Another DNS blacklist is taken down

Dan Armstrong dan at beanfield.com
Mon Sep 29 18:04:45 UTC 2003


Jared Mauch wrote:

> On Mon, Sep 29, 2003 at 01:11:08PM -0400, Dan Armstrong wrote:
> >
> > Jared Mauch wrote:
> >
> > > On Mon, Sep 29, 2003 at 09:51:08AM -0700, Mike Batchelor wrote:
> > > > --On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore
> > > > <listuser at numbnuts.net> wrote:
> > > > >On Wed, 24 Sep 2003, Joel Perez wrote:
> > > > >
> > > > >>So back to my ACL's I go!
> > > > >
> > > > >This is one of the most likely things to happen.  DNS RBLs are effective.
> > > > > Otherwise spammers wouldn't be targeting them for abuse.
> > > >
> > > > What evidence is there that spammers are the ones doing the DDoS?
> > >
> > >         There is likely some conjecture here, but aside from the DNS RBLs
> > > that cause collateral damage (ie: blacklisting large chunks
> > > of address space to cause behaviour change) who has something to gain
> > > from these dnsbl's going down?
> >
> > Isn't that collateral damage issue enough to have angered hundreds of ISPs
> > & end users to the point of not necessarily organizing a DDoS, but ignoring
> > it?  I think it is far _more_ likely that the DDoS came from the innocent
> > victims fighting back rather than the spammers.
>
>         Presently I beg to differ. (I do encourage you to prove me wrong :)
>
>         A lot of small-time people have created their own dnsbl's
> after MAPS(tm) closed down public access to their system, and there
> have been a lot of these smaller lists that could handle the query-load
> of people that wanted to use them without problems, but once they
> were hit with medium to large sized DoS attacks have decided that
> it's not worth the effort.  I am waiting to see what happens if people
> move against those that are doing this as part of their business
> model, such as MAPS, spamcop, etc..
>
>         These people will be quite happy to call and get some of the
> law enforcement people to actually move as it does pose a legitimate
> threat to their entire cash flow and business model.  They will also
> be able to easily go to the media instead of some small time people that
> run the list on machines in their basements or shared-colo environments.
> Their providers just don't want to deal with the headache, similar as to
> how some IRC networks have been fighting to stay alive as well.
>
>         The problem here is end-to-end accountability.  It all relates
> back to the constant issue of patching your systems and being a good
> net.citizen with your upstreams, peers, etc..  Security incidents
> continue to be on the rise and unless people start to actually do
> something about them (which I know is difficult due to financial constraints
> that we face in the US currently at least) and are responsive at all
> hours to them, things aren't going to get any better.  We need the ability
> to trace back attacks over the course of an hour at most to be able
> to mitigate the risks that are posed, and filter out the true attacks
> from the "noise" that people generate who think because they're seeing
> p2p traffic to their machine they think they're being attacked..
>
>         I encourage people to start profiling their traffic.  not by
> looking at netflow or other data, but by quite simple heuristics.  Look
> at your typical bitrate, and pps rates that you see on your internal
> and external (peering, upstream, exchange-point) links.  Watch for any
> abnormal events, large bursts in either bps or pps.
>
>         Do this not only on your routers but on any layer-2 switches
> you may have as well and you may be able to find attacks on your
> network or attacks sourced from your network/customers that would have
> not been otherwise noted.  If you can find these and isolate the compromised
> machines sooner rather than later you will be helping the entire internet
> as a whole.
>

I agree with you wholeheartedly.  Malicious attacks deserve severe consequences,
and all ISPs need to set themselves up to be able to deal with them more quickly
and effectively.   We have had problems with these sorts of things in the past.  We
have done all sorts of neat stuff including sending alarms if traffic trends change
drastically, blackhole routing, etc. etc. That's a whole separate discussion, in my
opinion.

These BLs that leveraged their "wild west" style, unaccountable vigilante justice
by inflicting "collateral damage" to thousands of innocent victims got their karma
back.  I think it's a cop out to think that it was the spammers themselves who did
this.  Spammers are not smart enough to do things like that...... They are just
money grubbing sleaze bags that play the numbers game.  It is un-economic for them
to use resources to organize a DDoS.   A DDoS is an act of passion, not an act of
dollars and cents, which is how the spammers work.

Dan.
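The traffic-profiling heuristic Jared describes above (watch bps and pps per link, alarm on large bursts) and the trend-change alarms Dan mentions can be implemented with very little machinery. The following is an added example, not code from anyone in this thread: it converts polled interface counters into per-interval bit and packet rates, handles a 32-bit counter wrap, and raises an alarm when either rate exceeds three times the median of the preceding six intervals. The poll interval, counter width, thresholds and the counter values themselves are all constructed for the illustration. The sample data models a flood of small packets, which shows up as a pps burst with almost no bps change, the case a bandwidth-only graph would miss.

```python
# Added example, not from the thread: a bps/pps burst detector of the kind
# described above, run over per-interval link counters. Everything below
# (counter values, thresholds, poll interval) is constructed for illustration.
from statistics import median
from typing import List, Tuple

POLL_INTERVAL_S = 60   # seconds between counter polls (assumed)
COUNTER_BITS = 32      # width of the polled counters (assumed 32-bit)

# Constructed poll results: cumulative (octets, packets) on one link, every
# 60 s. The link idles near 10 Mbit/s and 1500 pps; the octet counter starts
# close to 2^32 so it wraps between the 2nd and 3rd poll, and the 8th
# interval carries ten times the normal packet rate with almost no extra
# bandwidth, i.e. a flood of small packets.
COUNTER_POLLS: List[Tuple[int, int]] = [
    (4_200_000_000, 0),
    (4_275_000_000, 90_000),
    (56_032_704, 181_000),      # octet counter wrapped past 2^32
    (130_032_704, 270_000),
    (205_532_704, 360_500),
    (278_532_704, 448_500),
    (355_532_704, 540_500),
    (430_532_704, 630_500),
    (511_532_704, 1_530_500),   # burst: +81e6 octets, +900k packets
    (585_532_704, 1_620_000),
]


def rates_from_counters(polls, interval_s=POLL_INTERVAL_S, counter_bits=COUNTER_BITS):
    """Turn consecutive cumulative counter polls into (bps, pps) per interval.

    Taking the difference modulo 2**counter_bits handles a single wrap between
    two polls, which is routine for 32-bit octet counters on busy links.
    """
    modulus = 1 << counter_bits
    rates = []
    for (oct0, pkt0), (oct1, pkt1) in zip(polls, polls[1:]):
        d_octets = (oct1 - oct0) % modulus
        d_packets = (pkt1 - pkt0) % modulus
        rates.append((d_octets * 8 / interval_s, d_packets / interval_s))
    return rates


def detect_bursts(rates, window=6, factor=3.0, min_bps=1_000_000, min_pps=100):
    """Flag intervals whose bps or pps exceeds `factor` times the median of the
    preceding `window` intervals and an absolute floor (so an idle link does
    not alarm on noise). The median is used as the baseline so that one burst
    does not drag the baseline up for the intervals that follow it."""
    alarms = []
    for i in range(window, len(rates)):
        history = rates[i - window:i]
        base_bps = median([r[0] for r in history])
        base_pps = median([r[1] for r in history])
        bps, pps = rates[i]
        bps_alarm = bps > max(min_bps, factor * base_bps)
        pps_alarm = pps > max(min_pps, factor * base_pps)
        if not (bps_alarm or pps_alarm):
            continue
        alarms.append({
            "interval": i,
            "bps": bps, "baseline_bps": base_bps, "bps_alarm": bps_alarm,
            "pps": pps, "baseline_pps": base_pps, "pps_alarm": pps_alarm,
            # bytes per packet: a pps-only alarm with a small value here is
            # the signature of a small-packet flood
            "avg_packet_bytes": (bps / 8) / pps if pps else 0.0,
        })
    return alarms


RATES = rates_from_counters(COUNTER_POLLS)

if __name__ == "__main__":
    for a in detect_bursts(RATES):
        if a["pps_alarm"] and not a["bps_alarm"]:
            kind = "pps-only (small-packet flood)"
        elif a["bps_alarm"] and not a["pps_alarm"]:
            kind = "bps-only"
        else:
            kind = "bps+pps"
        print(f"interval {a['interval']}: {kind}; "
              f"{a['pps']:.0f} pps vs baseline {a['baseline_pps']:.0f}, "
              f"avg packet {a['avg_packet_bytes']:.0f} bytes")
```

Run as-is it reports one alarm, on the eighth interval: roughly 15000 pps against a 1500 pps baseline with an average packet of 90 bytes, while the bit rate stays within noise of 10 Mbit/s. The same two functions apply unchanged to a layer-2 switch port, which is the point of running this on switches as well as routers: a compromised host on an access port is visible there before its traffic is aggregated away on the uplink.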
