding back to give those non-cooperative
> > ISPs time to make matters right - we are now on day 5 of a continuous
> > non-spoofed 20Mb/sec dDoS attack :-)).  Convince me why a list of
> > non-cooperative ISPs is a thing that would help.
> Well, the way I see it this internet thing is new to a lot of companies. Some are finding out the hard way what works, what doesn't. Quite a bit of the normal controls to prevent bad service, etc. are not in place.
> I'm sure you've heard of the Better Business Bureau, The Chamber of Commerce, etc? Well, I wasn't suggesting making a list, I was suggesting he report his interaction with that company to you guys. This might allow NANOG to know how this or that ISP is responding to requests. You can sit by and say experience has shown and you're right. However, that is because no one is calling for any responsibility. There is no review and no drawbacks to acting with complete disregard. Well, just reporting that I spoke with X ISP and they attempted to cooperate or they didn't care at all is a small first step. If someone then took these reports and passed them to Boardwatch, or whatever, the ISP might end up answering to someone.
> There is quite a bit of helplessness and inaction going on when it comes to these types of situations and BIG ISP can get away with whatever they want. Well, experience has shown that if you organize the "little" people can influence the BIGGER.
> > -Hank
> > >Jon

Here are my thoughts on DDoS:

-The problem should not be addressed by going after the
originators of the attacks, rather a real-time targeting
system for those 'compromised' client computers with zombies
installed.  It seems to me that no matter the use, a
computer that is attached to a global network which is
compromised in such a way, should be forced to correct the
problem prior to continued participation in that network.

With that said- it also appears there are two steps which
need to take place for proper implementation of such a
system.  Detection and elimination.

As for the detection.  Well- that is the hard part.  As I
understand these zombies, they are just irc clients embedded
in the compromised machine.  And nothing stops irc clients
from connecting on just about any port available, so
port-based scans or blocks are not going to cut it.
So- if we can not scan for compromised machines, we need to
be reactive to their attacks.  Finding out which IPs are
involved in a DDoS attack is not too hard.  Hell- just last
week I was hit by a DDoS of 220 individual IPs from
different networks.  All IPs were recorded for future use.
(and the target was a web server, not an IRC server/client)

How do we use this data to our advantage?  What can we do
with it to 'verify' a bad client?  Should there be a
time-limit for denial (for dynamically assigned members)?
Once an attack has started, what mechanism can be in place
to stop it?

Clearly there are a lot of unanswered questions.  I hope
this post spins-off some constructive discussion.

Brad Baker
Director: Network Operations
American ISP
brad at americanisp.net
+1 303 984 5700 x12
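One way to act on the reactive approach described above, as an added example that is not from the original post or the list: parse constructed web-server log lines, flag source addresses whose request rate inside a sliding window exceeds a threshold, and hold them in a deny list with an expiry so that a dynamically assigned address is released after a time limit rather than blocked forever. The window, threshold, TTL and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format prefix: "<ip> <ident> <user> [<timestamp>] ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, timestamp) from a common-log-format line, or None."""
    m = LOG_RE.match(line)
    return (m.group(1), datetime.strptime(m.group(2), TS_FMT)) if m else None

def flood_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Map each source that sent more than `threshold` requests inside any
    `window` to the time it first did so.  Lines must be in time order."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop hits older than the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

class DenyList:
    """Denial with a time limit: an entry lapses after `ttl`, so a
    dynamically assigned address is released once it has likely changed hands."""
    def __init__(self, ttl=timedelta(hours=1)):   # assumed TTL
        self.ttl, self.expiry = ttl, {}
    def deny(self, ip, when):
        self.expiry[ip] = when + self.ttl
    def is_denied(self, ip, now):
        exp = self.expiry.get(ip)
        if exp is not None and now < exp:
            return True
        self.expiry.pop(ip, None)                 # expired or unknown
        return False

def sample_log():
    """Constructed log (not real traffic): one flooding source, one ordinary visitor."""
    base = datetime(2001, 7, 12, 8, 0, 0, tzinfo=timezone.utc)
    events = [(i * 0.3, "198.51.100.7") for i in range(30)]   # 30 hits in 9 s
    events += [(i * 2.0, "203.0.113.10") for i in range(5)]   # 5 hits in 8 s
    return [f'{ip} - - [{(base + timedelta(seconds=off)).strftime(TS_FMT)}] '
            f'"GET / HTTP/1.0" 200 512' for off, ip in sorted(events)]
```

Feeding `flood_sources(sample_log())` into a `DenyList` flags only the flooding address, and `is_denied` returns False for it again once the TTL has passed.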
