Are we really this helpless? (Re: isprime DOS in progress)
Jack Bates
jbates at brightok.net
Sat Jan 24 05:34:36 UTC 2009
David Conrad wrote:
> Sad fact is that there are zillions of excuses. Unfortunately I suspect
> the only way we're going to make any progress on this will be for laws
> to be passed (or lawsuits to be filed) that impose a financial penalty
> on ISPs through which these attacks propagate.
Careful what you ask for. You might get it, and I'm sure the outcome
wouldn't be liked by any. Forgery is bad, but I've seen plenty of DDoS
without forgery that can do serious damage. Forgery just makes analysis
and backtracking harder. Getting sued because you had some stealth
botnet that suddenly fires up is not a good deal, and probably why ISPs
still manage to hold onto some immunities. OT, though, I'm sure.
The last DoS with forgery that I asked a provider to backtrack, in the
small hopes that it was a concentrated attack with forgery and not a
forging botnet, was met with "flows? tracking? We can't see anything.
We'll happily remove the block so you can see if it's still going on if
you want."
Now I have fun trying to explain to upstream management why a good
security team and policy is important in anyone we purchase transit
from. I think they understand it about as much as the transit providers did.
Even when tracked, it is rare that you can get enough interest, time or
technical ability to backtrack to a controller. Gaining access to the
infected machine and grabbing the bot code is even more rare. That being
said, a lot of botnets are already monitored and watched. Unfortunately,
there are legal issues when they cross international boundaries; just as
there are with child exploitation sites which are hosted in places that
are more accepting/tolerant of such things.
Jack