Worst Offenders/Active Attackers blacklists

Christopher Morrow morrowc.lists at gmail.com
Tue Jan 29 20:17:10 UTC 2008


On Jan 29, 2008 7:14 AM, Ben Butler <ben.butler at c2internet.net> wrote:

> Or, to ask the question another way, would the low % of infrastructure
> backbone attacks increase if the infrastructure started effectively
> blocking attacks rather than completing them through null routing the
> target?  If the commercial $ are being paid to the ISP to prevent DoS

So first off you might consider where the 'null route' is applied, in
which cases it's used vs other sorts of techniques. There are many,
many cases everyday of things that get null routed due to them being a
destination of a DoS/DDoS attack. In those cases almost always it's a
completely useless thing that the end user doesn't even care about, so
just stopping the flood is more important than any other solution.

The cases of larger/more-important things being attacked get handled
in other, more complex, ways. (acls, mitigation
platforms/scrubbers/etc)

> surely the ISP then becomes an extortion target as well rather than just
> the end customer site.

no, not really, sometimes the upstream devices get packet-love, but
that's not difficult to fix either... who needs their internal
infrastructure reachable by the external world?

See work on infrastructure acls by: james gill @vzb + darrel lewis @
cisco + paul quinn @ cisco + barry greene @ cisco +.... new book by
Greg Schudel @ cisco ->

<http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365>

note that I haven't looked at the book but it seems to cover some of this.

>
> In a way it's a bit similar to a protection racket in that as long as the
> ISP completes attacks rather than blocks them it is in the attackers'
> interests to leave the infrastructure alone to a large degree.
>

or it's in their interest because their monetary flow comes across
those same pipes.... so turning off the intertubes is contrary to
their goals. (see presentations by Team Cymru on this topic actually)

> Black hole routing easy & effective, source identification / traffic
> scrubbing expensive.

The distinction between blackhole-routing and scrubbing that you draw
is overly simplistic, if you are a UUNET/VerizonBusiness customer (or
sprint or ATT though I can't easily find their links...)

<http://www.verizonbusiness.com/products/security/managed/#services-dos>

yours for the low-low price of 3250/month... which is well worth it if
you have an ecommerce site of any decent revenue draw... The
folks at UUNET/VZB will even do things aside from NullRoute if you
have issues and are their customer; all you have to do is call and ask
them for assistance when problems arise. Some of that is described at:

<http://www.verizonbusiness.com/terms/us/products/internet/sla/>

(I had to google search this, vz's website isn't so helpful on finding
information....)

-Chris
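As an added illustration of the two techniques Chris contrasts above (null-routing the attacked destination versus filtering traffic aimed at the provider's own routers), here is a constructed Cisco IOS-style configuration. It is not from the thread, the book he links, or any vendor document. The addresses are RFC 5737 documentation ranges standing in for an attacked customer host (203.0.113.50), an eBGP peer (192.0.2.200), a discard next-hop (192.0.2.1) and the provider's infrastructure block (198.51.100.0/24); the AS number, tag, route-map and ACL names are likewise assumed.

```text
! --- Remotely-triggered blackhole (RTBH), i.e. "null routing the target" ---
! On every edge router: a /32 "discard" next-hop that resolves to Null0.
! (192.0.2.1 is an assumed, otherwise unused address chosen for this role.)
ip route 192.0.2.1 255.255.255.255 Null0
!
! On the trigger router only: a tagged static route for the attacked
! customer host (203.0.113.50, assumed) is redistributed into iBGP with
! the discard next-hop. Every edge router then drops traffic to the
! victim at ingress, before it crosses the backbone. This stops the
! flood, but it also finishes the attacker's job against that one host.
ip route 203.0.113.50 255.255.255.255 Null0 tag 666
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set origin igp
 set community no-export
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER
!
! --- Infrastructure ACL (iACL) ---
! The provider's own link and loopback addresses live in 198.51.100.0/24
! (assumed). Only packets addressed *to* that block are filtered; transit
! traffic to customers is left alone, so the routers themselves stop
! being reachable targets from the outside.
ip access-list extended IACL-EDGE-IN
 remark allow the eBGP session with the assumed peer 192.0.2.200
 permit tcp host 192.0.2.200 host 198.51.100.1 eq bgp
 permit tcp host 192.0.2.200 eq bgp host 198.51.100.1
 remark keep the ICMP needed for path-MTU discovery and troubleshooting
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.255 echo
 remark everything else aimed at infrastructure is dropped
 deny ip any 198.51.100.0 0.0.0.255
 remark customer/transit traffic passes (and is still subject to RTBH)
 permit ip any any
!
interface GigabitEthernet0/0
 description External peer-facing link
 ip access-group IACL-EDGE-IN in
```

Two practical caveats. The `no-export` community only reaches the other edge routers if the iBGP sessions are configured with `neighbor <address> send-community`; without it the blackhole stays local to the trigger router. And the iACL has to be applied on every external-facing interface and kept in step with the infrastructure address plan: a new loopback or link subnet outside 198.51.100.0/24 is unprotected until the `deny` line is updated, which is the usual way these filters quietly decay.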

