nanog mailing list archives

Re: DDoS attacks


From: Brad <brad () americanisp net>
Date: Thu, 12 Jul 2001 02:22:05 -0600 (MDT)



[snip]

Your initial email asked for an AboveNet contact. Did you get some assistance
and if so what was the resolution? This is very important for us to know
so we can kind of keep track of cooperative ISPs and the ones that just
ignore these problems.
And then what?  Suppose you had a list of non-cooperative ISPs?  What
then?  Experience has shown that the ISPs that don't care, won't care no
matter what you say or do (those who follow FIRST know I have a lot to say
on this matter, but have been holding back to give those non-cooperative
ISPs time to make matters right - we are now on day 5 of a continuous
non-spoofed 20Mb/sec dDoS attack :-)).  Convince me why a list of
non-cooperative ISPs is a thing that would help.

Well, the way I see it, this internet thing is new to a lot of companies. Some are finding out the hard way
what works and what doesn't. Quite a bit of the normal controls to prevent bad service, etc. are not in place.

I'm sure you've heard of the Better Business Bureau, the Chamber of Commerce, etc.? Well, I wasn't suggesting
making a list, I was suggesting he report his interaction with that company to you guys. This might allow
NANOG to know how this or that ISP is responding to requests. You can sit by and say experience has shown,
and you're right. However, that is because no one is calling for any responsibility. There is no review and
no drawbacks to acting with complete disregard. Well, just reporting that I spoke with X ISP and they
attempted to cooperate or they didn't care at all is a small first step. If someone then took these reports
and passed them to Boardwatch, or whatever, the ISP might end up answering to someone.

There is quite a bit of helplessness and inaction going on when it comes to these types of situations, and
BIG ISPs can get away with whatever they want. Well, experience has shown that if you organize, the "little"
people can influence the BIGGER.
-Hank
Jon


Here are my thoughts on DDoS:

-The problem should not be addressed by going after the
originators of the attacks, but rather by a real-time targeting
system for those 'compromised' client computers with zombies
installed.  It seems to me that no matter the use, a
computer that is attached to a global network and which is
compromised in such a way should be forced to correct the
problem prior to continued participation in that network.

With that said, it also appears there are two steps which
need to take place for proper implementation of such a
system: detection and elimination.

As for the detection.  Well, that is the hard part.  As I
understand these zombies, they are just IRC clients embedded
in the compromised machine.  And nothing stops IRC clients
from connecting on just about any port available, so
port-based scans or blocks are not going to cut it.
So, if we cannot scan for compromised machines, we need to
be reactive to their attacks.  Finding out which IPs are
involved in a DDoS attack is not too hard.  Hell, just last
week I was hit by a DDoS of 220 individual IPs from
different networks.  All IPs were recorded for future use.
(And the target was a web server, not an IRC server/client.)

How do we use this data to our advantage?  What can we do
with it to 'verify' a bad client?  Should there be a
time limit for denial (for dynamically assigned members)?
Once an attack has started, what mechanism can be in place
to stop it?

Clearly there are a lot of unanswered questions.  I hope
this post spins off some constructive discussion.

---
Brad Baker
Director: Network Operations
American ISP
brad () americanisp net
+1 303 984 5700 x12
http://www.americanisp.net/
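Brad's reactive approach above (record the IPs that flood the web server, and consider a time limit on denial for dynamically assigned addresses), as an added example written for this page and not code from the original post: a Python sketch that flags per-window request floods in a constructed access log and keeps the flagged addresses in a deny list whose entries expire. The log format, window size, threshold and expiry time are assumptions.

```python
"""Reactive DDoS source identification from a web-server log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "<ISO timestamp> <client IP> <request>" per line, using
# RFC 5737 documentation addresses: three flooders plus one normal visitor.
# Window size, threshold and deny-list TTL below are assumptions, not the post's.
SAMPLE_LOG = (
    [f"2001-07-05T10:00:{s:02d} 198.51.100.7 GET /" for s in range(10)]
    + [f"2001-07-05T10:00:{s:02d} 203.0.113.{n} GET /" for s in range(10) for n in (21, 22)]
    + ["2001-07-05T10:00:03 192.0.2.50 GET /index.html",
       "2001-07-05T10:00:07 192.0.2.50 GET /logo.gif"]
)

def parse_line(line):
    ts, ip, _request = line.split(" ", 2)  # request text is not needed here
    return datetime.fromisoformat(ts), ip

def find_attack_sources(lines, window_seconds=10, threshold=8):
    """Return sorted IPs that exceed `threshold` requests in any fixed window."""
    hits = defaultdict(Counter)  # window start -> Counter(ip -> requests)
    for line in lines:
        ts, ip = parse_line(line)
        bucket = ts.replace(second=ts.second - ts.second % window_seconds, microsecond=0)
        hits[bucket][ip] += 1
    return sorted({ip for c in hits.values() for ip, n in c.items() if n > threshold})

class DenyList:
    """Deny list whose entries age out, so a reassigned dynamic address is not stuck."""
    def __init__(self, ttl=timedelta(hours=1)):
        self.ttl, self.expires = ttl, {}  # ip -> datetime after which it is dropped
    def add(self, ip, now):
        self.expires[ip] = now + self.ttl
    def is_denied(self, ip, now):
        exp = self.expires.get(ip)
        if exp is not None and now < exp:
            return True
        self.expires.pop(ip, None)  # expired or unknown: make sure it is not kept
        return False

def run_demo():
    """Flag the sample flooders, deny them for 30 minutes, then let them age out."""
    flagged = find_attack_sources(SAMPLE_LOG)
    t0 = datetime(2001, 7, 5, 10, 0, 10)
    deny = DenyList(ttl=timedelta(minutes=30))
    for ip in flagged:
        deny.add(ip, t0)
    return (flagged, deny.is_denied(flagged[0], t0 + timedelta(minutes=5)),
            deny.is_denied(flagged[0], t0 + timedelta(minutes=31)),
            deny.is_denied("192.0.2.50", t0))  # expect: True, False (aged out), False
```

In practice the same counting would run over netflow or firewall logs rather than an access log, and the flagged list would feed a router ACL or upstream filter instead of an in-memory dict.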


