|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: DoS attacks, NSPs unresponsiveness
On Thu, 2 Nov 2000, Ariel Biener wrote: > As most of you know, some ISPs run irc servers, and provide an IRC > service to the community. The service is free, and maintenance and cost of > networking/hardware/human hours is on the ISPs expense. This begs to question: Why do they still do it? (Put the targets....er IRC servers on their networks?) > sometimes, some people pick up arms, and attack. The attacks usually take > out whole ISPs for hours, or days. Why do people set their network up as a target? I just don't understand. > The problem is that when trying to get help from the upstream provider > (UUnet in this example), you either receive a negative answer, or you're > just ignored completely. Thus, by terrorism, people get what they want, > and hold you at a threat of force, without any ability to defend yourself. While I agree that it is unprofessional for your contact at a provider to ignore or be disrespectful of you regarding a DoS against an IRC server, it is just a fact of life that attacks against commercial entities will be treated with much higher priority than attacks against a non-revenue producing "service." Quite frankly, the pizza man comes in WAY above an IRC server in my book. > Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed > sources) are just a number of these weapons. The problem with alot of > networking entities, be it ISPs, enterprises, and such, is that they allow > spoofed packets to leave their network (i.e. do not check if the packets > originate from within their netblocks before letting them leave their > routers). Filtering scales best to ingress vs egress. I agree that filtering should be in place. "Sanity checking" traffic from your downstream customers is a lot smarter than simply hoping they're cluefull enough to block bogons leaving their network though. > The question is, how can we defend ourselves, and why do the large NSPs > turn a blind eye, and act as if it's not their concern ? Quite frankly, unless the source of the attack lives on their network, they bear no responsibility, period, the end. They're providing transit. It's 1's and 0's with no discrimination. > > Is there a chance that by helping one another, and by implementing > Internet RFCs corrctly (rfc 1918 for example), we can contribute to the > elimination of this kind of electronic terrorism ? RFC1918 specifically addresses filtering routing information. Not spoofed addresses. It states "routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links." Notice the placement of "shall" and "should." I'm not saying that you don't have a valid point. Just that the RFC doesn't specifically prohibit forwarding the packets. Only routing information about RFC1918 address space. Now, in specific response to your question about eliminating electronic terrorism, it is doubtful. Doubtful that you'll ever: #1 spread enough clue around. #2 get everyone to cooperate. --- John Fraizer EnterZone, Inc
|