On Sun, 21 Jan 2001, Dan Hollis wrote:
By the time law enforcement has to be involved to convince a tier 1 to shut off their DDoS sources, it's far past the point of complicity and the preventable monetary damages have already occurred. You can bet someone's going to get sued.
From what I can manage to make out of the thread, the impression I get is that people seem to believe that the Tier 1 (what constitutes a tier 1 anyway in today's world?) just needs to throw a switch and turn off a DDoS attack, but that they are too lazy to flip it.
Reality being a bit different, let's check into what we have here. Reality has it that there are: several tens of thousands of customers; 100k+ interfaces for customers, all terminated on broken hardware that cannot line-rate filter on all interfaces; 200k iBGP entries; entry points from several thousand peering interfaces, mostly at OC12 rates or higher; thousands of routers; and a chronic shortage of staff, because anyone who is any good at a customer-facing role (and DoS/abuse are customer-facing roles) tends to burn out and fade away very fast, normally up the engineering hierarchy, leaving the job to fresh new people armed with inadequate experience and lacking the tools to do the job.

A DDoS attack by definition is a hard one to trace, no matter what people (vendors) would have you believe. Putting an ACL in to do a traceback? What do we put in the ACL, with some DDoS attacks involving 500+ machines, each being carefully rate limited to send a few packets, perhaps with different information in each? Maybe putting an ACL on will crash the router, and the router cannot be code upgraded because a new and interesting interaction with the new train tickles some other bugs, causing hard crashes at random.

The govt. agencies are involved often, but the fundamental problems of very large networks coupled with inadequate protocols and broken implementations make traceback of DDoS attacks _very hard_. This is not to say that some backbones aren't lazy about doing the job; I suspect that is mostly because the people doing the tracebacks have realized that it is almost impossible to do adequately with any chance of success and tend to ignore it. This is not a good thing, but this is what appears to be happening. On the other hand, people are beating on vendors to treat this problem seriously and give operators proper debugging abilities and better hardware.

Also please realize that just turning off someone's circuit because some j. random person called up and claimed it was sourcing a DDoS attack is often prohibited by policy at various networks, and an exception must be made by senior mgmt in the chain. If every NOC just started to turn off interfaces because of a phone call, the results are easy to imagine. /vijay
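As an added illustration of the traceback point above (not part of the thread), the following Python script runs two views over constructed flow records: a per-source packet threshold, which is what a traceback ACL ultimately has to match on, and a per-destination aggregation. All addresses, counts and thresholds are made up; the 500 low-rate sources mirror the "500+ machines, a few packets each" case described in the post.

```python
from collections import defaultdict
from statistics import mean
import random

VICTIM = "203.0.113.20"   # constructed victim address (documentation range)
SERVER = "203.0.113.10"   # constructed legitimate service, for contrast

def build_sample_flows(n_attackers=500, seed=1):
    """Constructed flow records (src, dst, packets); not captured traffic."""
    rng = random.Random(seed)
    flows = []
    for i in range(20):                         # ordinary clients, moderate volume
        flows.append((f"198.51.100.{i + 1}", SERVER, rng.randint(50, 200)))
    for i in range(n_attackers):                # many sources, a few packets each
        src = f"10.{(i >> 8) & 255}.{i & 255}.{rng.randint(1, 254)}"
        flows.append((src, VICTIM, rng.randint(1, 5)))
    return flows

def per_source_acl_candidates(flows, min_packets):
    """What a per-source threshold (the basis of a traceback ACL) would flag."""
    totals = defaultdict(int)
    for src, _dst, pkts in flows:
        totals[src] += pkts
    return {src for src, n in totals.items() if n >= min_packets}

def per_destination_summary(flows):
    """Aggregate by destination: total packets, distinct sources, mean per source."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, pkts in flows:
        per_dst[dst][src] += pkts
    return {dst: {"packets": sum(s.values()), "sources": len(s),
                  "mean_per_source": mean(s.values())}
            for dst, s in per_dst.items()}

def distributed_flood_targets(flows, min_sources=100, max_mean=10):
    """Destinations hit by many sources that each send very little."""
    return sorted(dst for dst, m in per_destination_summary(flows).items()
                  if m["sources"] >= min_sources and m["mean_per_source"] <= max_mean)

if __name__ == "__main__":
    flows = build_sample_flows()
    # The per-source view flags only the busy legitimate clients and none of the
    # 500 attack sources; the per-destination view exposes the victim, but the
    # source list it yields is exactly the 500-entry ACL the post is complaining about.
    print("per-source threshold matches:", sorted(per_source_acl_candidates(flows, 40)))
    print("per-destination view:", per_destination_summary(flows))
    print("distributed-flood targets:", distributed_flood_targets(flows))
```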