North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re:DoS attacks, NSPs unresponsiveness

  • From: rkuhljr
  • Date: Thu Nov 02 00:21:21 2000

>   Irc tends to be a volatile medium, like interpersonal relationships in
>real life. Thus, many times arguements turn into heated disputes, and
>sometimes, some people pick up arms, and attack. The attacks usually take
>out whole ISPs for hours, or days.

Networks with no IRC server running are also targeted by DoS; personal experience on this one.

>   The problem is that when trying to get help from the upstream provider
>(UUnet in this example), you either receive a negative answer, or you're just ignored completely. 

We've had the same (lack of) responses from UUnet...

>   Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed
>sources) are just a number of these weapons. The problem with alot of
>networking entities, be it ISPs, enterprises, and such, is that they allow
>spoofed packets to leave their network (i.e. do not check if the packets
>originate from within their netblocks before letting them leave their

Backbones should enforce RFC 2827 filtering on all static-routes customers; I think most do, but many networks with large amounts of computer power and router capacity are multi-homed, preventing their upstreams of filtering them. 

>   The question is, how can we defend ourselves, and why do the large NSPs
>turn a blind eye, and act as if it's not their concern ?

A combination of access-list/rate-limit/tcp-intercept on routers and proper TCP/IP stack configuration on servers may put you back online while they track the attack sources and shut them down.

>   Is there a chance that by helping one another, and by implementing
>Internet RFCs corrctly (rfc 1918 for example), we can contribute to the
>elimination of this kind of electronic terrorism ?

Or change some RFC defaults. Changing directed broadcast default from on to off helped to decrease smurf attacks, making reverse-path-checking the default might be a good move.

>   Any chance a UUnet person might answer ?

Unlikely... but it's curious that the most interesting ideia I've ever saw about DoS tracking was presented at NANOG by an UUnet person. It seems that plan didn't make into deployment, or it is used for premium-class customers that don't include my upstream (also a Worldcom company...).

Rubens Kuhl Jr.