DDoS attacks (yum yum, troll food)

Alex Bligh alex at alex.org.uk
Thu Jul 12 22:15:58 UTC 2001


> Please quit feeding the trolls.

The past few years have shown several DDOS attacks
aimed at subscribers of the NANOG mailing list.

As soon as someone brings up nearly any subject,
their thread is pulverised by no end of messages
on 'why Paul Vixie is the antichrist', 'how ARIN
ate my hamster', 'how ICANN is in league with
the devil', or copious other similar byte
arrangements. Though each attack is similar in
nature, they are sufficiently different in
byte content (but not semantic content) that they
are hard to automatically filter.

The attack appears to work by overloading mailing
lists with large amounts of mail messages with
little relevance to the purpose of the group.
During the attack, because of the large volume
of superfluous messages, subscribers can no longer
use the list for operational purposes.

Such attacks are invulnerable to source tracing,
and filtering via .procmailrc access lists, as they
appear to be spoofable from an almost infinite number of
source mail addresses. Users around the world, who
are not clue protected, can easily read one
such message, and taken over by the idea they know
something about one such subject, become zombies,
and flood mailing lists with large quantities
of trite or misguided rubbish.

Several solutions have been suggested, including
border clue filtering. This would involve all ISPs
preventing clueless users from sending emails.
However, this has proved impractical to implement.
Apparently some ISPs may have clueless staff.

A second suggestion is 'blackholing' mailing lists
whilst they are under attack. This can be achieved
by simply not reading messages posted to the list
during the period of attack, or setting a .procmailrc
to redirect to /dev/null. However, this has the
side-effect of dropping operational traffic as well.

Whilst the SMTP protocol does not carry secure clue
authentication, it will be difficult to prevent
malicious or incompetent users from injecting
clueless messages into otherwise clueful data streams.

In the mean time, mailing list users will have to
apply ad-hoc mechanisms to reduce the impact of
such attacks.

Do not feed the trolls.

--
Alex Bligh (personal capacity)


