nanog mailing list archives

Re: DoS attacks, NSPs unresponsiveness (fwd)


From: "Christopher L. Morrow" <cmorrow () UU NET>
Date: Tue, 7 Nov 2000 22:09:20 -0500 (EST)


Having seen Ariel's message today, and NOT seeing my original response to
his post (sent to him directly, did you NOT get this email Ariel?). I've
reposted this message.. my original response to Ariel and Rubens.

As to the others today, Steve Sobol, you too are not a UUNET direct
customer, BUT if you are under attack and your Upstream tracks this
traffic to UUNET have them follow the procedures outlined below and I will
track the attack.

UUNET DOES pay 4 people (six actually) to do nothing but stop and track
DoS attacks on its backbone... and we are quite good at it.

--Chris

#######################################################
## UUNET Technologies, Inc.                          ##
## Manager                                           ##
## Customer Router Security Engineering Team         ##
## (W)703-289-8479 (C)703-283-3734                   ##
#######################################################

---------- Forwarded message ----------
Date: Thu, 2 Nov 2000 20:02:48 -0500 (EST)
From: Christopher L. Morrow <cmorrow () uu net>
To: Ariel Biener <ariel () fireball tau ac il>, rkuhljr () uol com br
Cc: nanog () merit edu, amos rosenboim <slick () xchange wan inter net il>
Subject: Re: DoS attacks, NSPs unresponsiveness

Ariel and Rubens,
I'd like to address your concerns about UUNET NOT getting involved when
your networks (both downstreams of UUNET customers) are under attack.

In both of your cases I have personally, on more than one occasion,
contacted your upstream providers to inform them of proper contact
procedures for Live Attacks. To clarify those procedures for the 10th time
in a public forum, if you are under attack and your upstream is either
UUNET, or it's a customer of UUNET have the DIRECT CUSTOMER of UUNET Call
the UUNET Security/Fraud/Abuse Department and ask for a Router
Engineer. The phone number is: 1-800-900-0241 options 2,3,1 or for those
that live outside the USA: 1-703-206-5440 options 2,3,1.

If no one calls there can be no action taken... in the case of Rubens,
your upstream (Embratel, correct?) has been emailing attack notifications
and null routing your addresses. They have been told by me personally (I
spoke to an individual named 'Jorge' I believe) several times to call us
so we can stop and track the attack. I have 4 engineers dedicated to
dealing with DoS attacks on UUNET customers. We track several attacks per
day and are available 24/7.

I will not be held accountable for people's issues when they do NOT follow
the appropriate contact procedures. If you would like to talk with me
personally about this I invite you to call or email me directly as I'd be
more than happy to clarify anything I've written in this message, my
contact information is included for your convenience.

For the others on this list, if you are a UUNET customer you can call our
Security Department if you ever have any issues with security, DoS, fraud,
spam, or the like. If you are under DoS attack either one of my engineers
will stop and track the attack, or I will do it... it's what we get paid
to do. If you are NOT a UUNET customer you know that other ISPs (Tier 1s
at least) do NOT filter attack traffic, and they do NOT track attacks. The
ONLY exceptions to this are: Genuity, Global Crossing and at one time
Verio.

--Chris

#######################################################
## UUNET Technologies, Inc.                          ##
## Manager                                           ##
## Customer Router Security Engineering Team         ##
## (W)703-289-8479 (C)703-283-3734                   ##
#######################################################

On Thu, 2 Nov 2000, Ariel Biener wrote:

  Hi,

   This e-mail comes to describe a common problem among a large number of
ISPs, mostly foreign, when dealing with US network service providers. I
don't want to talk about anyone I don't know of, so I will limit this
initial e-mail to talking about UUnet.

   As most of you know, some ISPs run irc servers, and provide an IRC
service to the community. The service is free, and maintenance and cost of
networking/hardware/human hours is on the ISPs' expense.

   Irc tends to be a volatile medium, like interpersonal relationships in
real life. Thus, many times arguments turn into heated disputes, and
sometimes, some people pick up arms, and attack. The attacks usually take
out whole ISPs for hours, or days.

   The problem is that when trying to get help from the upstream provider
(UUnet in this example), you either receive a negative answer, or you're
just ignored completely. Thus, by terrorism, people get what they want,
and hold you at a threat of force, without any ability to defend yourself.

   Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed
sources) are just a number of these weapons. The problem with a lot of
networking entities, be it ISPs, enterprises, and such, is that they allow
spoofed packets to leave their network (i.e. do not check if the packets
originate from within their netblocks before letting them leave their
routers). 

   The question is, how can we defend ourselves, and why do the large NSPs
turn a blind eye, and act as if it's not their concern ?

   Is there a chance that by helping one another, and by implementing
Internet RFCs correctly (rfc 1918 for example), we can contribute to the
elimination of this kind of electronic terrorism ?

   Any chance a UUnet person might answer ?


best regards,

--Ariel

--
Ariel Biener
e-mail: ariel () post tau ac il           Work phone: 03-6406086
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
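
The egress source-address check raised in the message above (let a packet leave only if its source lies in the site's own netblocks, and never with an RFC 1918 source), as an added example that is not part of the original thread. The netblocks are documentation prefixes, the flow records are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample: prefixes assigned to the site (documentation ranges).
SITE_NETBLOCKS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "198.51.100.0/25")]

# RFC 1918 private ranges; these must never be a source on a public uplink.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_verdict(src, site_netblocks=SITE_NETBLOCKS):
    """Classify one outbound packet by its source address (hypothetical helper)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop-malformed"
    if any(addr in net for net in site_netblocks):
        return "permit"            # source belongs to the site's netblocks
    if any(addr in net for net in RFC1918):
        return "drop-rfc1918"      # private source leaking to the uplink
    return "drop-spoofed"          # source the site does not own


def audit_egress(flows):
    """Return (verdict counts, sorted offending sources) for (src, dst) records."""
    counts, offenders = Counter(), set()
    for src, _dst in flows:
        verdict = egress_verdict(src)
        counts[verdict] += 1
        if verdict != "permit":
            offenders.add(src)
    return counts, sorted(offenders)


# Constructed flow records as seen on the uplink-facing interface.
SAMPLE_FLOWS = [
    ("192.0.2.17", "203.0.113.5"),
    ("198.51.100.90", "203.0.113.5"),
    ("198.51.100.200", "203.0.113.5"),   # outside the site's /25
    ("10.1.2.3", "203.0.113.5"),
    ("203.0.113.77", "203.0.113.5"),
    ("not-an-ip", "203.0.113.5"),
]

if __name__ == "__main__":
    counts, offenders = audit_egress(SAMPLE_FLOWS)
    print(dict(counts))
    print(offenders)
```
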









