nanog mailing list archives
Re: On the back of other 'security' posts....
From: Matthew Sullivan <matthew () sorbs net>
Date: Sun, 31 Aug 2003 10:12:15 +1000
Jack Bates wrote:
Owen DeLong wrote:
Again, I just don't see where an ISP can or should be held liable for forwarding what appears to be a correctly formatted datagram with a valid destination address. This is the desired behavior and without it, the internet stops working. The problem is systems with consistent and persistent vulnerabilities. One software company is responsible for most of these, and, that would be the best place to concentrate any litigation aimed at fixing the problem through liquidated damages.

Most dDOS's come from bots. Bots are installed on all operating systems and all architectures. I'd be surprised if the packets are all spoofed. In most dDOS cases these days, they are real IP's and just a high number of bots.
From the traffic I've seen there are a lot of bots - possibly a couple of 1000, however there are 2 distinct traffic types - spoofed and non spoofed.
The non spoofed is a pain, but easy to stop. I have been phoning ISPs' NOCs getting them shut down one by one.
The spoofed is the problem and when we are seeing 300k SYN pps coming from addresses 0.0.0.4 through 40.0.0.0 in .4 increments I think the traffic is spoofed rather than there being 10's of thousands of machines (especially from hosts like 0.0.0.4!)
The person responsible is the bot maintainer. Finding the controller medium (probably irc) is the hard part, but once done, monitoring who controls the bots isn't near as hard. Tracking them down can be a bit of fun, but usually they get lazy about covering tracks at that point. A few media enriched prison sentences would be good.
Granted, however if we could get rid of most of the spoof attacks it would be a damn sight easier to track them - I can tell you that the source is coming via the SprintLink - Telecom NZ international link - however I cannot find out more on the other side of the pond without speaking to Sprint and I know no one there.
Yours Mat
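
The split between spoofed and non-spoofed sources described in this message can be automated on a list of SYN source addresses; the following is an added example, not code from the post or its author. It assumes the ".4 increments" mean a constant step of 4 between consecutive source addresses; the function names and the sample capture are constructed for illustration.

```python
import ipaddress
from collections import Counter

# A few ranges that can never be a legitimate source on the public Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def analyse_sources(sources, min_unique=50, min_share=0.9):
    """Split SYN source addresses into likely-spoofed and worth-tracing sets."""
    addrs = sorted({int(ipaddress.IPv4Address(s)) for s in sources})
    seen = set(addrs)
    # Gaps between neighbouring unique sources: a generator that walks the
    # address space produces one dominant gap, a real bot population does not.
    gaps = Counter(b - a for a, b in zip(addrs, addrs[1:]))
    stride, hits = gaps.most_common(1)[0] if gaps else (0, 0)
    share = hits / max(len(addrs) - 1, 1)
    sequential = len(addrs) >= min_unique and share >= min_share

    spoofed, traceable = [], []
    for a in addrs:
        ip = ipaddress.IPv4Address(a)
        on_walk = sequential and (a - stride in seen or a + stride in seen)
        if on_walk or any(ip in net for net in BOGONS):
            spoofed.append(str(ip))
        else:
            traceable.append(str(ip))
    return {"sequential": sequential, "stride": stride,
            "spoofed": spoofed, "traceable": traceable}

def constructed_window(start="0.0.0.4", step=4, count=200):
    """Constructed sample: `count` sources walking upward from `start`."""
    base = int(ipaddress.IPv4Address(start))
    return [str(ipaddress.IPv4Address(base + i * step)) for i in range(count)]

if __name__ == "__main__":
    # Constructed capture: the walk plus three documentation-range hosts
    # standing in for real, non-spoofed bots.
    capture = constructed_window() + ["192.0.2.17", "198.51.100.9", "203.0.113.80"]
    result = analyse_sources(capture)
    print("sequential:", result["sequential"], "stride:", result["stride"])
    print("spoofed:", len(result["spoofed"]), "traceable:", result["traceable"])
```

The `traceable` list is the set worth taking to the originating networks; the stride check also catches a walk through allocated space, where a bogon filter alone sees nothing wrong.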