North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: WANTED: ISPs with DDoS defense solutions

  • From: Jared Mauch
  • Date: Wed Jul 30 15:21:20 2003

On Wed, Jul 30, 2003 at 02:43:16PM -0400, Mike Tancsa wrote:
> At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote:
> >        If someone abuses the PSTN, or other networks they eventually
> >will get their service terminated.  If people abuse their access by
> >launching DoS attacks, we need to catch them and get their access
> Gee, wouldnt that be nice.  Having personally dealt with one that had ~ 500 
> hosts involved on several dozen networks, I can confirm that of all the 
> repeated pleas for help to said networks to track down the controlling 
> party, I had a grand total of ONE (yes, 1 as in one above zero) who 
> actually responded with a response beyond the auto-responders.... And that 
> was to let me know that the user in question had already formatted their 
> hard drive before the admin could see what was on the machine and who might 
> have been controlling the machine.
> It took several _weeks_ for all the attacking hosts to be killed off with 
> several reminder messages to various networks.  So I dont hold much 
> optimism for actually tracking down the actual attacker.

	While I can have sympathy for this situation, you removed my
argument about the "DoS and forget".

	Lets say I am running

	I have it load-shared across a series of 5-10 machines, and
they all get DoS attacked via some worm, etc.. (ala the
with a large set of traffic.

	I can't just deem that IP unusable on my ARIN justification and
have my providers absorb the cost of the traffic at zero cost to me or
them.  (well, unless they're getting the traffic on a customer link
and want to continue billing at that bandwidth overage rate ;-) )

	The router ports my upstream has invested (for peering) and 
circuits for their network have a cost.

	If an attack lasts 10 minutes, yes, the blackhole is easy
to move, but what if it is coded to follow dns entries, honor ttl,
and continue to pound on devices.

	You can't just submit a route/form/whatnot to your provider
and have them leave in a null0/discard route indenfiately.

	I'm sorry you had poor luck tracking them down, but without
the providers putting the access controls necessary to prevent the
route-leak misconfiguration, I don't want to think about the instability
you (or others) are speaking of introducing if there is the ability
to distribute a null0 route to your upstream and accidentally leak

	(sorry LINX members but ..)

	You should see the number of people who post to the LINX ops
list a month saying "whoops, we leaked routes, can you clear your
max prefix counters?"

	Imagine someone accidentally leaking your routes to their
upstream and tagging them with the community due to misconfiguration.

	- Jared
> >terminated.  It's a bit harder to trace than PSTN (or other netowrks)
> >but I feel of value to do so.
> >
> >        - Jared
> >
> >--
> >Jared Mauch  | pgp key available via finger from [email protected]
> >clue++;      |  My statements are only mine.

Jared Mauch  | pgp key available via finger from [email protected]
clue++;      |  My statements are only mine.