[snip]
Your initial email asked for an AboveNet contact. Did you get some assistance, and if so, what was the resolution? This is very important for us to know so we can kind of keep track of cooperative ISPs and the ones that just ignore these problems.

And then what? Suppose you had a list of non-cooperative ISPs? What then? Experience has shown that the ISPs that don't care won't care no matter what you say or do (those who follow FIRST know I have a lot to say on this matter, but have been holding back to give those non-cooperative ISPs time to make matters right - we are now on day 5 of a continuous non-spoofed 20Mb/sec DDoS attack :-)). Convince me why a list of non-cooperative ISPs is a thing that would help.
Well, the way I see it, this internet thing is new to a lot of companies. Some are finding out the hard way what works and what doesn't. Quite a bit of the normal controls to prevent bad service, etc. are not in place.
I'm sure you've heard of the Better Business Bureau, the Chamber of Commerce, etc.? Well, I wasn't suggesting making a list; I was suggesting he report his interaction with that company to you guys. This might allow NANOG to know how this or that ISP is responding to requests. You can sit by and say "experience has shown", and you're right. However, that is because no one is calling for any responsibility. There is no review and no drawbacks to acting with complete disregard. Well, just reporting that I spoke with X ISP and they attempted to cooperate, or they didn't care at all, is a small first step. If someone then took these reports and passed them to Boardwatch, or whatever, the ISP might end up answering to someone.
There is quite a bit of helplessness and inaction going on when it comes to these types of situations, and BIG ISPs can get away with whatever they want. Well, experience has shown that if you organize, the "little" people can influence the BIGGER.
-Hank
Jon
Here are my thoughts on DDoS:

- The problem should not be addressed by going after the originators of the attacks, but rather with a real-time targeting system for those 'compromised' client computers with zombies installed. It seems to me that no matter the use, a computer that is attached to a global network and is compromised in such a way should be forced to correct the problem prior to continued participation in that network.

With that said, it also appears there are two steps which need to take place for proper implementation of such a system: detection and elimination.

As for the detection, well, that is the hard part. As I understand these zombies, they are just IRC clients embedded in the compromised machine. And nothing stops IRC clients from connecting on just about any port available, so port-based scans or blocks are not going to cut it.

So, if we cannot scan for compromised machines, we need to be reactive to their attacks. Finding out which IPs are involved in a DDoS attack is not too hard. Hell, just last week I was hit by a DDoS of 220 individual IPs from different networks. All IPs were recorded for future use. (And the target was a web server, not an IRC server/client.)

How do we use this data to our advantage? What can we do with it to 'verify' a bad client? Should there be a time limit for denial (for dynamically assigned members)? Once an attack has started, what mechanism can be in place to stop it?

Clearly there are a lot of unanswered questions. I hope this post spins off some constructive discussion.

---
Brad Baker
Director: Network Operations
American ISP
brad@americanisp.net
+1 303 984 5700 x12
http://www.americanisp.net/
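As an added example (not code from the thread or from American ISP), one way to act on the recorded source IPs and the time-limited denial Brad raises: parse web server access-log lines, flag any source that exceeds a request rate inside a sliding window, and hold flagged addresses on a deny list whose entries age out so a dynamically assigned address is not blocked forever. The log lines, IP addresses, threshold, window and TTL below are all constructed or assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')   # source IP and timestamp of a CLF line
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample CLF lines (documentation IPs): one address hammers the server, one browses.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - - [10/Feb/2000:12:00:{s:02d} +0000] "GET / HTTP/1.0" 200 512'
     for s in range(0, 20, 2)]  # 10 hits in 20 seconds
    + ['203.0.113.5 - - [10/Feb/2000:12:00:03 +0000] "GET /index.html HTTP/1.0" 200 2048',
       '203.0.113.5 - - [10/Feb/2000:12:09:30 +0000] "GET /about.html HTTP/1.0" 200 1024']
)

def parse_line(line):  # -> (source_ip, timestamp) or None when the line is not CLF
    m = LOG_RE.match(line)
    return (m.group(1), datetime.strptime(m.group(2), TS_FMT)) if m else None

def flag_sources(log_text, threshold=8, window=timedelta(seconds=30)):
    """Return the set of source IPs that sent >= threshold requests inside any `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hits[parsed[0]].append(parsed[1])
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # two-pointer sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

class DenyList:
    """Deny list whose entries expire, so a dynamically assigned address is not blocked forever."""
    def __init__(self, ttl=timedelta(hours=1)):
        self.ttl, self._until = ttl, {}
    def add(self, ip, now):
        self._until[ip] = now + self.ttl
    def is_denied(self, ip, now):
        until = self._until.get(ip)
        if until is not None and now < until:
            return True
        self._until.pop(ip, None)  # unknown or aged out: drop any stale entry
        return False
```

The flagged set is only a candidate list: a shared proxy or a busy legitimate client can cross the threshold, so it should feed a review or a short TTL rather than a permanent block.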