North American Network Operators Group


Re: DDOS attacks lately?

  • From: John Fraizer
  • Date: Sun Aug 20 12:54:34 2000

On Sun, 20 Aug 2000, Mikael Abrahamsson wrote:

> On Sun, 20 Aug 2000, Shawn McMahon wrote:
> > Our focus should instead be on figuring out ways to make the user of the
> > tool accountable, and implementing appropriate punishment for misuse.
> In my world this is included in "taking their tool away", which also
> include making an effort to discover when their tools are used somewhere
> (the source) and make an effort to trace it all back to whoever is
> controlling the tools and nail this person to the wall.

Person?  Are you referring to the individual who wrote the original snippet
of code?  That sucks for Robbie Pointer.  I've seen eggdrop code in 80%
of the DoS-script source we've captured.  Use of the DoS is the problem.

> > Sometimes the tool is "ping".  Do you really want to eliminate it?
> Of course not. But the question is if 10mbit of echo requests can be
> described as "ping".

Last time I checked that exceeded the thresholds set up on every router I
know of run by "responsible" network operators.  

> A start would be to make it criminal negligence worldwide to operate a
> network that can be abused even after several notices about this fact. If

And who enforces this?  Hell, we can't manage to effectively punish Saddam
Insane and the last time I checked, he did a bit more than pingflood an
IRC server.

> you are a smurf amplifier and have been for quite some time after several
> notices, you should be punished. If you have rooted machines on your
> network that are used for DDOS attacks and you do nothing about it, you
> should too be nailed to the wall.

How about this:

You're a smurf amplifier, your provider unplugs you until you fix it.  
You're a provider?  Your peering sessions go into administrative shutdown
until you fix it.

Same goes for rooted machines.

> Most of what is done is mostly temporary patches (access lists when an
> attack is under way) which never solves the problem, just the immediate
> issue.

Just like the "lists" used in the email end of things, if we make it
"painful" for the networks who are facilitating the lil',
they'll listen, eventually.  When they lose complete network connectivity,
I believe it will get their attention much quicker than not being able to
send email to ISP X.

John Fraizer
EnterZone, Inc
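The two abuse patterns argued over above, an echo-request stream that is no
longer "ping" once it reaches a threshold like 10 Mbit/s, and a network that
answers a directed-broadcast echo request and so acts as a smurf amplifier,
can both be picked out of flow records. The detector below is an added
example written for this archive page; it is not code from the thread or
from either poster. The record format, the 10 Mbit/s threshold, the
192.0.2.0/24 candidate network and all addresses are assumptions constructed
for the example.

```python
"""Flag ICMP echo-request floods and smurf amplifier networks in flow records.

Added example, not part of the NANOG post. Record format (one flow per line:
"ts src dst proto icmp_type bytes"), thresholds and addresses are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "icmp", "udp", "tcp"
    icmp_type: int   # 8 = echo request, 0 = echo reply, -1 = not ICMP
    nbytes: int      # bytes aggregated into this flow record

# Constructed sample: a normal ping exchange at t=100, a three-source echo
# flood at t=200 (3 x 500 kB in one second = 12 Mbit/s), and at t=300 a probe
# sent to the 192.0.2.0/24 broadcast address with the victim 10.0.0.5 as the
# spoofed source, followed by replies from four hosts in that network.
SAMPLE_FLOWS = """\
100.0 198.51.100.7 10.0.0.5 icmp 8 84
100.3 10.0.0.5 198.51.100.7 icmp 0 84
200.0 203.0.113.10 10.0.0.5 icmp 8 500000
200.1 203.0.113.11 10.0.0.5 icmp 8 500000
200.4 203.0.113.12 10.0.0.5 icmp 8 500000
300.0 10.0.0.5 192.0.2.255 icmp 8 1000
300.1 192.0.2.10 10.0.0.5 icmp 0 1000
300.1 192.0.2.11 10.0.0.5 icmp 0 1000
300.2 192.0.2.12 10.0.0.5 icmp 0 1000
300.2 192.0.2.13 10.0.0.5 icmp 0 1000
"""

# Assumed list of networks to check for amplification behaviour.
AMPLIFIER_CANDIDATES = [ip_network("192.0.2.0/24")]

def parse_flows(text):
    """Parse the whitespace-separated record format defined above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, itype, nbytes = line.split()
        flows.append(Flow(float(ts), src, dst, proto, int(itype), int(nbytes)))
    return flows

def echo_request_rates(flows):
    """Peak ICMP echo-request rate (bits/s) seen toward each destination,
    measured per whole second."""
    bytes_per_sec = defaultdict(int)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 8:
            bytes_per_sec[(f.dst, int(f.ts))] += f.nbytes
    peak = defaultdict(int)
    for (dst, _sec), nbytes in bytes_per_sec.items():
        peak[dst] = max(peak[dst], nbytes * 8)
    return dict(peak)

def find_floods(flows, threshold_bps=10_000_000):
    """Destinations whose peak echo-request rate exceeds the threshold."""
    return {dst: bps for dst, bps in echo_request_rates(flows).items()
            if bps > threshold_bps}

def find_smurf_amplifiers(flows, networks=AMPLIFIER_CANDIDATES,
                          min_hosts=3, window=2.0):
    """Networks that answer an echo request sent to their broadcast address.

    For each probe to a network's broadcast address, count distinct hosts in
    that network that send echo replies to the probe's source (the spoofed
    victim) within `window` seconds. Returns {network: (victim, host_count)}.
    """
    hits = {}
    for net in networks:
        bcast = str(net.broadcast_address)
        for p in flows:
            if not (p.proto == "icmp" and p.icmp_type == 8 and p.dst == bcast):
                continue
            responders = {f.src for f in flows
                          if f.proto == "icmp" and f.icmp_type == 0
                          and f.dst == p.src
                          and ip_address(f.src) in net
                          and p.ts <= f.ts <= p.ts + window}
            if len(responders) >= min_hosts:
                hits[str(net)] = (p.src, len(responders))
    return hits

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("floods:", find_floods(flows))
    print("amplifiers:", find_smurf_amplifiers(flows))
```

The flood check deliberately keys on the destination rather than the source:
in a distributed attack no single source need exceed the threshold, so a
per-source rate limit, which is what the "thresholds on every router" remark
describes, misses it. The amplifier check ties replies back to a specific
broadcast probe and to the spoofed victim, so a busy network that merely
answers many legitimate pings is not flagged.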