North American Network Operators Group

Re: WANTED: ISPs with DDoS defense solutions

  • From: Mike Tancsa
  • Date: Wed Jul 30 15:54:29 2003

At 03:19 PM 30/07/2003 -0400, Jared Mauch wrote:
> On Wed, Jul 30, 2003 at 02:43:16PM -0400, Mike Tancsa wrote:
> >
> > At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote:
> >
> > > If someone abuses the PSTN, or other networks they eventually
> > > will get their service terminated. If people abuse their access by
> > > launching DoS attacks, we need to catch them and get their access
> >
> > Gee, wouldn't that be nice. Having personally dealt with one that had ~ 500
> > hosts involved on several dozen networks, I can confirm that of all the
> > repeated pleas for help to said networks to track down the controlling
> > party, I had a grand total of ONE (yes, 1 as in one above zero) who
> > actually responded with a response beyond the auto-responders.... And that
> > was to let me know that the user in question had already formatted their
> > hard drive before the admin could see what was on the machine and who might
> > have been controlling the machine.
> >
> > It took several _weeks_ for all the attacking hosts to be killed off with
> > several reminder messages to various networks. So I don't hold much
> > optimism for actually tracking down the actual attacker.
>
> While I can have sympathy for this situation, you removed my
> argument about the "DoS and forget".

I understand the point you are making, but I am speaking just to the side comment you made, "we need to catch them and get their access." I totally agree with you. But based on my recent experiences with organizational responses, it seems NO ONE agrees with it in practice.

It seems all the discussion around DDoSes centers on ways of coping with DDoSes, or mitigating the effects and not making 'the solutions worse than the problem.' However, there does not seem to be enough discussion and effort into catching and prosecuting the people doing it. I would be at least happy with the "catching part." I recall one of our users was involved in a DoS once a few years back when the "giant pings" could crash MS boxes. The fact that his perceived anonymity was removed was enough to keep him from repeating his attacks....

---Mike