nanog mailing list archives

Re: DDoS attacks


From: Brad <brad () americanisp net>
Date: Thu, 12 Jul 2001 09:55:48 -0600 (MDT)


On Thu, 12 Jul 2001 up () 3 am wrote:

> On Thu, 12 Jul 2001, Brad wrote:
>
>> Here are my thoughts on DDoS:
>>
>> -The problem should not be addressed by going after the
>> originators of the attacks, rather a real-time targeting
>> system for those 'compromised' client computers with zombies
>
> I think this approach, while helpful, isn't going to solve anything.  I
> seem to recall an RBL of sorts (Denninger?) for networks that had routers
> that allowed directed broadcasts, and thus smurf attacks.  Cisco also
> (finally) put it in their default config.

Thanks for the post James.

Well, I think we are dealing with different issues which
seem to change things a bit..  Putting in 'no ip
directed-broadcast' in a Cisco interface is a one-time quick
and easy fix for all of those problems.  Therefore, calling
the admin of a network who is allowing directed broadcasts,
and even helping them to fix it for good, has been a good
and easy task.  However, the problem here is not so easy to
take care of on the provider(s) end.  I tend to see this
problem more like open-relay issues.  An open-relay SMTP
server is just as much a pain in the rear as a compromised
windoze box (if not more) and we have several ways to combat
open-relay issues currently through various testing and
filtering systems.

> Problem solved?  Well, smurf attacks are down, but DDoS attacks are way
> up.  Why?  Well, you can put a big part of the blame on M$, but my guess
> is that many of the same perpetrators of those smurf attacks are now
> operating these bots.  I can't help but believe that if even 20% of them
> were caught and had to spend just a little time (even hours) with the
> cops, and had their peecees confiscated, you'd not be seeing nearly the
> problems we are now.

I would agree that if we actually caught and punished the
attackers, the number of attacks would go down..  But there
are a lot of issues with doing that.  You have to wait till
the attacker actually takes down and causes $$ damages to
your network/company prior to even being looked at by a
court.  In this industry, many companies may not survive
long if such an attack took place, and would most likely not
be able to front attorney fees to go after a 15-year-old who
could questionably be tried and punished after the fact.

> Yes, going after vulnerabilities is good, but you'll never get them all.
> If you were to go after the source of the attacks, and just got enough to
> demonstrate that this is a much riskier activity than it is now, I think
> it would be much more effective.

I like your feedback. Maybe we can do both :)

> 7-11's aren't built like banks, but those cameras (and tenacious
> investigations) have drastically reduced holdups.

I don't know ;)  They both have non-removable time-lock
safes, security systems, cameras, magnetic-locking doors,
panic-buttons, etc, etc...  :)

> James Smallacombe                   PlantageNet, Inc. CEO and Janitor
> up () 3 am                                                        http://3.am


---
Brad Baker
Director: Network Operations
American ISP
brad () americanisp net
+1 303 984 5700 x12
http://www.americanisp.net/
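The thread's technical point is that a single interface command, 'no ip directed-broadcast', closes the smurf amplification vector, and that newer Cisco IOS releases made this the default (so the 'no' form no longer shows up in the running config). The script below is an added illustration written for this archive page, not code from either poster or from Cisco; it audits an IOS-style configuration for interfaces that would still forward directed broadcasts. The sample configuration is constructed, and the 'default_disabled' flag is an assumption the auditor needs because the meaning of a missing line depends on the IOS generation.

```python
"""Audit a Cisco IOS running-config for interfaces that still forward
IP directed broadcasts (the smurf amplification vector).

Added illustration, not part of the NANOG thread.  Assumes the config
text follows 'show running-config' layout: 'interface X' stanzas with
indented sub-commands, each stanza terminated by a '!' line.
"""
import re

# Constructed sample config (documentation prefixes, not a real router).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
!
interface Loopback0
 ip address 203.0.113.254 255.255.255.255
 no ip directed-broadcast
!
"""


def parse_interfaces(config_text):
    """Return {interface_name: [sub-command lines]} from an IOS config."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            # '!' or any top-level command ends the current stanza
            current = None
    return interfaces


def directed_broadcast_state(subcommands, default_disabled):
    """True if the interface forwards directed broadcasts.

    An explicit 'ip directed-broadcast' / 'no ip directed-broadcast' line
    decides it (an optional access-list argument is tolerated).  When neither
    is present the answer depends on the platform default: older IOS
    forwarded unless told otherwise, while releases that disabled it by
    default simply omit the 'no' line from the running config.
    """
    for cmd in subcommands:
        if re.fullmatch(r"no ip directed-broadcast(\s.*)?", cmd):
            return False
        if re.fullmatch(r"ip directed-broadcast(\s.*)?", cmd):
            return True
    return not default_disabled


def find_amplifiers(config_text, default_disabled=True):
    """Sorted names of interfaces that would still answer a smurf-style
    broadcast, i.e. the ones an operator should fix or be called about."""
    ifaces = parse_interfaces(config_text)
    return sorted(
        name for name, cmds in ifaces.items()
        if directed_broadcast_state(cmds, default_disabled)
    )


if __name__ == "__main__":
    print("default-disabled platform:", find_amplifiers(SAMPLE_CONFIG))
    print("legacy platform:          ",
          find_amplifiers(SAMPLE_CONFIG, default_disabled=False))
```

On a platform that disables forwarding by default only FastEthernet0/0, which explicitly enables it, is flagged; on a legacy platform Serial0/0, which says nothing either way, is flagged as well. That second case is exactly why an auditor cannot just grep for the 'no' line: silence means different things on different IOS generations.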

