North American Network Operators Group


Re: DoS attacks, NSPs unresponsiveness

  • From: Jeff Workman
  • Date: Sat Nov 04 06:07:44 2000

Greetings.


Stoned koala bears drooled eucalyptus spit in awe as Sven Nielsen exclaimed:

> 
> On Wed, Nov 01, 2000 at 11:39:45PM -0500, John Fraizer put this into my mailbox:
> > This begs to question:  Why do they still do it? (Put the targets....er
> > IRC servers on their networks?)

Internet chat in its various forms is what brings a lot of people to the
net to begin with, and for most of these applications to work, *somebody*
has to run a server, right?  This ain't U*IX talk(1).  For a lot of ISPs,
IRC is another means of getting the exposure and "brand recognition" that
brings both residential and commercial customers to them.

It is extremely narrow-minded to only look at internet services that
directly make you money.  So you're a web hosting provider?  Then screw
all the dialup (l)users, right? I don't make money directly off them.  It
doesn't matter that the majority of the people that hit my web farm are on
dialup lines, I don't ever see any of the money that they pay their
providers, so screw them, screw them all, right?  Is this the way we
should look at things?

> Any high-profile site is a target. How about you ask that same question
> of Yahoo, eBay, CNN, or any of the other sites that were massively attacked
> early this year? How about Slashdot, which seems to get attacked regularly?
> Maybe they'll realize that they're setting themselves up as targets
> by being so popular and will shut down simply to protect the networks that
> host them.

Yes.  While we are shutting down all these evil, bandwidth-eating IRC
servers, let's shut down all of these 5kr1p+-k1dd13-attracting web sites
as well.  Let's make the internet a hell of a lot less useful to millions
of people.  Let's see if we still have jobs tomorrow when this happens.
 
> > While I agree that it is unprofessional for your contact at a provider to
> > ignore or be disrespectful of you regarding a DoS against an IRC server,
> > it is just a fact of life that attacks against commercial entities will be
> > treated with much higher priority than attacks against a non-revenue
> > producing "service."  Quite frankly, the pizza man comes in WAY above an
> > IRC server in my book.

Mr. Fraizer, how do you react when some dialup customer on one of your
networks pisses off some script kiddie on IRC and they start sending
100Mbit of garbage at/through you?  Do you tell the customer "Well, don't
use IRC then?"  I do network security for a very large Tier 1 provider and
I get calls all the time from customers who are under attack for whatever
reason.  Lately, the popular way to do it seems to be to send tons of ICMP
garbage to the IP of the terminal server that the victim is behind.  I can
just see it now:

Customer:  My circuit is being saturated by tons of ICMP garbage. Can you
           please do something to stop it before it gets to my pipe? I
           don't know what they did, but apparently one of my dialup users
           has pissed somebody off, for these attacks are aimed at my
           modem pool.

Me:        Nope, can't help you, sorry.

Customer:  Excuse me?

Me:        It's your own fault that you're getting attacked because
           your customers use IRC.  Now sit back and take your
           spanking.  If you wish, I can have a sales representative
           contact you tomorrow if you feel you need more bandwidth.

Customer:  You've got to be kidding!

Me:        Nope, thank you, drive through. *click*

See me sitting in the unemployment office the next day.

> Something I've found in my time doing security work is that IRC
> provides an extremely useful 'early warning system'. What attacks and
> exploits get tried against IRC networks/servers today are the ones that
> are used against the internet at large tomorrow.

Yeah, you'd think that people would learn wouldn't you? But no, they don't
attempt to fix something until it is directly affecting them.  Of course,
I was already aware of the Trinoo/etc attacks before CNN/etc got hit,
thanks to BugTraq and IRC, and had already gotten the tools necessary to
monitor my (then relatively small) network to ensure that such attacks 
didn't originate from me.  If the rest of the internet had taken such
measures, then the damage wouldn't have been anywhere near as bad as what
it was.
 
> I would strongly recommend that instead of berating people for
> 'setting themselves up as targets' you concentrate your efforts on
> curing the disease -- not the symptom. If for whatever reason some script
> kiddie decides to attack someone on your network, you won't be able to
> say "But I'm not running an IRC server!" and expect the attack to go
> away. You'll have to deal with it, the same way us folks who participate
> in the 'early warning system' have had to for quite some time now.

Well Sven, I think the days of the internet being self-policing are long
gone.  Remember back when if you sent out a complaint about somebody
probing your machine, you actually got a human reply?  Not anymore.  I
send out lots of these every month and most of the time, I don't even get
an autoreply, much less a human response.  Attempting to contact somebody
via telephone usually proves to be an exercise in futility as well.
 
Somebody mentioned in this thread that the Government needed to get
involved to regulate the industry.  Is this really what you
want?  Personally, I prefer it if the (US) government kept its hands out
of my business as much as possible.  I feel that if/when the government
*does* step in, we will all find the internet to be a much less useful
(and therefore less profitable) place to be. Not to mention the difficulty
the government would have enforcing such laws on an international medium.

Ingress-egress filtering would be a major step forward, but also,
cooperation between providers so we can nip the problem "in the
bud."  After all, the less malicious (l)users we have on the net, the less
likely we will have malicious packets crossing our routers that we must
filter. If I send an email saying "somebody from $ip_address at $time,
$timezone was doing $malicious_activity" and in fact $ip_address is under
your control or under your customers' control, I expect you to do something
about it, and I expect you to inform me of what you have done.  Unless a
court order is involved, I don't expect to ever learn the identity of the
problem user, just that he/she has been dealt with appropriately.  Do I
get this?  Nowhere near as often as I should.  Why not?  It's simple, more
likely than not, the ISP in question is not making any money from me, and
therefore feels as though they need not listen to me or deal with my
complaint.  But, on the same note, I guarantee that if somebody from *my*
network does the same exact thing to *his* machine or *his* customer, I
would be hearing about it.

I am thinking about putting up a "Wall of Shame" that lists those ISPs
(especially large ones) who ignore abuse complaints that come from my
company.  I may even start posting this to NANOG just so we know who's
lame and who isn't.

		Jeff 

-- 
"For competitive reasons we can't tell you the location of our fiber."
	-- An anonymous representative of a very large telco
"For competitive reasons we can't tell you the location of our backhoe."
	-- An anonymous representative of a contractor.
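The ingress/egress filtering the post calls for, shown as an added example (not code from the original message or from NANOG): a customer-facing ingress rule that accepts only the source prefixes assigned to a port, and a border egress rule that forwards only prefixes the provider originates, applied to constructed flow records. The port names, prefixes (documentation ranges) and flows are all hypothetical values.

```python
import ipaddress
from collections import Counter

# Constructed example data: hypothetical customer ports and documentation prefixes.
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("192.0.2.0/24")],
    "port-2": [ipaddress.ip_network("198.51.100.0/25")],
}
# Everything this (hypothetical) provider originates, customer space included.
PROVIDER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]


def passes_ingress(port, src):
    """Customer-facing ingress rule: accept only sources assigned to that port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


def passes_egress(src):
    """Border egress rule: forward only sources this provider originates."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROVIDER_PREFIXES)


def filter_flows(flows):
    """Apply both rules to (port, src, dst, proto, packets) records.
    Returns the forwarded flows and a per-port count of dropped spoofed packets."""
    forwarded, dropped = [], Counter()
    for port, src, dst, proto, pkts in flows:
        if passes_ingress(port, src) and passes_egress(src):
            forwarded.append((port, src, dst, proto, pkts))
        else:
            dropped[port] += pkts
    return forwarded, dropped


# Constructed flows: port-2 emits ICMP with forged sources, one from outside the
# provider entirely and one from a neighbouring customer's range. Only the
# per-port ingress rule catches the second; a border-only egress rule would not.
SAMPLE_FLOWS = [
    ("port-1", "192.0.2.10", "203.0.113.5", "tcp", 12),
    ("port-2", "198.51.100.7", "203.0.113.5", "udp", 4),
    ("port-2", "203.0.113.99", "198.51.100.250", "icmp", 5000),
    ("port-2", "198.51.100.200", "203.0.113.5", "icmp", 800),
]

if __name__ == "__main__":
    fwd, drop = filter_flows(SAMPLE_FLOWS)
    for flow in fwd:
        print("forward", flow)
    for port, n in drop.items():
        print(f"dropped {n} spoofed packets on {port}")
```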