Are we really this helpless? (Re: isprime DOS in progress)
jbates at brightok.net
Sat Jan 24 05:34:36 UTC 2009
David Conrad wrote:
> Sad fact is that there are zillions of excuses. Unfortunately I suspect
> the only way we're going to make any progress on this will be for laws
> to be passed (or lawsuits to be filed) that impose a financial penalty
> on ISPs through which these attacks propagate.
Careful what you ask for. You might get it, and I'm sure the outcome
wouldn't be liked by any. Forgery is bad, but I've seen plenty of DDoS
without forgery that can do serious damage. Forgery just makes analysis
and back tracking harder. Getting sued because you had some stealth
botnet that suddenly fires up is not a good deal; and probably why ISP's
still manage to hold onto some immunities. OT, though, I'm sure.
The last DoS with forgery that I asked a provider to backtrack, in the
small hopes that it was a concentrated attack with forgery and not a
forging botnet, was met with "flows? tracking? We can't see anything.
We'll happily remove the block so you can see if it's still going on if
Now I have fun trying to explain towards upstream management why a good
security team and policy is important in anyone we purchase transit
from. I think they understand it about as much as the transit providers did.
Even when tracked, it is rare that you can get enough interest, time or
technical ability to backtrack to a controller. Gaining access to the
infected machine and grabbing the bot code is even more rare. That being
said, a lot of botnets are already monitored and watched. Unfortunately,
there are legal issues when they cross international boundaries; just as
there are with child exploitation sites which are hosted in places that
are more accepting/tolerant of such things.
More information about the NANOG