From: up@3.am [mailto:up@3.am] Sent: Thursday, July 12, 2001 7:23 AM
I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
This is the main point, a script-kiddie hunt, with prosecution, is the ONLY real deterrent. Throw some of them in hotel greybar and remove them from computing, for life, and we may see some of this turn around. If a lady wears skimpy clothing, does she deserve to get raped? Obviously, not. If a computer has skimpy protection, does it deserve to be turned into a zombie? Simply because you forget to lock your car one night (whilst in your driveway), do you deserve to have it stolen? If you leave a $100 on your kitchen table, in your unlocked house, whilst you are working in your garage, do I have the right to sneak in the back door and take it while avoiding prosecution, on the grounds that you were careless? WRT EFFnet, does a prostitute deserve to be raped? There are certain reasonable presumptions, like safety, that our society affords us. Script kiddies violate those as do the slime-bags that argue for their good. How much of our budgets have gone to protecting ourselves from those rodents? How much revenue has been lost because of their activity? They are the rats of the Internet and bring disease with them wherever they go. Their population is growing to plague proportions and they are getting bolder. It's long past time to poison the lot of them, including their supporters. Personally, I feel that the crud that writes and releases their code for them should be lobotomized. Regardless of their disclaimers, they are NOT doing a public good.
On Thu, 12 Jul 2001, Roeland Meyer wrote:
From: up@3.am [mailto:up@3.am] Sent: Thursday, July 12, 2001 7:23 AM
I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
This is the main point, a script-kiddie hunt, with prosecution, is the ONLY real deterrent. Throw some of them in hotel greybar and remove them from computing, for life, and we may see some of this turn around.
I am just concerned about our current legal systems being able to handle such cases efficiently. Well.. Perhaps I should not use 'legal systems' and 'efficiently' in the same sentence, but you get the idea ;) Think SPAM here. It has been discussed in the past, and I have a few users who have been victims of SPAM-zombies (or the like). This is not too much different. I got abuse reports from several different sources about SPAM originating from a customer of ours who has been with us for four years so I questioned stuff. Turns out they had a similar zombie designed to SPAM. Their fault? No. Should I have placed filters on their IP? Yes. It was a choice to deny one person service till the problem was corrected for a short time, or to have the rest of the internet community suffer. Also- dealing with attackers from other countries (and taking them to court) can be a serious and costly issue.
If a lady wears skimpy clothing, does she deserve to get raped? Obviously, not. If a computer has skimpy protection, does it deserve to be turned into a zombie? Simply because you forget to lock your car one night (whilst in your driveway), do you deserve to have it stolen? If you leave a $100 on your kitchen table, in your unlocked house, whilst you are working in your garage, do I have the right to sneak in the back door and take it while avoiding prosecution, on the grounds that you were careless? WRT EFFnet, does a prostitute deserve to be raped?
Agreed. They do not deserve it. However, by the time their machine(s) are compromised, the damage has been done.
There are certain reasonable presumptions, like safety, that our society affords us. Script kiddies violate those as do the slime-bags that argue for their good. How much of our budgets have gone to protecting ourselves from those rodents? How much revenue has been lost because of their activity? They are the rats of the Internet and bring disease with them wherever they go. Their population is growing to plague proportions and they are getting bolder. It's long past time to poison the lot of them, including their supporters.
I wish I had the $$ to take them all to court (even some of them in other countries).
Personally, I feel that the crud that writes and releases their code for them should be lobotomized. Regardless of their disclaimers, they are NOT doing a public good.
In a perfect world, we would not need hardened-steel-reinforced safes for our money and 128-bit SSL encryption to make online orders. All of our efforts and attempts to bring order to a chaotic society will be tested again and again by members of that society. So- while I agree with your intentions- staying ahead of the game is probably the most efficient way to 'win'. Hence BugTraq and the like. Sure- posting code to bugtraq which gives remote root access to 10% of DNS servers on the planet also puts that code in the hands of individuals who do not deserve it. However, and even better-yet, it puts it in the hands of those who need it most.
--- Brad Baker Director: Network Operations American ISP brad@americanisp.net +1 303 984 5700 x12 http://www.americanisp.net/
Speaking of DDOS attacks, there seems to be one going on associated with the NANOG list. I was wondering if anyone could offer insight. At my work address, I have received the same email from NANOG about every 10 - 15 minutes. I have received hundreds of copies of this email. Yet at this address I do not receive the repeated copies (and no one else on the list appears to have complained). If I look at the header of the email, the last hop, if I am reading it correctly, is named "zombie.la.interpacket.net" by mrbig.la.interpacket.net. I have since unsubscribed from NANOG from my work address yet still receive the emails. Also, this has been going on for over a week (since a rule filters all my nanog email into a folder, it has not bothered me too much) - every few days, the email that I am repeatedly hit with changes. Currently, the email I am being hit with is "OT: The End of Empire." Below I have pasted the header of the email. I would be curious to hear people's thoughts about this. Is this a type of a DDOS? Anyone familiar with it?
-B

Received: from XXXX ([165.135.0.253]) by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001 16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap (V5.5) id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix) id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 83A3791231 for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001 14:35:29 -0400 (EDT)
Received: by segue.merit.edu (Postfix) id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
Delivered-To: nanog@merit.edu
Received: from bond.interpacket.net (us-la-gate.interpacket.net [209.198.223.250]) by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8 for <nanog@merit.edu>; Tue, 10 Jul 2001 14:36:57 -0400 (EDT)
Received: (qmail 31855 invoked from network); 10 Jul 2001 18:35:43 -0000
Received: from mrbig.la.interpacket.net (192.168.6.5) by bond.la.interpacket.net with SMTP; 10 Jul 2001 18:35:42 -0000
Received: from [192.168.4.53] (zombie.la.interpacket.net [192.168.4.53]) by mrbig.la.interpacket.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
Mime-Version: 1.0
X-Sender: mikey@popmail.la.interpacket.net
Message-Id: <a05010406b770fb74762d@[192.168.4.53]>
Date: Tue, 10 Jul 2001 11:35:52 -0700
To: nanog@merit.edu
From: Mikey Wilsker <mikey@interpacket.net>
Subject: OT: The End of Empire
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog
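The Received: chain pasted above reads from the bottom up, because every relay prepends its own line. The following is an added example, not part of the original post, that parses such a header and lists the hops in delivery order so the injecting host (here the zombie.la.interpacket.net line) and the later relays can be read off directly; its input is a constructed subset of the header above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the hop-related Received: lines from the header quoted above
# (qmail, Delivered-To and body headers dropped; hosts and ids as they appear there).
SAMPLE_HEADERS = """\
Received: from XXXX ([165.135.0.253]) by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001 16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap (V5.5) id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix) id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 83A3791231 for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001 14:35:29 -0400 (EDT)
Received: from bond.interpacket.net (us-la-gate.interpacket.net [209.198.223.250]) by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8 for <nanog@merit.edu>; Tue, 10 Jul 2001 14:36:57 -0400 (EDT)
Received: from mrbig.la.interpacket.net (192.168.6.5) by bond.la.interpacket.net with SMTP; 10 Jul 2001 18:35:42 -0000
Received: from [192.168.4.53] (zombie.la.interpacket.net [192.168.4.53]) by mrbig.la.interpacket.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
Message-Id: <a05010406b770fb74762d@[192.168.4.53]>
"""

Hop = Dict[str, Optional[str]]

def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto the previous header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line)
    return lines

def parse_received(value: str) -> Hop:
    """Extract from/by/id and the timestamp clause from one Received: value."""
    body, sep, stamp = value.rpartition(";")
    if not sep:                      # no timestamp clause at all
        body, stamp = value, ""
    # 'from' only counts at the start of the clause, so 'from userid 56' or
    # 'invoked from network' inside a comment is not mistaken for a hop.
    m_from = re.match(r"\s*from\s+([^\s(;]+)\s*(?:\(([^)]*)\))?", body)
    m_by = re.search(r"\bby\s+([^\s;]+)", body)
    m_id = re.search(r"\bid\s+([^\s;]+)", body)
    return {
        "helo": m_from.group(1) if m_from else None,
        "comment": m_from.group(2) if m_from and m_from.group(2) else None,
        "by": m_by.group(1) if m_by else None,
        "id": m_id.group(1) if m_id else None,
        "date": stamp.strip() or None,
    }

def trace(raw: str) -> List[Hop]:
    """Received: hops in delivery order (origin first). Each MTA prepends its own
    line, so the header order is reversed to follow the message forward."""
    hops = [parse_received(line[len("Received:"):])
            for line in unfold(raw) if line.lower().startswith("received:")]
    hops.reverse()
    return hops

def origin(raw: str) -> Optional[str]:
    """Host that injected the message: the reverse-DNS name in the first hop's
    comment, else its HELO name. Lines below the first relay you trust can be
    forged, so this is a lead to check against that relay's logs, not proof."""
    hops = trace(raw)
    if not hops:
        return None
    first = hops[0]
    return first["comment"].split()[0] if first["comment"] else first["helo"]

def format_trace(raw: str) -> List[str]:
    """One 'from -> by [date]' line per hop, for eyeballing loops and odd relays."""
    return [f"{h['helo'] or '(local)'} -> {h['by'] or '?'}  [{h['date'] or 'no date'}]"
            for h in trace(raw)]

if __name__ == "__main__":
    print("\n".join(format_trace(SAMPLE_HEADERS)))
    print("origin:", origin(SAMPLE_HEADERS))
```

Note that the chain only explains how one copy travelled; repeated redelivery every few minutes points at the last hops (the receiving site's own relays), which is where the corresponding MTA logs should be checked.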
At 08:45 AM 7/12/01 -0700, Roeland Meyer wrote:
This is the main point, a script-kiddie hunt, with prosecution, is the ONLY real deterrent. Throw some of them in hotel greybar and remove them from computing, for life, and we may see some of this turn around.
If a lady wears skimpy clothing, does she deserve to get raped? Obviously, not. If a computer has skimpy protection, does it deserve to be turned into a zombie? Simply because you forget to lock your car one night (whilst in your driveway), do you deserve to have it stolen? If you leave a $100 on your kitchen table, in your unlocked house, whilst you are working in your garage, do I have the right to sneak in the back door and take it while avoiding prosecution, on the grounds that you were careless? WRT EFFnet, does a prostitute deserve to be raped?
By the way, for those who care, there are relatively easy ways to fight DoS attacks:
* use netflow and a bunch of scripts to detect them automatically
* use BGP to block them on all your border routers instantly, based on destination
* use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to
With a combination of all that, you can automatically block any major attack at your border. Is it scalable? Yes. What about false alarms? We have implemented the detection bit. With a bit of tuning, we get 0.1% of false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s (up to 10000s pkts/s). I wouldn't be surprised if Tier1 networks would catch many more attacks than that, with the same tool. My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS attacks be a thing of the past. "Kiddies only do it because they can".
DH.
David Harmelin, Network Engineer, DANCERT Representative
DANTE, Francis House, 112 Hills Road, Cambridge CB2 1PQ, United Kingdom
Tel +44 1223 302992  Fax +44 1223 303005  WWW http://www.dante.net
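As an added example, not Harmelin's tool nor anything from DANTE: a toy version of the "netflow and a bunch of scripts" detection step he describes, using the 500 pkts/s bound from his post plus two false-alarm knobs (distinct-source count and persistence across consecutive windows), and producing the destination /32s that the BGP blackhole step would announce. The flow tuples and the traffic are constructed and simplified, and the output format is free-form text, not any router's syntax.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Simplified flow record: (start_sec, src, dst, packets). Real NetFlow v5 carries
# more fields; these four are all a destination-based trigger needs.
Flow = Tuple[int, str, str, int]

WINDOW_SEC = 60
PPS_THRESHOLD = 500    # the post's lower bound for an attack, in packets per second
MIN_SOURCES = 50       # distinct sources per window: distributed flood, not one busy client
MIN_WINDOWS = 2        # consecutive windows the condition must hold; drops one-off bursts

def synthetic_flows() -> List[Flow]:
    """Constructed traffic, not real data. Three destinations:
    192.0.2.10: 300 sources, 600 pps, two consecutive windows  -> attack
    192.0.2.20: 10 sources, ~667 pps, sustained                -> busy legitimate server
    192.0.2.30: 200 sources, ~667 pps, one window only         -> transient burst
    """
    flows: List[Flow] = []
    for w in range(3):
        base = w * WINDOW_SEC
        if w < 2:
            flows += [(base + i % 60, f"10.{i // 256}.{i % 256}.1", "192.0.2.10", 120)
                      for i in range(300)]
        flows += [(base + i, f"172.16.0.{i}", "192.0.2.20", 4000) for i in range(10)]
        if w == 0:
            flows += [(base + i % 60, f"10.9.{i}.1", "192.0.2.30", 200) for i in range(200)]
    return flows

def bucketize(flows: List[Flow]):
    """Aggregate packet counts and distinct sources per (window, destination)."""
    packets: Dict[Tuple[int, str], int] = defaultdict(int)
    sources: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for start, src, dst, pkts in flows:
        key = (start // WINDOW_SEC, dst)
        packets[key] += pkts
        sources[key].add(src)
    return packets, sources

def detect(flows: List[Flow]) -> Dict[str, float]:
    """Destinations under a sustained distributed flood, mapped to their peak pps.
    Assumes the exporter delivers every window, so 'consecutive' means adjacent
    in the sorted window list."""
    packets, sources = bucketize(flows)
    windows = sorted({w for w, _ in packets})
    victims: Dict[str, float] = {}
    for dst in {d for _, d in packets}:
        run = 0
        for w in windows:
            pps = packets.get((w, dst), 0) / WINDOW_SEC
            if pps >= PPS_THRESHOLD and len(sources.get((w, dst), ())) >= MIN_SOURCES:
                run += 1
                if run >= MIN_WINDOWS:
                    victims[dst] = max(victims.get(dst, 0.0), pps)
            else:
                run = 0
    return victims

def blackhole_candidates(flows: List[Flow]) -> List[str]:
    """Host routes for the destination-based blackhole: what the script would hand
    to the BGP trigger router (free-form text here, not any vendor's syntax)."""
    return [f"{dst}/32 discard  # peak {pps:.0f} pps"
            for dst, pps in sorted(detect(flows).items())]

if __name__ == "__main__":
    for route in blackhole_candidates(synthetic_flows()):
        print(route)
```

With these knobs the busy server (few sources) and the one-window burst are left alone, which is the tuning that keeps the false-alarm rate down; the cost, as Brad notes below, is that the blackhole still drops the victim's traffic, it just stops the flood from saturating the border.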
On Thu, 12 Jul 2001, David Harmelin wrote:
At 08:45 AM 7/12/01 -0700, Roeland Meyer wrote:
This is the main point, a script-kiddie hunt, with prosecution, is the ONLY real deterrent. Throw some of them in hotel greybar and remove them from computing, for life, and we may see some of this turn around.
If a lady wears skimpy clothing, does she deserve to get raped? Obviously, not. If a computer has skimpy protection, does it deserve to be turned into a zombie? Simply because you forget to lock your car one night (whilst in your driveway), do you deserve to have it stolen? If you leave a $100 on your kitchen table, in your unlocked house, whilst you are working in your garage, do I have the right to sneak in the back door and take it while avoiding prosecution, on the grounds that you were careless? WRT EFFnet, does a prostitute deserve to be raped?
By the way, for those who care, there are relatively easy ways to fight DoS attacks:
* use netflow and a bunch of scripts to detect them automatically
* use BGP to block them on all your border routers instantly, based on destination
* use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to
With a combination of all that, you can automatically block any major attack at your border.
Sorry- but after doing all of that, DDoS attacks still saturate even the largest circuits- thus denying the service.
Is it scalable? Yes.
Until the CPU overhead from netflow knocks out the router(s) from a mass-attack.
What about false alarms? We have implemented the detection bit. With a bit of tuning, we get 0.1% of false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s (up to 10000s pkts/s). I wouldn't be surprised if Tier1 networks would catch many more attacks than that, with the same tool.
My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS attacks be a thing of the past. "Kiddies only do it because they can".
DH.
--- Brad Baker Director: Network Operations American ISP brad@americanisp.net +1 303 984 5700 x12 http://www.americanisp.net/ Fortune-- I will always love the false image I had of you.
On Thu, 12 Jul 2001, Brad wrote:
Sorry- but after doing all of that, DDoS attacks still saturate even the largest circuits- thus denying the service.
It is not perfect, but it does help. Of course there are those who take the approach "it is not a perfect solution so we will not bother filtering anything at all". -Dan
On Thu, 12 Jul 2001, Dan Hollis wrote:
On Thu, 12 Jul 2001, Brad wrote:
Sorry- but after doing all of that, DDoS attacks still saturate even the largest circuits- thus denying the service.
It is not perfect, but it does help.
Of course there are those who take the approach "it is not a perfect solution so we will not bother filtering anything at all".
Well- I have a little experience with this, and from that experience I have noticed that DDoS attacks can often saturate the circuits to the point of BGP failure. Of course- null-routing the target address does help with the CPU overhead a little.. However the service is effectively shut off by that point anyway.
-Dan
--- Brad Baker Director: Network Operations American ISP brad@americanisp.net +1 303 984 5700 x12 http://www.americanisp.net/
One important notice - most of these kiddies are not from the USA.
----- Original Message -----
From: "Roeland Meyer" <rmeyer@mhsc.com>
To: <up@3.am>; <nanog@merit.edu>
Sent: Thursday, July 12, 2001 8:45 AM
Subject: RE: DDoS attacks
From: up@3.am [mailto:up@3.am] Sent: Thursday, July 12, 2001 7:23 AM
I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
That's obviously a big issue, but not unaddressable...most countries have laws against this sort of thing. At some point, somebody's going to deal with an unresponsive government by blackholing entire regions...certain APNIC blocks come to mind. Any network where DDoS perpetrators can operate with impunity will eventually be considered too dangerous to NOT blackhole. We haven't arrived at that point yet because A) DDoS attacks haven't gotten so out of hand that it's stopping big businesses in their tracks continuously (but it may, soon) and B) At this point, NONE of the governments (including the US) are sufficiently responsive to the point where any particular region could be blackholed (but this will change as point A changes) to any effect.
On Thu, 12 Jul 2001, Alexei Roudnev wrote:
One important notice - most of these kiddies are not from the USA.
----- Original Message -----
I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
On Thu, 12 Jul 2001 up@3.am wrote: [deleted]
On Thu, 12 Jul 2001, Alexei Roudnev wrote:
One important notice - most of these kiddies are not from the USA.
How exactly did you get to this conclusion?? The smarter script kiddies can crack systems in a few countries and use a few hops to get to the place where they installed the zombie master, for example:
<cracker> -> <Romania> -> <China> -> <Poland (DDoS master)>
Good luck to you tracing the attack to the cracker ;-)
- Rafi
--
Rafi Sadowsky  rafi@cert.ac.il
Network Operations Center   | VoiceMail: +972-3-646-0592  FAX: +972-3-646-0454
ILAN - IUCC - I2 (Israel)   | FIRST-REP for ILAN-CERT (CERT@CERT.AC.IL)
(Israeli Academic Network)  | (PGP key -> http://telem.openu.ac.il/~rafi)
----- Original Message -----
I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
// First of all; please, I use the word Russia only because it reflects a lot of other countries such as eastern Europe, Israel, Latin America etc. etc., which have educated people but do not have this idiosyncrasy about law and order... Don't write about _terrible Russian hackers damaging the whole world_; I saw such hackers in American movies only... First of all, people here (in the USA) respect the law; people in other countries do not. How often are you driving 100 mph? (Sorry, you are in Italy? I suspect your answer will be _yes, every day_. But if you were from the USA, you would (maybe) never reach this speed, because you respect the law... For comparison, in Russia (where there are few high-quality roads) they do it every day: they drive as fast as they can, not as it is posted... They never think about _the law_; they are led by their own brains. So do the kiddies. But it's a _common philosophy_. On the other hand, I had 2 years of experience working (part time; I was head of a NOC) as a RU-CERT expert, tracing hackers and prosecuting them. We revealed 2 generations of our own _script kiddies_, traced a lot of different IRCs, maintained a few honey pots, etc. etc... Results? We saw a lot of different hackers, virtual or real ones, but we never saw any hacker from the USA. After I came here and began to work here, I understood _why_ we saw such a strange picture... Kiddies here _have something to lose_: they have their education, their loans, their future plans. Kiddies in other countries have much more spare time, have nothing to lose, and are not obliged to buy software (any software is FREE, do you know it? You don't think so? You can come to ANY computer market in any country outside the USA and western Europe, and you'll find ANY software at the price of $5/600 MB... So, if some kiddy wants to install MSVC, he needs $1 only, less than his lunch). I do not have good statistics.
Today, I saw a few articles about _honeypots_ and _honeynets_, and I suspect these guys can collect some useful statistics. My impression was: _guys in the USA write something but do not use it for wide intrusion; kiddies in Russia, Israel, Korea etc. use this software to collect exploits, roots, accounts, credit cards all over the world...._ It is mostly games, but sometimes it becomes dangerous. IRC is another thing... It was, it is, and it will be some kind of natural _honey pot_ for the hackers. So use it, don't fight it -:).
----- Original Message -----
From: "Rafi Sadowsky" <rafi-nanog@meron.openu.ac.il>
To: <up@3.am>
Cc: <nanog@merit.edu>
Sent: Thursday, July 12, 2001 5:08 PM
Subject: Re: DDoS attacks
On Thu, 12 Jul 2001 up@3.am wrote:
[deleted]
On Thu, 12 Jul 2001, Alexei Roudnev wrote:
One important notice - most of these kiddies are not from the USA.
How exactly did you get to this conclusion ??
The smarter script kiddies can crack systems in a few countries and use a few hops to get to the place where they installed the zombie master, for example:
<cracker> -> <Romania> -> <China> -> <Poland (DDoS master)>
Good luck to you tracing the attack to the cracker ;-)
- Rafi
----- Original Message -----
I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
The main problem with these kiddies is not _law_. It is _communication between ISPs_ and _their ability to trace something_. In theory, any attack can be traced to its origins. What you need is a lot of time, you need good IP accounting, a few filters; then you need to find zombied computers and install your own trojans to trace back the hackers who use these zombies. It is easy to do it in such a country as Russia: I always could call my colleagues at another ISP, ask them something, ask a computer owner to allow me to install my own software in his zombied system, etc. etc. When these traces led us out to Europe, everything became slower but _yet_ possible (it was 2 or 3 years ago). When traces came into the USA, you were stuck with an 800 number, _Enter your account number / all our representatives are busy_, brainless first-level support engineers and the inability to find someone skilled, privacy concerns, etc. etc... I can give a very good example here. A lot of kiddies used 'ftp.technotronic.com' as a store for trojan packages. If someone investigated the logs of this ftp and looked at _where (I mean IP addresses) linux trojan kit 3 (for example)_ was downloaded from, he definitely had a chance to find approximately 100 - 200 zombied systems over the world (because every time _these particular hackers_ broke into some linux, they downloaded lrk3, sniffers and other tools directly from this ftp server). If someone installed his own trojan into the pre-built sniffers, they could have a chance to receive a notification about broken and sniffed systems over the world. Etc. etc. Guess, could we ever find any person from ftp.technotronic.com? Of course, we could not... Just the same thing was about Exodus and the home pages hackers keep on it: no chance to be understood... We never asked to be given this information, we asked only to collect it and investigate it (and we never dreamed the FBI could participate and help). Talking about _law_.
I know Russian law; it's not a problem to prosecute a hacker if you have evidence. And you don't even need a lot of it. In my understanding, it's more a communication problem, not a legislation one and not a technical one... Alex Roudnev.
----- Original Message -----
From: <up@3.am>
To: <nanog@merit.edu>
Sent: Thursday, July 12, 2001 1:07 PM
Subject: Re: DDoS attacks
That's obviously a big issue, but not unaddressable...most countries have laws against this sort of thing. At some point, somebody's going to deal with an unresponsive government by blackholing entire regions...certain APNIC blocks come to mind. Any network where DDoS perpetrators can operate with impunity will eventually be considered too dangerous to NOT blackhole.
We haven't arrived at that point yet because A) DDoS attacks haven't gotten so out of hand that it's stopping big businesses in their tracks continuously (but it may, soon) and B) At this point, NONE of the governments (including the US) are sufficiently responsive to the point where any particular region could be blackholed (but this will change as point A changes) to any effect.
On Thu, 12 Jul 2001, Alexei Roudnev wrote:
One important notice - most of these kiddies are not from the USA.
----- Original Message -----
I can't help but believe that if even 20% of them were caught and had to spend just a little time (even hours) with the cops, and had their peecees confiscated, you'd not be seeing nearly the problems we are now.
participants (8): Alexei Roudnev, Brad, Dan Hollis, David Harmelin, Rafi Sadowsky, Robert Cannon, Roeland Meyer, up@3.am