On Thu, 12 Jul 2001 up@3.am wrote:
> On Thu, 12 Jul 2001, Brad wrote:
>> Here are my thoughts on DDoS:
>> -The problem should not be addressed by going after the originators of the attacks, rather a real-time targeting system for those 'compromised' client computers with zombies
> I think this approach, while helpful, isn't going to solve anything. I seem to recall an RBL of sorts (Denninger?) for networks that had routers that allowed directed broadcasts, and thus smurf attacks. Cisco also (finally) put it in their default config.
Thanks for the post, James. Well, I think we are dealing with different issues, which seem to change things a bit. Putting in 'no ip directed-broadcast' in a Cisco interface is a one-time quick and easy fix for all of those problems. Therefore, calling the admin of a network who is allowing directed broadcasts, and even helping them to fix it for good, has been a good and easy task. However, the problem here is not so easy to take care of on the provider(s) end. I tend to see this problem more like open-relay issues. An open-relay SMTP server is just as much a pain in the rear as a compromised windoze box (if not more) and we have several ways to combat open-relay issues currently through various testing and filtering systems.
> Problem solved? Well, smurf attacks are down, but DDoS attacks are way up. Why? Well, you can put a big part of the blame on M$, but my guess is that many of the same perpetrators of those smurf attacks are now operating these bots. I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
I would agree that if we actually caught and punished the attackers, the number of attacks would go down. But there are a lot of issues with doing that. You have to wait till the attacker actually takes down and causes $$ damages to your network/company prior to even being looked at by a court. In this industry, many companies may not survive long if such an attack took place, and would most likely not be able to front attorney fees to go after a 15-year-old who could questionably be tried and punished after the fact.
> Yes, going after vulnerabilities is good, but you'll never get them all. If you were to go after the source of the attacks, and just got enough to demonstrate that this is a much riskier activity than it is now, I think it would be much more effective.
I like your feedback. Maybe we can do both :)
> 7-11's aren't built like banks, but those cameras (and tenacious investigations) have drastically reduced holdups.
I don't know ;) They both have non-removable time-lock safes, security systems, cameras, magnetic-locking doors, panic-buttons, etc, etc... :)
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up@3.am http://3.am
---
Brad Baker
Director: Network Operations
American ISP
brad@americanisp.net
+1 303 984 5700 x12
http://www.americanisp.net/