Re: DoS attacks, NSPs unresponsiveness

  • From: Sven Nielsen
  • Date: Fri Nov 03 02:52:01 2000

On Wed, Nov 01, 2000 at 11:39:45PM -0500, John Fraizer put this into my mailbox:
> This begs to question:  Why do they still do it? (Put the
> IRC servers on their networks?)


> Why do people set their network up as a target?  I just don't understand.


Any high-profile site is a target. How about you ask that same question
of Yahoo, eBay, CNN, or any of the other sites that were massively attacked
early this year? How about Slashdot, which seems to get attacked regularly?
Maybe they'll realize that they're setting themselves up as targets
by being so popular and will shut down simply to protect the networks that
host them.

> While I agree that it is unprofessional for your contact at a provider to
> ignore or be disrespectful of you regarding a DoS against an IRC server,
> it is just a fact of life that attacks against commercial entities will be
> treated with much higher priority than attacks against a non-revenue
> producing "service."  Quite frankly, the pizza man comes in WAY above an
> IRC server in my book.

Something I've found in my time doing security work is that IRC
provides an extremely useful 'early warning system'. What attacks and
exploits get tried against IRC networks/servers today are the ones that
are used against the internet at large tomorrow.

This maxim seems to have been coming true with DoS attacks in general
now. Apparently these sorts of tools are being used between Israeli and
Palestinian web sites, and have been in use against web sites of
and in various Eastern European countries, not to mention the various
attacks discussed above. In my time working at a particular ISP, I helped
deal with several attacks against customers that simply hosted web sites.
Last I checked none of these folks had anything at all to do with IRC.

I would strongly recommend that instead of berating people for
'setting themselves up as targets' you concentrate your efforts on
curing the disease -- not the symptom. If for whatever reason some script
kiddie decides to attack someone on your network, you won't be able to
say "But I'm not running an IRC server!" and expect the attack to go
away. You'll have to deal with it, the same way us folks who participate
in the 'early warning system' have had to for quite some time now.

(Yes, DALnet still mails administrators of open broadcast networks; yes,
we still mail admins of hacked boxes; yes, we still try and do whatever
we can to help secure the internet. It would be nice if we had help instead
of people who think we deserve it for running 'targets', who sit back while
we do their work for them.)


