Security Incidents mailing list archives

Re: Followup on ping flood


From: Philippe Bourcier <philippe () CYBERABUSE ORG>
Date: Sun, 6 May 2001 18:47:04 +0200

Re

> I appreciate the sentiment of the gentleman who cautioned against
> jumping to the conclusion that the perpetrator is from China, in light
> of recent political developments.

In APNIC databases, 211.72.0.0/13 has been allocated to Taiwan.
IRC servers are getting hit every week from Taiwanese, Chinese and other
Asian networks, but the servers are often hacked by North America or
Eastern Europe script kiddies.

> Still, since the site under attack is
> www.whitehouse.org, and because in addition to the ping flood, we're
> seeing more or less constant port scans originating from netblocks
> registered to China, I think Occam's razor suggests that that's the most
> likely interpretation.

Everybody else is seeing those too, simply because Asian administrators are
not very aware of security issues, or sometimes just don't understand English.
Also, note that 38.2% (from SAR's db (when it was still working)) of the
smurf amplifier networks are in Asia, so whoever wants to smurf attack
you will likely use an Asian network, because:
 - There are a lot of smurf amplifiers there.
 - No one in Asia will care about you being smurfed (which is less and less
the case with NA/EU based networks).
 - The amplifier will most likely be there for a while, so a smurf
amplifier list with only Asian networks will work for a long time.

So it is really possible that this attack is made by a copycat from a
country other than China.
A lot of kiddies think it's cool to take down .gov's, even if they are from
the US.
It's all about being a rebel and a destructor; patriotism doesn't count.

Plus, I don't think anyone wants to pay for that kind of
bandwidth for ping floods.

The sad thing is a .gov has to be taken down to get the US authorities
to move their ass.
All the IRC networks are suffering from DoS attacks every day.
A good week for an ISP hosting one of those represents 10 Gb of DoS
traffic, a bad one has been 80 Tb (last January).

Whose fault is it, if it has become that bad?

I would say that often uplink providers are not very reactive when it comes
to blocking DoS...
But DoS traffic is paid traffic, so why would they cut it, if it generates
revenue?
Often, they cut a bit of the attacks, so you are satisfied and happy they
did something... and then they just monitor the $$$ generated.

Also, I think not applying anti-spoofing filtering ("I know the networks I
own, so no outgoing traffic can come from other networks than mine.")
should be punished by law.
I am really waiting for the first jurisprudence of that kind.
Then I think "brute-DoS" and basic DoS tools as we see everywhere actually
will be much less common.

Philippe Bourcier
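The anti-spoofing rule the message above argues for ("I know the networks I own, so no outgoing traffic can come from other networks than mine") as an added example, not part of the original post: a small Python model of the egress check a border router would apply before forwarding. The prefixes and sample packets are constructed for illustration.

```python
"""Egress anti-spoofing filter: drop outbound packets whose source address is
not inside a prefix this network owns. Illustrative code written for this page,
not from the original post; prefixes and traffic below are constructed."""
import ipaddress
from typing import Iterable

# Constructed example: prefixes the (hypothetical) ISP is responsible for.
OWNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # documentation range, stands in for a customer block
    ipaddress.ip_network("198.51.100.0/25"),
]

def is_spoofed(src: str, owned: Iterable[ipaddress.IPv4Network] = OWNED_PREFIXES) -> bool:
    """True when an outbound packet's source is not in any prefix we own.
    Such a packet should never leave our border: it is a misconfiguration
    or spoofed traffic (the ingredient smurf and other reflection attacks need)."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in owned)

def egress_filter(packets, owned=OWNED_PREFIXES):
    """Split outbound (src, dst) tuples into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (dropped if is_spoofed(src, owned) else forwarded).append((src, dst))
    return forwarded, dropped

def spoofed_sources(dropped):
    """Count dropped packets per source address; in a smurf setup every
    spoofed source is the same victim address, which this makes visible."""
    counts = {}
    for src, _ in dropped:
        counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed sample traffic seen leaving the border router.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.1"),      # legitimate customer traffic
    ("198.51.100.7", "192.0.2.1"),      # legitimate, second prefix
    ("198.51.100.200", "192.0.2.1"),    # outside our /25 (.0-.127): not ours, drop
    ("192.0.2.50", "203.0.113.255"),    # foreign source aimed at a broadcast address: drop
    ("192.0.2.50", "198.51.100.127"),   # same foreign source, another broadcast address: drop
]

if __name__ == "__main__":
    ok, bad = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(ok)}, dropped {len(bad)}: {spoofed_sources(bad)}")
```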

