monkeys.com UPL being DDOSed to death
Jack Bates
jbates at brightok.net
Tue Sep 23 21:32:55 UTC 2003
Joe St Sauver wrote:
> Note that not all DNSBLs are being effectively hit. DNSBLs which run with
> publicly available zone files are too distributed to be easily taken down,
> particularly if periodic deltas are distributed via cryptographically
> signed Usenet messages (or other "push" channels). You can immunize DNSBLs
> from attack, *provided* that you're willing to publicly distribute the
> contents of those DNSBLs.
Actually, SBL has had a lot of issues. The issue isn't always with the
dns zones. It is true that one can distribute the zones to make dDOS
more difficult, although not impossible. However, in the case of SBL,
they have had issues with the web servers being dDOS'd. The ability to
look up why a host is blacklisted, and in the case of relay/proxy lists
to request removal, is also important.

There are still a lot of blacklists out there; njabl, ordb, dsbl,
reynolds, sbl, and spews (in a roundabout sort of way). Yet what
happens when a business decides to destroy his competitor's website?
What happens when someone decides they don't like magazine X or vendor X
and attacks their web farms? Shall the Internet be called akamai? Don't
get me wrong. It's a good service, but not invulnerable.
windowsupdate.com can still be brought to its knees if the attacker is
persistent enough.

Of course, when big money businesses are involved, things get done. Yet
what about the smaller business or the charity? What about critical
infrastructure? Does anyone claim that MAE East and West couldn't be
made inoperational by dDOS? How does that shift the network and peering?
What are the ramifications?

Of the various RPC worms, spybot is the most malicious in intent. Yet
what if parts of Swen/Gibe/Sobig.F were incorporated into blaster?
Process terminations to make repair difficult and to open the computer
to other viruses and vulnerabilities. Installed proxy servers and bots.
Keyloggers. Now collect your information, gather your bots, and watch a
single phrase create destruction.

Things have not improved over the last year. They have gotten worse. The
Internet is more malicious than ever. It is quickly becoming the Inner
City Projects of communication. Greed and hatred created some of the
worst neighborhoods in the world. The same concept will apply to
the network. If action isn't taken, it will get worse. More money will be
lost over the coming years. Many people will be hurt. Communication will
be impaired.

Question: Why is it not illegal for an ISP to allow a known vulnerable
host to stay connected and not even bother contacting the owner? There
are civil remedies that can be sought but no criminal. Bear in mind,
these "vulnerable" hosts are usually in the process of performing
malicious activity when they are reported.

Ron has reported many of the IP addresses that dDOS'd monkeys.com. Under
the same token, Ron has also reported to many ISPs about spammers which
have abused servers under his control, scanning and utilizing open
proxies, which is theft of resources. Why is nothing done about these
people? Why is the ISP not held liable for allowing the person to
continue in such malicious activity?

-Jack