nanog mailing list archives

Re: DDOS solution recommendation


From: Owen DeLong <owen () delong com>
Date: Sun, 11 Jan 2015 12:55:59 -0800


On Jan 11, 2015, at 05:07 , Mike Hammett <nanog () ics-il net> wrote:

> Why does it seem like everyone is trying to "solve" this the wrong way?

Because it’s what we CAN do.


> Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their
> abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're being used
> to attack people, but I'd think that if their network's abuse department was notified, either they'd contact the
> customer about the issue or at least have on file that they were notified. When the unknowing end-user reached out to
> support over larger and larger parts of the Internet not working, they'd be told to clean up their system.
>
> The way to stop this stuff is for those millions of end users to clean up their infected PCs.

Agreed… However, let’s look at it from an economics perspective…

The average residential service provider doesn’t have the resources and doesn’t charge enough to build the resources to 
deal with this onslaught. It won’t be the service provider that the attacker blames for the initial few disconnections, 
it will be the websites in question.

So, let’s say XYZ.COM is a really popular site with lots of end-users. Some of those end-users are
also unknowingly attacking XYZ.COM.

XYZ.COM black holes those customers (along with all the other zombies attacking them).

XYZ.COM gets angry calls from those customers and has no ability to contact the rest.
The rest don’t call their ISP or XYZ.COM because they don’t know that they are unsuccessfully trying
to reach XYZ.COM, so they don’t see the problem.

Depending on hold times, etc., XYZ.COM loses some fraction of their customers (who instead of
cleaning up their system, move into the second group who don’t care about the problem any more.) The rest may clean up
their systems.

So, at the cost of some fraction of their customer base and a substantial burden on their call center, XYZ.COM
has managed to clean up a relatively small percentage of systems, but accomplished little else.

I’m all for finding a way to do a better job of this. Personally, I’d like to see some sort of centralized clearing
house where credible reporters of dDOS information could send some form of standardized (automated) report. The
clearing house would then take care of contacting the responsible ISPs in a scalable and useful manner that the ISPs
could handle. Because the clearing house would be a known credible source and because they are providing the
information in a way that the ISP can more efficiently utilize the information, it MIGHT allow the ISP to take
proactive action such as contacting the user and addressing the problem, limiting the user’s ability to send dDOS
traffic, etc.

However, this would require lots of cooperation and if such a clearing house were to evolve, it would probably have to 
start as a coalition of residential ISPs.

Owen
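The clearing-house idea above turns on one mechanical step: taking many per-victim sightings of attacking hosts, collapsing duplicates, and grouping them by the network responsible for each source address so that each ISP receives one batched report it can act on. The following is an added illustration of that step, not code from the thread or from any existing clearing house. The prefix-to-ASN table, the abuse contacts and the sightings are all constructed (documentation address blocks and private ASNs); a real service would populate the table from registry data and would need its own policy for the minimum number of independent sightings before a report goes out.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class AttackReport:
    """One sighting of a DDoS source, as a victim might submit it (constructed schema)."""
    source_ip: str
    target: str
    first_seen: str  # ISO-8601 UTC timestamp
    packets: int

# Constructed mapping of prefixes to responsible networks. Addresses are RFC 5737
# documentation blocks and the ASNs are private-use; none are real allocations.
PREFIX_TABLE: Dict[str, Tuple[str, str]] = {
    "192.0.2.0/24": ("AS64496", "abuse@isp-a.example"),
    "198.51.100.0/24": ("AS64497", "abuse@isp-b.example"),
    "198.51.100.128/25": ("AS64498", "abuse@isp-c.example"),  # more-specific delegation
}

def lookup_network(ip: str, table: Dict[str, Tuple[str, str]] = PREFIX_TABLE) -> Optional[Tuple[str, str]]:
    """Longest-prefix match so a more-specific delegation wins over its covering block."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for cidr, owner in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = owner, net.prefixlen
    return best

def aggregate(reports: List[AttackReport], table=PREFIX_TABLE, min_sightings: int = 1) -> dict:
    """Collapse sightings per source IP, drop sources seen fewer than min_sightings times,
    and group what remains by the abuse contact of the responsible network.
    Returns {contact: {"asn": str, "sources": [(ip, sightings, packets), ...]}}."""
    per_ip = defaultdict(lambda: [0, 0])  # ip -> [sightings, packets]
    for r in reports:
        per_ip[r.source_ip][0] += 1
        per_ip[r.source_ip][1] += r.packets
    grouped = defaultdict(lambda: {"asn": None, "sources": []})
    for ip, (sightings, packets) in per_ip.items():
        if sightings < min_sightings:
            continue  # single-sighting sources are too weak to report
        owner = lookup_network(ip, table)
        asn, contact = owner if owner else ("unknown", "unrouted")
        grouped[contact]["asn"] = asn
        grouped[contact]["sources"].append((ip, sightings, packets))
    for entry in grouped.values():
        entry["sources"].sort(key=lambda s: ipaddress.ip_address(s[0]))
    return dict(grouped)

def render(contact: str, entry: dict) -> str:
    """Plain-text batch report for one network, one line per source."""
    lines = [f"To: {contact}", f"Network: {entry['asn']}", "source_ip sightings packets"]
    lines += [f"{ip} {n} {pk}" for ip, n, pk in entry["sources"]]
    return "\n".join(lines)

# Constructed sightings: several victims reporting the same handful of sources.
SAMPLE_REPORTS = [
    AttackReport("192.0.2.10", "xyz.example", "2015-01-11T10:00:00Z", 50000),
    AttackReport("192.0.2.10", "abc.example", "2015-01-11T10:02:00Z", 50000),
    AttackReport("192.0.2.10", "def.example", "2015-01-11T10:05:00Z", 50000),
    AttackReport("192.0.2.11", "xyz.example", "2015-01-11T10:00:00Z", 2000),
    AttackReport("198.51.100.5", "xyz.example", "2015-01-11T10:01:00Z", 10000),
    AttackReport("198.51.100.5", "abc.example", "2015-01-11T10:03:00Z", 10000),
    AttackReport("198.51.100.200", "xyz.example", "2015-01-11T10:01:00Z", 4000),
    AttackReport("203.0.113.9", "xyz.example", "2015-01-11T10:04:00Z", 700),
]

if __name__ == "__main__":
    for contact, entry in aggregate(SAMPLE_REPORTS, min_sightings=2).items():
        print(render(contact, entry))
        print()
```

With `min_sightings=2` only sources corroborated by more than one victim are reported, which is the kind of credibility filter that would let an ISP trust a clearing house more than it trusts individual complaints; sources outside the table land in an `unrouted` bucket for manual review rather than being silently dropped.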


