nanog mailing list archives

Re: DoS attacks, NSPs unresponsiveness


From: John Fraizer <nanog () EnterZone Net>
Date: Wed, 1 Nov 2000 23:39:45 -0500 (EST)


On Thu, 2 Nov 2000, Ariel Biener wrote:

   As most of you know, some ISPs run irc servers, and provide an IRC
service to the community. The service is free, and maintenance and cost of
networking/hardware/human hours is on the ISPs' expense.

This begs to question:  Why do they still do it? (Put the targets....er
IRC servers on their networks?)

sometimes, some people pick up arms, and attack. The attacks usually take
out whole ISPs for hours, or days.

Why do people set their network up as a target?  I just don't understand.

   The problem is that when trying to get help from the upstream provider
(UUnet in this example), you either receive a negative answer, or you're
just ignored completely. Thus, by terrorism, people get what they want,
and hold you at a threat of force, without any ability to defend yourself.

While I agree that it is unprofessional for your contact at a provider to
ignore or be disrespectful of you regarding a DoS against an IRC server,
it is just a fact of life that attacks against commercial entities will be
treated with much higher priority than attacks against a non-revenue
producing "service."  Quite frankly, the pizza man comes in WAY above an
IRC server in my book.

   Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed
sources) are just a number of these weapons. The problem with a lot of
networking entities, be it ISPs, enterprises, and such, is that they allow
spoofed packets to leave their network (i.e. do not check if the packets
originate from within their netblocks before letting them leave their
routers). 

Filtering scales best to ingress vs egress.  I agree that filtering should
be in place.  "Sanity checking" traffic from your downstream customers is
a lot smarter than simply hoping they're clueful enough to block bogons
leaving their network though.

   The question is, how can we defend ourselves, and why do the large NSPs
turn a blind eye, and act as if it's not their concern ?

Quite frankly, unless the source of the attack lives on their network,
they bear no responsibility, period, the end.  They're providing
transit.  It's 1's and 0's with no discrimination.


   Is there a chance that by helping one another, and by implementing
Internet RFCs correctly (rfc 1918 for example), we can contribute to the
elimination of this kind of electronic terrorism ?


RFC1918 specifically addresses filtering routing information.  Not spoofed
addresses.  It states "routing information about private networks shall
not be propagated on inter-enterprise links, and packets with private
source or destination addresses should not be forwarded across such
links."  Notice the placement of "shall" and "should."

I'm not saying that you don't have a valid point.  Just that the RFC
doesn't specifically prohibit forwarding the packets.  Only routing
information about RFC1918 address space.

Now, in specific response to your question about eliminating electronic
terrorism, it is doubtful.  Doubtful that you'll ever: #1 spread enough
clue around. #2 get everyone to cooperate.


---
John Fraizer
EnterZone, Inc
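
Added example, not part of the original message: a sketch of the ingress "sanity check" on downstream customer traffic discussed above, where a provider accepts a packet from a customer port only if its source address falls inside the prefixes assigned to that customer. The port names, prefix assignments and sample packets are constructed for illustration (documentation address ranges); a real deployment would express this as router filters rather than Python.

```python
import ipaddress

# Constructed sample: prefixes assigned to each downstream customer port.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24", "198.51.100.0/25"],
    "cust-b": ["203.0.113.0/24"],
}

# RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_table(assignments):
    """Parse the per-port prefix strings into network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assignments.items()}


def check_source(table, port, src):
    """Return (verdict, reason) for a packet arriving on a customer port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source")
    if port not in table:
        return ("drop", "unknown port")
    if any(addr in net for net in RFC1918):
        return ("drop", "RFC 1918 source")
    if any(addr in net for net in table[port]):
        return ("permit", "source within assigned prefix")
    return ("drop", "source outside assigned prefixes")


def audit(table, packets):
    """Apply the check to (port, source) pairs and keep the verdicts."""
    return [(port, src) + check_source(table, port, src)
            for port, src in packets]


# Constructed sample packets: (arrival port, claimed source address).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.17"),       # legitimate
    ("cust-a", "203.0.113.5"),      # cust-b's space seen on cust-a's port
    ("cust-a", "10.1.2.3"),         # private source leaking out
    ("cust-b", "198.51.100.200"),   # not assigned to cust-b
]

if __name__ == "__main__":
    for row in audit(build_table(CUSTOMER_PREFIXES), SAMPLE_PACKETS):
        print(*row, sep="\t")
```
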




