North American Network Operators Group
Re: WANTED: ISPs with DDoS defense solutions
On Wed, Jul 30, 2003 at 02:43:16PM -0400, Mike Tancsa wrote:
>
> At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote:
>
> > If someone abuses the PSTN, or other networks they eventually
> > will get their service terminated. If people abuse their access by
> > launching DoS attacks, we need to catch them and get their access
>
> Gee, wouldn't that be nice. Having personally dealt with one that had ~ 500
> hosts involved on several dozen networks, I can confirm that of all the
> repeated pleas for help to said networks to track down the controlling
> party, I had a grand total of ONE (yes, 1 as in one above zero) who
> actually responded with a response beyond the auto-responders.... And that
> was to let me know that the user in question had already formatted their
> hard drive before the admin could see what was on the machine and who might
> have been controlling the machine.
>
> It took several _weeks_ for all the attacking hosts to be killed off with
> several reminder messages to various networks. So I don't hold much
> optimism for actually tracking down the actual attacker.

While I can have sympathy for this situation, you removed my argument
about the "DoS and forget".

Let's say I am running www.example.com. I have it load-shared across a
series of 5-10 machines, and they all get DoS attacked via some worm, etc..
(ala the www1.whitehouse.gov) with a large set of traffic. I can't just
deem that IP unusable on my ARIN justification and have my providers absorb
the cost of the traffic at zero cost to me or them. (well, unless they're
getting the traffic on a customer link and want to continue billing at that
bandwidth overage rate ;-) )

The router ports my upstream has invested (for peering) and circuits for
their network have a cost. If an attack lasts 10 minutes, yes, the
blackhole is easy to move, but what if it is coded to follow dns entries,
honor ttl, and continue to pound on devices.

You can't just submit a route/form/whatnot to your provider and have them
leave in a null0/discard route indefinitely.

I'm sorry you had poor luck tracking them down, but without the providers
putting the access controls necessary to prevent the route-leak
misconfiguration, I don't want to think about the instability you (or
others) are speaking of introducing if there is the ability to distribute
a null0 route to your upstream and accidentally leak it.

(sorry LINX members but ..) You should see the number of people who post
to the LINX ops list a month saying "whoops, we leaked routes, can you
clear your max prefix counters?"

Imagine someone accidentally leaking your routes to their upstream and
tagging them with the community due to misconfiguration.

	- Jared

> > terminated. It's a bit harder to trace than PSTN (or other networks)
> > but I feel of value to do so.
> >
> > - Jared
> >
> > --
> > Jared Mauch | pgp key available via finger from [email protected]
> > clue++; | http://puck.nether.net/~jared/ My statements are only mine.

--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
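As an added illustration (not part of the thread, and not any provider's actual policy), one shape the provider-side access control Jared asks for can take: a Cisco IOS-style inbound policy that honours a customer's blackhole community only for /32s inside that customer's own assigned space, strips the community from everything else, and marks accepted blackholes no-export so they cannot leak onward. The ASNs, prefixes, neighbor address and community value are placeholders.

```text
! Provider edge, inbound policy for one customer session (placeholder values).
! Customer's assigned block; blackholes are accepted only as host routes within it.
ip prefix-list CUST-A-PREFIXES  seq 5 permit 203.0.113.0/24
ip prefix-list CUST-A-BLACKHOLE seq 5 permit 203.0.113.0/24 ge 32
!
! Community the customer tags a blackhole announcement with (placeholder ASN 64496).
ip community-list standard CUST-A-RTBH permit 64496:666
!
! Discard next-hop, present on every router in the provider network.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map CUST-A-IN permit 10
 description blackhole only for /32s inside this customer's own space
 match ip address prefix-list CUST-A-BLACKHOLE
 match community CUST-A-RTBH
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
!
route-map CUST-A-IN permit 20
 description normal customer routes; any stray blackhole tag is removed
 match ip address prefix-list CUST-A-PREFIXES
 set comm-list CUST-A-RTBH delete
!
! Anything else, including someone else's prefixes leaked with the tag, is dropped.
route-map CUST-A-IN deny 30
!
router bgp 64500
 neighbor 198.51.100.2 remote-as 64496
 neighbor 198.51.100.2 route-map CUST-A-IN in
 neighbor 198.51.100.2 maximum-prefix 50
```

The deny at the end is what stops the "accidentally leaked your routes and tagged them with the community" case: a leaker's session only ever matches the leaker's own prefix-list, and the maximum-prefix limit caps the damage a wider leak can do before the session drops.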