Identifying DoS sources quickly (was: Bogon list or Dshield.org type list)

michael.dillon at radianz.com michael.dillon at radianz.com
Tue Jul 30 13:55:38 UTC 2002


>As far as tracking DoS, I've read some good papers on the subject and it
>always boils down to tracking MAC addresses and going interface by
>interface to the source, demanding inter-ISP cooperation, and finally
>legal assistance. This has been tried during a few severe instances with
>poor results.

That's the obvious solution to the problem if the problem is how to track 
down the source(s) of a DoS attack. However, in any DoS attack, there is 
always a victim and one or more devices sending attack traffic to the 
victim. The owners of the attacking devices are accessories to the crime 
although I'm sure they could plead ignorance and avoid any liability. But 
what if they could not plead ignorance? What if we could identify some of 
the attacking devices, and what if the victim sent a legal "cease and 
desist" letter to the owners of the attacking devices? Now, the victim is 
in a position to sue the owners of these attacking devices if they don't 
fix the problem by securing their machines. And once this happens and gets 
some press coverage, a whole bunch of other machine owners will wake up 
and realize that they could be stuck with big legal bills if they don't 
secure their machines.

So, to restate the problem, how do we identify some of the sources of a 
DoS attack quickly, maybe even while the attack is still in progress?

>Bots/Zombies are traded openly on IRC and there is no
>accountability for personal security. ISPs won't shut someone down
>because they've been "hacked", merely send them a warning Email or
>call--a process that takes days in my experience.

How many ISPs would identify the user of an IP address for the purposes of 
sending a "cease and desist" letter when contacted by a lawyer? 
Considering that failure to provide the identity would result in the ISP 
themselves getting sued by the DoS victim? As long as *SOME* ISPs would 
cooperate with a DoS victim, there is enough to get the legal ball 
rolling. The alternative is to painfully backtrack until you find an 
uncooperative ISP and then sue them.

As I said before, if there was a central registry something like 
dshield.org that collected data on the destination IP addresses of DoS 
attacks along with estimated magnitude based on analysing the traffic from 
random source addresses blocked by ingress filters, then we have something 
an ISP can use to analyze their outgoing traffic. If you are an ISP and 
you have netflow data that contains destination addresses which also occur 
in the DoS victim registry then you should be willing to act on that data. 
Of course, it's up to you what you do with it. You may offer the DoS 
victim the identity of the source provided that they serve you with the 
right legal documents. Or you might go to the owner of the machine 
yourself with the evidence and warn them that they are aiding and abetting 
cyber terrorists and could suffer the legal consequences if they don't 
secure their machines.

It's certainly not perfect but it's worth a try.

--Michael Dillon
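The correlation step the post proposes (matching the destination addresses in an ISP's outgoing NetFlow data against a registry of DoS victims, then looking at which of the ISP's own customers are the sources) can be sketched in a few lines. The following is an added example, not code from the post or from any registry the post mentions; the flow export format, the ISP prefixes, the victim registry and the flow records are all constructed inline. It also separates out flows whose source address is not in the ISP's own prefixes, since those are what ingress filtering should have dropped and are not evidence against any customer.

```python
"""Correlate outbound NetFlow-style records against a DoS-victim registry.

Added example (not from the NANOG post). Assumes a CSV-like flow export with
the columns src_ip,dst_ip,proto,src_port,dst_port,packets,bytes; the sample
data below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: address space this hypothetical ISP announces.
ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed registry in the spirit of the dshield-like service the post
# proposes: victim destination -> estimated attack magnitude (packets/s).
VICTIM_REGISTRY = {
    "192.0.2.10": 250_000,
    "192.0.2.77": 40_000,
}

# Constructed flow records: src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
SAMPLE_FLOWS = """\
203.0.113.45,192.0.2.10,17,53,80,120000,7680000
203.0.113.45,192.0.2.10,6,40211,80,85000,5440000
203.0.113.200,198.51.100.9,6,51234,443,40,38000
198.51.100.77,192.0.2.77,1,0,0,30000,1680000
172.16.5.5,192.0.2.10,17,1234,80,50000,3200000
203.0.113.45,192.0.2.33,6,40000,22,12,900
"""


def parse_flows(text):
    """Parse the constructed CSV export into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 7:
            continue
        try:
            flows.append({
                "src": ipaddress.ip_address(parts[0]),
                "dst": ipaddress.ip_address(parts[1]),
                "proto": int(parts[2]),
                "packets": int(parts[5]),
                "bytes": int(parts[6]),
            })
        except ValueError:
            continue
    return flows


def is_ours(addr):
    """True if the address falls inside one of the ISP's own prefixes."""
    return any(addr in net for net in ISP_PREFIXES)


def correlate(flows, registry, min_packets=1000):
    """Group outbound flows whose destination appears in the victim registry.

    Returns (suspects, spoofed):
      suspects: {src_ip: {victim_ip: total_packets}} for sources inside our
                prefixes, keeping only sources above min_packets in total
      spoofed:  flows toward a victim whose source is outside our prefixes;
                ingress filtering should have dropped these
    """
    suspects = defaultdict(lambda: defaultdict(int))
    spoofed = []
    for f in flows:
        dst = str(f["dst"])
        if dst not in registry:
            continue
        if not is_ours(f["src"]):
            spoofed.append(f)
            continue
        suspects[str(f["src"])][dst] += f["packets"]
    # A handful of packets to a victim is ordinary traffic, not an attack.
    return ({s: dict(v) for s, v in suspects.items()
             if sum(v.values()) >= min_packets}, spoofed)


def report(suspects, spoofed):
    """Render one line per (source, victim) pair plus one per spoofed flow."""
    lines = []
    for src, victims in sorted(suspects.items()):
        for dst, pkts in sorted(victims.items()):
            lines.append(f"{src} -> {dst}: {pkts} packets "
                         f"(registry magnitude {VICTIM_REGISTRY[dst]} pps)")
    for f in spoofed:
        lines.append(f"SPOOFED? {f['src']} -> {f['dst']}: source not in our prefixes")
    return lines


if __name__ == "__main__":
    found, spoofed = correlate(parse_flows(SAMPLE_FLOWS), VICTIM_REGISTRY)
    print("\n".join(report(found, spoofed)))
```

On the constructed data this reports 203.0.113.45 sending 205000 packets to 192.0.2.10 and 198.51.100.77 sending 30000 to 192.0.2.77, and flags the 172.16.5.5 flow as a source the ISP cannot have originated legitimately. The per-source totals are what the post suggests handing to the victim's lawyer or to the customer, while the spoofed list is evidence that ingress filtering is missing somewhere upstream rather than evidence against a customer.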