Firewall Wizards mailing list archives

Re: Recent Attacks


From: "Barrett G. Lyon" <blyon () theshell com>
Date: Wed, 16 Feb 2000 15:42:18 -0800 (PST)

On Tue, 15 Feb 2000, Marcus J. Ranum wrote:

> Ryan Russell wrote:
> > I expect to see ransom demands (either the real attackers or just
> > opportunists) become announced to the press any time now.
>
> That'd be interesting because it'd clear up the issue of motivation!!
>
> I've always been bemused by the whole denial of service thing. It
> seems so pointless. It's just vandalism; not even as cool as virus
> writing, and virus writing is very uncool.
>
> If I was Bezos, I'd offer some amazon.com options for whoever
> turned in the culprit and sufficient evidence. Then I'd litigate
> the culprit back to the stone age, including his friends, parents,
> business associates, school, etc. - anyone involved. Crush 'em
> real hard, real mean, and real openly.


I have kept my mouth shut about most of this yet now I feel like I have
something to say.  I do not think there should be any concern about the
motives that drive these attacks; to me that point is rather
obvious: their motives are to take their target offline and I don't think
it is worth anyone's time to put anything more than that on the
table.  The media and buzzword-driven hype have turned a DoS attack into a
hard-to-see uncontrollable mystical force and in reality DoS attacks are
anything but.  I feel the dent caused by many of these attacks could
certainly be reduced with proper policy and I honestly do not think that
the sites under attack understand the dynamics involved in reducing the
damage of a DoS (distributed or not).

I have been operating a shell service for many years and over time I must
have been hit with nearly every type of attack out there.  I have
developed a personal method of handling large attacks and I usually don't
talk about it yet it does prove a point:

I first identify what type of attack is coming in and what the targets of
the attack are (host/service/user/..etc..).  I then immediately drop and
log all packets from the attacking network(s) (to reduce load on attacked
machines if it is a SYN attack, etc).  [ granted it is not possible with
some sorts of attacks to drop and log everything ]  At this point there
are several decisions I make:

   Is my network disrupted by this attack, and if so should I remove
   whatever it is that the attacker wants offline?  If I remove the
   target, will the attacker stop, and if so, will this keep my other
   services online?   [ I have found that by removing the target the attacker
   stops nearly immediately. ]

You need to figure out who is actually doing the attack and notify their
providers with a clean description of what actually took place.  If the
attack is too big to wait you get on the phone immediately and make it
someone else's problem as well.  If it is real bad you can even involve
your upstream provider(s) and have them put filters in place on their end
of the network.  [  Large providers hate doing this, yet if you
bark enough they will listen. ] 

When I think about it there is also an entire forensics process of
figuring out who was/is doing the attack.  I've found that before an
attack begins the attacker usually does a port scan or some sort of survey
of the services on the target system and usually the attacker does this
from their own host and not another host.  They figure you will never link
the attack to a port scan or whatever the survey may be. . .

I could write an entire book on this subject but my point is that I really
don't think large corporations are equipped to handle nearly any type of
DoS attack.  They don't understand the dynamics of the attacks and they
don't understand the methods of surviving an attack.

Too bad it is not possible for providers to practice proper egress filtering
techniques, because after all that is what this is all about.  :P


I need a soda.. I can tell my hypoglycemia is kicking in :)

  Take care,

-Barrett


Barrett G. Lyon
(NJS) Network Janitor Specialist 
Have fun: www.AlphaLinux.org

[Q]: Hey, do they test this stuff before it's released?  
[A]: Sure they do... "It compiles, it's ready!"
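The triage steps Barrett describes above (identify the attack type and its target, drop and log the attacking sources, and correlate the flood with an earlier port-scan survey from the same host) as a worked example. This is added code, not from the original post or its author; the log line format, the thresholds, and every address are constructed assumptions, and the detection runs over a sample log built inline.

```python
"""
Added example (not from the original post): triage a SYN flood from firewall
logs the way the post describes -- identify the attacked service, pick the
sources to drop and log, and check whether those sources surveyed the host
beforehand. Log format, thresholds and all addresses are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> SYN <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+) SYN (\S+) -> (\S+):(\d+)$")


def build_sample_log():
    """Constructed log: a 12-port survey, some normal traffic, then a flood."""
    base = datetime(2000, 2, 15, 10, 0, 0)
    lines = []
    # survey of the target from 192.0.2.10 (one port per second)
    for i, port in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 113, 143, 443]):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} SYN 192.0.2.10 -> 198.51.100.5:{port}")
    # ordinary client: five connections to the web port over ten minutes
    for i in range(5):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} SYN 203.0.113.7 -> 198.51.100.5:80")
    # flood half an hour later: 200 SYNs to port 22 in 20 s from two sources
    flood_start = base + timedelta(minutes=30)
    for src in ("192.0.2.10", "192.0.2.11"):
        for i in range(200):
            ts = flood_start + timedelta(milliseconds=100 * i)
            lines.append(f"{ts.isoformat()} SYN {src} -> 198.51.100.5:22")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port)})
    events.sort(key=lambda e: e["ts"])
    return events


def find_scanners(events, min_ports=10):
    """Sources that touched >= min_ports distinct (dst, port) pairs -> first seen."""
    ports = defaultdict(set)
    first_seen = {}
    for e in events:
        ports[e["src"]].add((e["dst"], e["port"]))
        first_seen.setdefault(e["src"], e["ts"])
    return {src: first_seen[src] for src, p in ports.items() if len(p) >= min_ports}


def find_flood_sources(events, threshold=100, window=timedelta(seconds=30)):
    """(src, dst, port) triples with >= threshold SYNs inside one window -> start."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dst"], e["port"])].append(e["ts"])
    floods = {}
    for key, times in by_key.items():
        left = 0
        for right, t in enumerate(times):  # times are already in time order
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                floods[key] = times[left]
                break
    return floods


def triage(log_text):
    """Return the attacked service, the sources to drop, and survey correlations."""
    events = parse_log(log_text)
    scanners = find_scanners(events)
    floods = find_flood_sources(events)
    targets = Counter(f"{dst}:{port}" for (_, dst, port) in floods)
    drop = sorted({src for (src, _, _) in floods})
    linked = {}
    for src in drop:
        flood_start = min(start for (s, _, _), start in floods.items() if s == src)
        if src in scanners and scanners[src] < flood_start:
            linked[src] = scanners[src]  # survey time: evidence for the provider report
    return {
        "target": targets.most_common(1)[0][0] if targets else None,
        "drop": drop,
        "linked_survey": linked,
    }


if __name__ == "__main__":
    result = triage(build_sample_log())
    print("target:", result["target"])
    print("drop and log:", ", ".join(result["drop"]))
    for src, seen in result["linked_survey"].items():
        print(f"{src} surveyed the host at {seen.isoformat()} before the flood")
```

On the constructed log, `triage` names `198.51.100.5:22` as the target, lists both flood sources for drop-and-log while leaving the ordinary client alone, and links only `192.0.2.10` to the earlier survey, which is the kind of timestamped correlation that turns "someone flooded us" into a provider complaint worth acting on.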
