WANTED: ISPs with DDoS defense solutions
Mike Tancsa
mike at sentex.net
Wed Jul 30 23:40:01 UTC 2003
At 10:37 PM 30/07/2003 +0000, Christopher L. Morrow wrote:
>Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
>and you can prove I did the attacking how?
You can at least TRY and see where the controlling traffic stream is
originating from. I.e., if crap is coming out of box X, all the effort is
spent on dealing with the spew coming from X through clever filtering and
null routing, rather than trying to figure out who is controlling X. Good
grief, is it really that difficult to put on an ACL to log inbound TCP
setup connections to the attacking host?
"Proof" in a legal sense is probably impossible if it's some kid in Kiev and
highly cost prohibitive if it's some kid in Boston and you are in New
York. But you know what, the odds are it is from a western country and
odds are it's not some politically motivated attack, it's some emboldened kid
due to the anonymity of the Internet, pissed off that someone questioned
his manhood on IRC and decides to take it out via some ego enlarging
attack. In the cases we have dealt with where it was one of our customers,
contacting the parents and explaining that what was being done was against
the law was enough to stop the kid from continuing. Even when the
attacker was an adult, talking to the person, explaining it's against our
AUP and against the law was, in our cases, enough to stop the person. It's
amazing how compliant and timid darksith2999 at hushmail.com becomes when you
talk to Joe-Brown at we-know-where-you-live.
Are all these incidents bored teenage kids? No. But I would put money on
it the majority are. Really, how many of the very clever hackers you know
are involved in DDoS attacks?
>You can't because I and 7 other
>hackers all are fighting each other over ownership of the poor UW student
>schlep's computer...
Great, so of the 7 inbound streams, what effort is it to identify the IP
address? In our case
ipfw add 20 count log tcp from any to x.x.x.x setup
Will it always work? No. But it will catch more attackers than clever
routing and filtering, as that just copes with the issue and does nothing
to deal with it.
>The problem isn't the network, nor the filtering/lack-of-filtering, its a
>basic end host security problem.
I would say all have some responsibility. It's not just an end user
problem, it's not just a network operator problem. I would say a DDoS would
violate everyone's AUP on this list, no? If you choose to not enforce your
AUP, how are you not responsible? This is like the cops saying, "people
are going to drive drunk and do stoooopid things. We can't stop them from
doing this, so we give up."
>Until that is resolved, the ability of
>attackers to own boxes in remote locations and use them for malfeasance
>will continue to haunt us. I would guess that the other owners of the
>machines attacking Mike (assuming they got the emails he sent...
I sent email to the listed abuse contacts first. If that bounced (as it did
with several Korean networks) I contacted the AS or RADB contacts. I even
contacted the APNIC registrar to inform them that all contacts bounced for
one of the Korean ISPs. I then asked a Korean friend to look around the
website for a "real person" and emailed that address. But the majority of
the infected hosts were (surprise, surprise) in the largest networks, e.g.
AT&T, TW, Comcast, colo providers, and other resi broadband providers in
Japan, Korea and Canada. Not because they have the lion's share of dumb
users, but because they have the lion's share of users period. Almost all
had auto-responders saying "if spam, email here, if network abuse, email
here"... If it was a different address, I then re-sent the complaints to
the address instructed.
>big
>assumption) probably said: "Great another person getting attacked from
>that joker's win2k machine, hurray:(" and moved on about their business.
We don't do this. If a customer host is infected with a virus/worm or is used
in an attack, we contact the customer. If they don't do anything or choose
to ignore us, we cut them off.
>I'm all for raising the bar on attackers and having end networks implement
>proper source filtering, but even with that 1000 nt machines pinging 2
>packet per second is still enough to destroy a T1 customer, and likely
>with 1500 byte packets a T3 customer as well. You can't stop this without
>addressing the host security problem...
And kids will continue to attack / cause problems with impunity when there
are no consequences for their actions. If network operators would enforce
their AUPs, I think we would go a long way to reduce these types of
headaches. This starts with putting *some* effort into identifying the
controlling source.
---Mike
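Mike's ipfw rule above logs inbound TCP setups to the attacked host; the following is an added example (not code from this thread) that ranks the sources of those setups from ipfw syslog output, so the handful of controlling connections stand out from the flood the compromised host emits. The log lines and addresses are constructed, and the ipfw log line shape (rule number, action, protocol, src:port, dst:port, direction, interface) is assumed.

```python
import re
from collections import Counter

# Constructed sample of ipfw syslog output, shaped like what
# "ipfw add 20 count log tcp from any to x.x.x.x setup" produces.
# 192.0.2.50 stands in for the compromised host "x.x.x.x"; all
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 30 23:40:01 gw /kernel: ipfw: 20 Count TCP 198.51.100.7:3342 192.0.2.50:6667 in via fxp0
Jul 30 23:40:02 gw /kernel: ipfw: 20 Count TCP 203.0.113.9:1025 192.0.2.50:22 in via fxp0
Jul 30 23:40:03 gw /kernel: ipfw: 20 Count TCP 198.51.100.7:3343 192.0.2.50:6667 in via fxp0
Jul 30 23:40:04 gw /kernel: ipfw: 30 Deny UDP 192.0.2.50:1234 198.51.100.200:53 out via fxp0
Jul 30 23:40:05 gw /kernel: ipfw: 20 Count TCP 198.51.100.7:3344 192.0.2.50:6667 in via fxp0
Jul 30 23:40:06 gw /kernel: ipfw: 20 Count TCP 203.0.113.44:40001 192.0.2.50:80 in via fxp0
"""

# Assumed ipfw log line layout (one record per packet that hit a "log" rule).
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return the fields of one ipfw log record, or None if the line is not one."""
    m = IPFW_RE.search(line)
    return m.groupdict() if m else None


def rank_inbound_sources(log_text, victim, rule="20"):
    """Count inbound TCP setup attempts per source IP against `victim`.

    Only hits on the counting rule are considered, so outbound flood
    traffic and other rules' records are ignored. Returns a list of
    (source_ip, hits) pairs, most frequent first.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["rule"] != rule or rec["dir"] != "in":
            continue
        if rec["proto"] != "TCP" or rec["dst"] != victim:
            continue
        counts[rec["src"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for src, hits in rank_inbound_sources(SAMPLE_LOG, "192.0.2.50"):
        print(f"{src:>16}  {hits} setup(s) to the attacking host")
```

The top entry is the address to hand to the upstream's abuse contact; the rest of the ranking is the "7 other hackers" the quoted reply mentions, each of which gets its own complaint.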