North American Network Operators Group


Re: DoS attacks, NSPs unresponsiveness

  • From: Hank Nussbacher
  • Date: Fri Nov 03 01:38:20 2000

At 04:32 03/11/00 +0200, Ariel Biener wrote:

On Thu, 2 Nov 2000, dies wrote:

Actually, I was thinking of taking a slightly different path.


1). ISPs (downstreams) responsibilities:

1a). Active and clueful NOC.
1b). Proper implementation of Internet RFCs (private networks and
     spoofing).
1c). Proper BGP filtering towards upstream.
1d). Running routing software adequate to today's challenges (for example,
     something that can deal properly with small fragments...).

2). NSPs (upstreams, tier1/2) responsibilities:

2a). Active and clueful abuse department.
2b). Monitoring tools that will allow tracking down a stream throughout
     their own backbone, and cooperation with their peers to get to the
     source. With a handful of clueful people, and a set of automatic
     tools, this IMHO is something at hand.
2c). Proper BGP filtering of their customers, to not allow their customers
     to fuck-up Internet routing (Sprintlink incidents...).


The main idea is that downstreams make sure they are not very susceptible
to abuse. Then, if attacked, the upstream provider should cooperate in
detecting the source, by monitoring their own network, and cooperating
with its peers. If for any reason it takes more than X hours, the
upstream provider should try to protect its customers. Usually, it won't,
and the attacker will be identified, and shut down at its source.

There is no requirement that tier1/2 NSPs tie up their equipment into an
ACL monster. What is needed is cooperation. With proper cooperation,
identifying a stream's source is much easier than you may think.

My experience trying to get tier1 ISPs in the USA to act on specific IP addresses that are attacking has been terrible. In general it always takes a few private emails to people one may know, who work or have worked in the tier1 ISP, to get any response. I have had one incident take 2 weeks recently and am now at day 4 of waiting for a technical reply from another Tier1. This one did not even provide an auto-reply from all their listed abuse and NOC email addresses, and only private email helped in getting some sort of response.

Based solely on my personal experience inside many ISPs (tier1-4), I do not find things encouraging. Most ISPs lose money. When you are losing money you can't invest in a top notch team of Internet security pros to handle the kind of problems we are all seeing. That team does not create revenue. As a matter of fact, it creates negative revenue, since the conclusion by the ISP is usually to disconnect the attacker from their service.

We can write as many RFCs and BCPs as we want and discuss this item again and again - the truth is - nothing we say or do will make a difference until the government creates regulation on the matter. The same way every phone company has to run a 911 number in event of emergencies, so too must ISPs provide an [email protected] email address that not only gives an auto-reply but actually has people behind it to handle the problem.

-Hank


Do you find the above so hard to do? All it requires is some
professional attitude, and a bit more cooperation and consideration from
NSPs and ISPs as one; what happens to someone you don't know today may
happen to you tomorrow!


Thoughts ?

--Ariel

> Well, since everyone else is stating their opinions, I'll join in
> as well. First off, I think pulling the plug is a great idea ( =] ).
> Anyways, the point comes down to this. Who should be doing the ingress
> filtering? Tier-2's, Tier-1's, the actual customer? I know this whole
> idea sounds very pretty and nice, however, when it comes down to it there
> are many real problems with this idea. One, the hardware on most ISP's
> backbones cannot realistically do ingress filtering. I'm sorry to say but
> a GSR is not able to do ingress filtering on 5 Channelized OC-12's that
> hold 400+ Customers a piece. It just does not work, I don't care what
> Cisco claims, it just does not work. What about other vendors? I have no
> experience with Bay or Lucent, however, Juniper (which I do have
> experience with) has the ability due to the hardware based filtering
> available, but that brings up a whole set of other questions. How will
> ingress filtering from an ISP level affect downstream customers that do
> asymmetrical routing? How about the management overhead that comes into
> play when you are a Tier-1 or a large Tier-2 with tens of thousands of
> customers? What it comes down to is that customers need to be doing
> egress filtering, it's the only scalable solution, however this just is
> not happening. Don't blame the ISPs only, it's their customers that are
> really the problem. Lack of security/knowledge on the customer's end
> leads to hacked boxes, which in turn lead to DoS attacks. It really comes
> down to not the responsibility of the ISP, but in fact the responsibility
> of the customers! Maybe we all should think about that before we point
> fingers.
>
>
>
> On Thu, 2 Nov 2000 [email protected] wrote:
>
> > On Thu, 02 Nov 2000 09:59:04 EST, Mark Mentovai <[email protected]> said:
> > > This can't go on forever. I'd like to spread the clue about ingress
> > > filtering, and am willing to commit time to the cause. Is anyone with me?
> >
> > The problem is that for many ISPs, I fear the only way to get them to
> > implement 2827-style filtering is for their upstreams to implement a
> > policy of fascist-mode ingress filtering - "We see a bogon packet that
> > your site should have filtered, we pull the plug on your link till you
> > fix it".
> >
> > Time alone won't be enough. Bring a baseball bat. And a spare bat.
> >
> > --
> > Valdis Kletnieks
> > Operating Systems Analyst
> > Virginia Tech
> >
> >
> >
>
>

--
Ariel Biener
e-mail: [email protected] Work phone: 03-6406086
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
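The thread keeps coming back to two controls: RFC 2827 (BCP 38) ingress filtering at the customer edge (items 1b and the ingress/egress argument in dies' post) and prefix filtering of customer BGP announcements (item 2c). The block below is an added example written for this archive page, not code from any poster or from any router vendor. It models both checks in Python so the logic can be read and run offline: a customer link is allowed to source packets only from the prefixes assigned to that customer (and never from private or otherwise unroutable space), and a customer BGP session is allowed to announce only prefixes covered by its assignment, no default route, and nothing more specific than a configured limit. The function names, the customer assignments (taken from the RFC 5737 documentation ranges) and the sample packets are all constructed for this example.

```python
"""Added example: RFC 2827 / BCP 38 style ingress filter for a customer link
and a matching customer BGP prefix filter. Not taken from the NANOG thread;
all prefixes, packets and announcements below are constructed sample data."""
import ipaddress
from typing import Iterable, List, Tuple

# Space that must never appear as a packet source on a customer link:
# RFC 1918 private space, loopback, link-local, 0/8, multicast, class E.
NEVER_SOURCE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed customer assignment (RFC 5737 documentation ranges, not a real ISP).
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed (source, destination) pairs seen arriving on the customer link.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),      # genuine customer source
    ("198.51.100.77", "203.0.113.5"),   # genuine, inside the /25
    ("198.51.100.200", "203.0.113.5"),  # neighbour's half of the /24: spoofed
    ("10.1.2.3", "203.0.113.5"),        # RFC 1918 source: never valid
    ("203.0.113.9", "203.0.113.5"),     # some unrelated network: spoofed
    ("not-an-address", "203.0.113.5"),  # malformed: dropped, not crashed on
]


def build_ingress_filter(assigned: Iterable[str]):
    """Return a permit(src) predicate implementing RFC 2827: the source must lie
    inside one of the customer's assigned prefixes and inside none of the
    never-source ranges. Anything unparsable is dropped."""
    allowed = [ipaddress.ip_network(p) for p in assigned]

    def permit(src: str) -> bool:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False
        if any(addr in bad for bad in NEVER_SOURCE):
            return False
        return any(addr in net for net in allowed)

    return permit


def filter_packets(assigned: Iterable[str], packets) -> Tuple[List, List]:
    """Split (src, dst) pairs into (permitted, dropped) using the ingress filter."""
    permit = build_ingress_filter(assigned)
    permitted, dropped = [], []
    for src, dst in packets:
        (permitted if permit(src) else dropped).append((src, dst))
    return permitted, dropped


def bgp_accept(assigned: Iterable[str], announced: str, max_len: int = 24) -> bool:
    """Customer-facing BGP prefix filter (item 2c): accept an announcement only if
    it is covered by one of the customer's assigned blocks, is not a default
    route, and is no more specific than max_len (or than the assignment itself,
    when the assignment is already longer than max_len)."""
    try:
        net = ipaddress.ip_network(announced, strict=False)
    except ValueError:
        return False
    if net.prefixlen == 0:
        return False  # never accept 0.0.0.0/0 from a customer
    for block in (ipaddress.ip_network(p) for p in assigned):
        if net.subnet_of(block) and net.prefixlen <= max(max_len, block.prefixlen):
            return True
    return False


if __name__ == "__main__":
    ok, bad = filter_packets(CUSTOMER_PREFIXES, SAMPLE_PACKETS)
    print("permitted:", ok)
    print("dropped:  ", bad)
    for ann in ("192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/25",
                "198.51.100.0/26", "203.0.113.0/24", "0.0.0.0/0"):
        print(f"announcement {ann:16} -> {'accept' if bgp_accept(CUSTOMER_PREFIXES, ann) else 'reject'}")
```

The per-packet check is exactly what an edge ACL or unicast RPF does in hardware; the point of spelling it out is that the only state it needs is the customer's own assignment, which is why it belongs at the customer edge rather than deep in a backbone router. The BGP filter uses the same assignment list, so the routing and forwarding policy for a customer stay consistent.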