Another DNS blacklist is taken down

Jared Mauch jared at puck.Nether.net
Mon Sep 29 17:49:27 UTC 2003


On Mon, Sep 29, 2003 at 01:11:08PM -0400, Dan Armstrong wrote:
> 
> Jared Mauch wrote:
> 
> > On Mon, Sep 29, 2003 at 09:51:08AM -0700, Mike Batchelor wrote:
> > > --On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore
> > > <listuser at numbnuts.net> wrote:
> > > >On Wed, 24 Sep 2003, Joel Perez wrote:
> > > >
> > > >>So back to my ACL's I go!
> > > >
> > > >This is one of the most likely things to happen.  DNS RBLs are effective.
> > > > Otherwise spammers wouldn't be targeting them for abuse.
> > >
> > > What evidence is there that spammers are the ones doing the DDoS?
> >
> >         There is likely some conjecture here, but aside from the DNS RBLs
> > that cause collateral damage (ie: blacklisting large chunks
> > of address space to cause behaviour change) who has something to gain
> > from these dnsbl's going down?
> 
> Isn't that collateral damage issue enough to have angered hundreds of ISPs
> & end users to the point of not necessarily organizing a DDoS, but ignoring
> it?  I think it is far _more_ likely that the DDoS came from the innocent
> victims fighting back rather than the spammers.

	Presently I beg to differ. (I do encourage you to prove me wrong :)

	A lot of small-time people have created their own dnsbl's
after MAPS(tm) closed down public access to their system, and there
have been a lot of these smaller lists that could handle the query-load
of people that wanted to use them without problems, but once they
were hit with medium to large sized DoS attacks have decided that
it's not worth the effort.  I am waiting to see what happens if people
move against those that are doing this as part of their business
model, such as MAPS, spamcop, etc.

	These people will be quite happy to call and get some of the
law enforcement people to actually move as it does pose a legitimate
threat to their entire cash flow and business model.  They will also
be able to easily go to the media instead of some small time people that
run the list on machines in their basements or shared-colo environments.
Their providers just don't want to deal with the headache, similar to
how some IRC networks have been fighting to stay alive as well.

	The problem here is end-to-end accountability.  It all relates
back to the constant issue of patching your systems and being a good
net.citizen with your upstreams, peers, etc.  Security incidents
continue to be on the rise and unless people start to actually do
something about them (which I know is difficult due to financial constraints
that we face in the US currently at least) and are responsive at all
hours to them, things aren't going to get any better.  We need the ability
to trace back attacks over the course of an hour at most to be able
to mitigate the risks that are posed, and filter out the true attacks
from the "noise" generated by people who think they're being attacked
because they're seeing p2p traffic to their machine.

	I encourage people to start profiling their traffic.  Not by
looking at netflow or other data, but by quite simple heuristics.  Look
at your typical bitrate, and pps rates that you see on your internal
and external (peering, upstream, exchange-point) links.  Watch for any
abnormal events, large bursts in either bps or pps.

	Do this not only on your routers but on any layer-2 switches
you may have as well and you may be able to find attacks on your 
network or attacks sourced from your network/customers that would have
not been otherwise noted.  If you can find these and isolate the compromised
machines sooner rather than later you will be helping the entire internet
as a whole.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
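The bps/pps profiling heuristic described in the message above, as an added example that is not part of Jared's post. It keeps a rolling per-link baseline (median and median absolute deviation of the preceding intervals) for bit rate and packet rate separately, and flags any interval that jumps well above that baseline. The interface names and the counter values are constructed for illustration; the 60 s interval, the window of 5 and the factor k=5 are assumptions to be tuned per link.

```python
"""Flag abnormal bps/pps bursts in per-link interface counters.

Added example (not from the original NANOG post). The counters below are
constructed sample data, not measurements from any real network.
"""
from statistics import median
from typing import Dict, List, NamedTuple, Tuple

INTERVAL_SECONDS = 60  # assumed: each sample covers one 60 s polling interval


class Burst(NamedTuple):
    iface: str
    index: int       # position of the offending interval, oldest sample = 0
    metric: str      # "bps" or "pps"
    value: float
    threshold: float


# Constructed (bytes, packets) per 60 s interval, oldest first.
# upstream0: ~10 Mbps / ~1 kpps, then a volumetric flood in intervals 7-8
#            (both bit rate and packet rate jump)
# peer1:     a small-packet flood in interval 8 (packet rate jumps, bit rate
#            stays inside the baseline, so a bps-only watch would miss it)
# ix0:       steady traffic, nothing to report
COUNTERS: Dict[str, List[Tuple[int, int]]] = {
    "upstream0": [(75_000_000, 60_000), (78_000_000, 62_000), (72_000_000, 58_000),
                  (76_000_000, 61_000), (74_000_000, 59_000), (77_000_000, 62_000),
                  (73_000_000, 58_000), (300_000_000, 220_000), (310_000_000, 225_000),
                  (75_000_000, 60_000)],
    "peer1":     [(75_000_000, 60_000), (74_000_000, 59_000), (76_000_000, 61_000),
                  (75_000_000, 60_000), (73_000_000, 58_000), (77_000_000, 62_000),
                  (74_000_000, 59_000), (76_000_000, 61_000), (80_000_000, 150_000),
                  (75_000_000, 60_000)],
    "ix0":       [(75_000_000, 60_000), (76_000_000, 61_000), (74_000_000, 59_000),
                  (75_000_000, 60_000), (77_000_000, 62_000), (76_000_000, 61_000),
                  (74_000_000, 59_000), (75_000_000, 60_000), (76_000_000, 61_000),
                  (75_000_000, 60_000)],
}


def rates(byte_count: int, packet_count: int,
          interval: int = INTERVAL_SECONDS) -> Tuple[float, float]:
    """Turn one interval's counters into (bits per second, packets per second)."""
    return byte_count * 8 / interval, packet_count / interval


def robust_threshold(history: List[float], k: float = 5.0) -> float:
    """Alert line for the next interval: median + k * scaled MAD of the history.

    Median/MAD rather than mean/stddev so that one burst already inside the
    window does not inflate the baseline and hide the next one. The 1% floor
    keeps a perfectly flat history (MAD == 0) from alerting on every wobble.
    """
    med = median(history)
    mad = median([abs(x - med) for x in history]) * 1.4826  # MAD -> sigma-like scale
    spread = max(mad, 0.01 * med)
    return med + k * spread


def find_bursts(counters: Dict[str, List[Tuple[int, int]]], window: int = 5,
                k: float = 5.0, interval: int = INTERVAL_SECONDS) -> List[Burst]:
    """Compare every interval against the `window` intervals before it."""
    bursts: List[Burst] = []
    for iface, samples in counters.items():
        series = {"bps": [], "pps": []}
        for byte_count, packet_count in samples:
            bps, pps = rates(byte_count, packet_count, interval)
            series["bps"].append(bps)
            series["pps"].append(pps)
        for metric, values in series.items():
            for i in range(window, len(values)):
                thr = robust_threshold(values[i - window:i], k)
                if values[i] > thr:
                    bursts.append(Burst(iface, i, metric, values[i], thr))
    return bursts


if __name__ == "__main__":
    for b in find_bursts(COUNTERS):
        print(f"{b.iface} interval {b.index}: {b.metric} {b.value:,.0f} "
              f"exceeds baseline threshold {b.threshold:,.0f}")
```

In practice the counter pairs would come from periodic SNMP or CLI polls of each router and layer-2 switch port, and the same two series would be kept for every peering, upstream and exchange-point link as well as internal ones. Watching pps and bps independently is the point of the peer1 case: a flood of small packets barely moves the bit rate but is obvious in the packet rate, and a link that looks fine on a bandwidth graph can still be carrying, or sourcing, an attack.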
