North American Network Operators Group
Re: DoS attacks, NSPs unresponsiveness
At 04:32 03/11/00 +0200, Ariel Biener wrote:
My experience trying to get tier1 ISPs in the USA to act on specific IP addresses that are attacking has been terrible. In general it always takes a few private emails to people one may know, who work or have worked in the tier1 ISP, to get any response. I have had one incident take 2 weeks recently and am now at day 4 of waiting for a technical reply from another Tier1. This one did not even provide an auto-reply from all their listed abuse and NOC email addresses, and only private email helped getting some sort of response.

On Thu, 2 Nov 2000, dies wrote:

Actually, I was thinking of taking a slightly different path.

1). ISPs (downstreams) responsibilities:
1a). Active and clueful NOC.
1b). Proper implementation of Internet RFCs (private networks and spoofing).
1c). Proper BGP filtering towards upstream.
1d). Running routing software adequate to today's challenges (for example, something that can deal properly with small fragments...).

2). NSPs (upstreams, tier1/2) responsibilities:
2a). Active and clueful abuse department.
2b). Monitoring tools that will allow tracking down a stream throughout their own backbone, and cooperation with their peers to get to the source. With a handful of clueful people, and a set of automatic tools, this IMHO is something at hand.
2c). Proper BGP filtering of their customers, to not allow their customers to fuck up Internet routing (Sprintlink incidents...).

The main idea is that downstreams make sure they are not very susceptible to abuse. Then, if attacked, the upstream provider should cooperate in detecting the source, by monitoring their own network and cooperating with its peers. If for any reason it takes more than X hours, the upstream provider should try to protect its customers. Usually it won't, and the attacker will be identified and shut down at its source.

There is no requirement that tier1/2 NSPs tie up their equipment into an ACL monster. What is needed is cooperation. With proper cooperation, identifying a stream's source is much easier than you may think.
Based solely on my personal experience inside many ISPs (tier1-4), I do not find things encouraging. Most ISPs lose money. When you are losing money you can't invest in a top-notch team of Internet security pros to handle the kind of problems we are all seeing. That team does not create revenue. As a matter of fact, it creates negative revenue, since the conclusion by the ISP is usually to disconnect the attacker from their service.
We can write as many RFCs and BCPs as we want and discuss this item again and again - the truth is - nothing we say or do will make a difference until the government creates regulation on the matter. The same way every phone company has to run a 911 number in event of emergencies, so too must ISPs provide an [email protected] email address that not only gives an auto-reply but actually has people behind it to handle the problem.
Do you find the above so hard to do ? All it requires is some