WANTED: ISPs with DDoS defense solutions

Mike Tancsa mike at sentex.net
Wed Jul 30 23:40:01 UTC 2003


At 10:37 PM 30/07/2003 +0000, Christopher L. Morrow wrote:

>Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
>and you can prove I did the attacking how?

You can at least TRY and see where the controlling traffic stream is 
originating from. I.e. if crap is coming out of box X, all the effort is 
spent on dealing with the spew coming from X through clever filtering and 
null routing, rather than trying to figure out who is controlling X. Good 
grief, is it really that difficult to put on an ACL to log inbound TCP 
setup connections to the attacking host?
"Proof" in a legal sense is probably impossible if it's some kid in Kiev and 
highly cost prohibitive if it's some kid in Boston and you are in New 
York. But you know what, the odds are it is from a western country and 
odds are it's not some politically motivated attack, it's some emboldened kid 
due to the anonymity of the Internet, pissed off that someone questioned 
his manhood on IRC and decides to take it out via some ego enlarging 
attack. In the cases we have dealt with where it was one of our customers, 
contacting the parents and explaining that what was being done was against 
the law was enough to stop the kid from continuing. Even when the 
attacker was an adult, talking to the person, explaining it's against our 
AUP and against the law was, in our cases, enough to stop the person. It's 
amazing how compliant and timid darksith2999 at hushmail.com becomes when you 
talk to Joe-Brown at we-know-where-you-live.


Are all these incidents bored teenage kids? No. But I would put money on 
it the majority are. Really, how many of the very clever hackers you know 
are involved in DDoS attacks?

>You can't because I and 7 other
>hackers all are fighting each other over ownership of the poor UW student
>schlep's computer...

Great, so of the 7 inbound streams, what effort is it to identify the IP 
address? In our case:

ipfw add 20 count log tcp from any to x.x.x.x setup

Will it always work? No. But it will catch more attackers than clever 
routing and filtering, as that just copes with the issue and does nothing 
to deal with it.



>The problem isn't the network, nor the filtering/lack-of-filtering, it's a
>basic end host security problem.


I would say all have some responsibility. It's not just an end user 
problem, it's not just a network operator problem. I would say a DDoS would 
violate everyone's AUP on this list, no? If you choose to not enforce your 
AUP, how are you not responsible? This is like the cops saying, "people 
are going to drive drunk and do stoooopid things. We can't stop them from 
doing this, so we give up."


>Until that is resolved, the ability of
>attackers to own boxes in remote locations and use them for malfeasance
>will continue to haunt us. I would guess that the other owners of the
>machines attacking Mike (assuming they got the emails he sent...

I sent email to the listed abuse contacts first. If that bounced (as it did 
with several Korean networks) I contacted the AS, or RADB contacts. I even 
contacted the APNIC registrar to inform them that all contacts bounced for 
one of the Korean ISPs. I then asked a Korean friend to look around the 
website for a "real person" and emailed that address. But the majority of 
the infected hosts were (surprise, surprise) in the largest networks, e.g. 
AT&T, TW, Comcast, colo providers, and other resi broadband providers in 
Japan, Korea and Canada. Not because they have the lion's share of dumb 
users, but because they have the lion's share of users period. Almost all 
had auto-responders saying "if spam, email here, if network abuse, email 
here"... If it was a different address, I then re-sent the complaints to 
the address instructed.



>big
>assumption) probably said: "Great another person getting attacked from
>that joker's win2k machine, hurray:(" and moved on about their business.

We don't do this. If a customer host is infected with a virus/worm or is used 
in an attack, we contact the customer. If they don't do anything or choose 
to ignore us, we cut them off.



>I'm all for raising the bar on attackers and having end networks implement
>proper source filtering, but even with that 1000 NT machines pinging 2
>packets per second is still enough to destroy a T1 customer, and likely
>with 1500 byte packets a T3 customer as well. You can't stop this without
>addressing the host security problem...


And kids will continue to attack / cause problems with impunity when there 
are no consequences for their actions.  If network operators would enforce 
their AUPs, I think we would go a long way to reduce these types of 
headaches.  This starts with putting *some* effort into identifying the 
controlling source.

         ---Mike 
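An added example, not part of Mike's post, of the second half of the approach he describes: once a count/log rule like "ipfw add 20 count log tcp from any to x.x.x.x setup" is in place on the compromised customer host, the syslog lines it produces are grouped by source address and destination port so the operator can see which inbound connection attempts stand out. It assumes the classic ipfw log layout ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <iface>"); the host 192.0.2.10, the rule number 20 and every log line and address below are constructed for illustration.

```python
"""Rank inbound TCP connection attempts to a watched host from ipfw log lines.

Added example (not from the original mailing-list post).  Assumed setup:
a FreeBSD gateway running a rule such as
    ipfw add 20 count log tcp from any to 192.0.2.10 setup
with syslog recording the kernel's ipfw lines in the layout
    ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
All addresses and log lines here are constructed for illustration.
"""
import re
from collections import Counter

VICTIM = "192.0.2.10"   # hypothetical compromised customer host ("box X")
RULE = 20               # rule number used in the assumed count/log rule

# One regex for the ipfw portion of a syslog line; the timestamp/hostname
# prefix is ignored so the same parser works on raw or forwarded logs.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: four setup packets from one source to the IRC port,
# two ordinary web hits, one UDP line from another rule and one outbound
# line that the filter must ignore.
SAMPLE_LOG = """\
Jul 30 22:10:01 gw kernel: ipfw: 20 Count TCP 198.51.100.7:3412 192.0.2.10:6667 in via fxp0
Jul 30 22:10:03 gw kernel: ipfw: 20 Count TCP 203.0.113.44:51022 192.0.2.10:80 in via fxp0
Jul 30 22:10:05 gw kernel: ipfw: 20 Count TCP 198.51.100.7:3413 192.0.2.10:6667 in via fxp0
Jul 30 22:10:09 gw kernel: ipfw: 20 Count TCP 198.51.100.7:3414 192.0.2.10:6667 in via fxp0
Jul 30 22:10:12 gw kernel: ipfw: 20 Count TCP 203.0.113.90:40001 192.0.2.10:80 in via fxp0
Jul 30 22:10:15 gw kernel: ipfw: 10 Count UDP 203.0.113.5:53 192.0.2.10:1029 in via fxp0
Jul 30 22:10:20 gw kernel: ipfw: 20 Count TCP 198.51.100.7:3415 192.0.2.10:6667 in via fxp0
Jul 30 22:10:22 gw kernel: ipfw: 25 Count TCP 192.0.2.10:2000 203.0.113.90:80 out via fxp0
"""


def parse_ipfw_log(text, rule=RULE):
    """Return a list of dicts, one per log line produced by the given rule number.

    Lines that do not match the ipfw layout, or that belong to another rule,
    are skipped rather than raising, since real syslog files mix many sources.
    """
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m.group("rule")) != rule:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rank_sources(text, victim=VICTIM, rule=RULE):
    """Count inbound TCP setup attempts to `victim` per (source, dest port).

    Returns a list of (src, dport, count) tuples, busiest first; ties are
    broken by source address and port so the output is stable.
    """
    counts = Counter()
    for rec in parse_ipfw_log(text, rule):
        if rec["proto"] != "TCP" or rec["dir"] != "in" or rec["dst"] != victim:
            continue
        counts[(rec["src"], rec["dport"])] += 1
    return sorted(
        ((src, port, n) for (src, port), n in counts.items()),
        key=lambda t: (-t[2], t[0], t[1]),
    )


if __name__ == "__main__":
    print(f"inbound TCP setup attempts to {VICTIM}, grouped by source:")
    for src, port, n in rank_sources(SAMPLE_LOG):
        print(f"{n:4d}  {src:>15} -> {VICTIM}:{port}")
```

On the constructed sample the repeated attempts from 198.51.100.7 to port 6667 rise to the top, which is the sort of thing the count rule is meant to surface while the flood itself flows outward. The rule records only setup packets, so it points at where the control session comes from, not at who is behind it, and normal traffic to the box shows up in the same list; the destination port and the timing relative to the attack are what separate the two.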
