nanog mailing list archives

Re: Denial of service attacks apparently from UUNET Netblocks


From: Joe Shaw <jshaw () insync net>
Date: Tue, 7 Oct 1997 09:21:32 -0500 (CDT)

On Mon, 6 Oct 1997, Phil Howard wrote:

> Steve Mansfield writes...
> > S'okay.  Have the feds subpoena UUNET for the connect logs for these
> > max'es.  UUNET keeps the logs and is capable, given the exact time of the
> > attack(s), of going through the logs, identifying exactly who it was, and
> > if it's one of their customers, giving the personal info to the feds.
> > If it's a reseller's customer, they can get the user info and forward it to
> > the reseller and inform the feds who they need to talk to for the personal
> > info.  Whoever it was is as good as nailed.
>
> Unless it was a stolen account.  With more and more "naive" users coming
> online, the chance of this kind of thing happening is greater and greater.
> You can shut off the account.  Feds can visit the home of whoever owns the
> account.  They can even be blocked from ever getting any account at any
> ISP for life.  But if this possibility is fact, you won't have the perp
> and they can attack again.

[SNIP]

Phil Howard  +-------------------------------------------------------------+

Although this is all true, it still doesn't explain the fact that UUNet is
allowing broadcast packets through their network.  One would think that
with the recent increase in broadcast DoS attacks, that UUNet would have
taken a much more proactive stance.  But, being an outspoken UUNet
customer, and having experienced a DoS attack (by proxy, as they were
attacking one of our customers) a little over a week ago (all day Sunday,
Sept. 28th), I can say they definitely have done nothing but drag their
heels.  When we called, we were told we'd get to speak to a UUNet security
team member, and we did speak to them.  Then, a few hours later after our
10Minus connection went down several times and BGP reset countless times,
we finally got tired, and took the link to our customer down, reset BGP,
and the flooding stopped.  Unfortunately, UUNet hadn't taken the time to
do any packet captures while we were under attack, so they couldn't do
anything.  Finally at 12:00am Monday morning, we called in again, and
brought the link up.  We were told that there would be a member of the
security team paged and we would hear from him/her within the hour.  3
hours later after getting no response we shut the link down and went
home.  Later that day, at approx. 12pm, I called UUNet security team,
and have heard nothing about the incident since I sent them what I
captured with the sniffer.  Unfortunately, the offending addresses were
probably forged, so without anyone to capture those packets and trace them
back, the person who took down our 10Mbps Ethernet connection to UUNet
gets away scot-free.  I don't like that, and I find the level of service
I received again to be unsatisfactory.  If one of my customers was under
attack, and I acted with the same behaviour as UUNet, I would be searching
for another job right now.

With that aside, I'm glad my DS3 circuit stayed up.  Without it, we would
have been completely screwed.

Joe Shaw - jshaw () insync net
NetAdmin - Insync Internet Services


