Greetings. Stoned koala bears drooled eucalyptus spit in awe as Sven Nielsen exclaimed:
On Wed, Nov 01, 2000 at 11:39:45PM -0500, John Fraizer put this into my mailbox:
This begs to question: Why do they still do it? (Put the targets....er IRC servers on their networks?)
Internet chat in its various forms is what brings a lot of people to the net to begin with, and for most of these applications to work, *somebody* has to run a server, right? This ain't U*IX talk(1). For a lot of ISPs, IRC is another means of getting the exposure and "brand recognition" that brings both residential and commercial customers to them. It is extremely narrow-minded to only look at internet services that directly make you money. So you're a web hosting provider? Then screw all the dialup (l)users, right? I don't make money directly off them. It doesn't matter that the majority of the people that hit my web farm are on dialup lines, I don't ever see any of the money that they pay their providers, so screw them, screw them all, right? Is this the way we should look at things?
Any high-profile site is a target. How about you ask that same question of Yahoo, eBay, CNN, or any of the other sites that were massively attacked early this year? How about Slashdot, which seems to get attacked regularly? Maybe they'll realize that they're setting themselves up as targets by being so popular and will shut down simply to protect the networks that host them.
Yes. While we are shutting down all these evil, bandwidth-eating IRC servers, let's shut down all of these 5kr1p+-k1dd13-attracting web sites as well. Let's make the internet a hell of a lot less useful to millions of people. Let's see if we still have jobs tomorrow when this happens.
While I agree that it is unprofessional for your contact at a provider to ignore or be disrespectful of you regarding a DoS against an IRC server, it is just a fact of life that attacks against commercial entities will be treated with much higher priority than attacks against a non-revenue producing "service." Quite frankly, the pizza man comes in WAY above an IRC server in my book.
Mr. Fraizer, how do you react when some dialup customer on one of your networks pisses off some script kiddie on IRC and they start sending 100Mbit of garbage at/through you? Do you tell the customer "Well, don't use IRC then?" I do network security for a very large Tier 1 provider and I get calls all the time from customers who are under attack for whatever reason. Lately, the popular way to do it seems to be to send tons of ICMP garbage to the IP of the terminal server that the victim is behind. I can just see it now:
Customer: My circuit is being saturated by tons of ICMP garbage. Can you please do something to stop it before it gets to my pipe? I don't know what they did, but apparently one of my dialup users has pissed somebody off, for these attacks are aimed at my modem pool.
Me: Nope, can't help you, sorry.
Customer: Excuse me?
Me: It's your own fault that you're getting attacked because your customers use IRC. Now sit back and take your spanking. If you wish, I can have a sales representative contact you tomorrow if you feel you need more bandwidth.
Customer: You've got to be kidding!
Me: Nope, thank you, drive through. *click*
See me sitting in the unemployment office the next day.
Something I've found in my time doing security work is that IRC provides an extremely useful 'early warning system'. What attacks and exploits get tried against IRC networks/servers today are the ones that are used against the internet at large tomorrow.
Yeah, you'd think that people would learn wouldn't you? But no, they don't attempt to fix something until it is directly affecting them. Of course, I was already aware of the Trinoo/etc attacks before CNN/etc got hit, thanks to BugTraq and IRC, and had already gotten the tools necessary to monitor my (then relatively small) network to ensure that such attacks didn't originate from me. If the rest of the internet had taken such measures, then the damage wouldn't have been anywhere near as bad as what it was.
I would strongly recommend that instead of berating people for 'setting themselves up as targets' you concentrate your efforts on curing the disease -- not the symptom. If for whatever reason some script kiddie decides to attack someone on your network, you won't be able to say "But I'm not running an IRC server!" and expect the attack to go away. You'll have to deal with it, the same way us folks who participate in the 'early warning system' have had to for quite some time now.
Well Sven, I think the days of the internet being self-policing are long gone. Remember back when if you sent out a complaint about somebody probing your machine, you actually got a human reply? Not anymore. I send out lots of these every month and most of the time, I don't even get an autoreply, much less a human response. Attempting to contact somebody via telephone usually proves to be an exercise in futility as well.
Somebody mentioned in this thread that the Government needed to get involved to regulate the industry. Is this really what you want? Personally, I prefer it if the (US) government kept its hands out of my business as much as possible. I feel that if/when the government *does* step in, we will all find the internet to be a much less useful (and therefore less profitable) place to be. Not to mention the difficulty the government would have enforcing such laws on an international medium.
Ingress-egress filtering would be a major step forward, but also, cooperation between providers so we can nip the problem "in the bud." After all, the less malicious (l)users we have on the net, the less likely we will have malicious packets crossing our routers that we must filter.
If I send an email saying "somebody from $ip_address at $time, $timezone was doing $malicious_activity" and in fact $ip_address is under your control or under your customer's control, I expect you to do something about it, and I expect you to inform me of what you have done. Unless a court order is involved, I don't expect to ever learn the identity of the problem user, just that he/she has been dealt with appropriately. Do I get this? Nowhere near as often as I should. Why not? It's simple, more likely than not, the ISP in question is not making any money from me, and therefore feels as though they need not listen to me or deal with my complaint.
But, on the same note, I guarantee that if somebody from *my* network does the same exact thing to *his* machine or *his* customer, I would be hearing about it. I am thinking about putting up a "Wall of Shame" that lists those ISPs (especially large ones) who ignore abuse complaints that come from my company. I may even start posting this to NANOG just so we know who's lame and who isn't.
Jeff
--
"For competitive reasons we can't tell you the location of our fiber." -- An anonymous representative of a very large telco
"For competitive reasons we can't tell you the location of our backhoe." -- An anonymous representative of a contractor.