Hi,
#This goes beyond spam and the resources that many mail servers are #using. These attacks are being directed at anti-spam organizations #today. Where will they point tomorrow? Many forms of breaking through #network security require that a system be DOS'd while the crime is being #committed. These machines won't quiet down after the blacklists are shut #down. They will keep attacking hosts. For the US market, this is a #national security issue. These systems will be exploited to cause havoc #among networks of all types and sizes; governmental and commercial.
Note that not all DNSBLs are being effectively hit. DNSBLs which run with publicly available zone files are too distributed to be easily taken down, particularly if periodic deltas are distributed via cryptographically signed Usenet messages (or other "push" channels). You can immunize DNSBLs from attack, *provided* that you're willing to publicly distribute the contents of those DNSBLs.
And when it comes to dealing with the sources of these attacks, we all know that there are *some* networks where security simply isn't any sort of priority. (For example, make it a practice to routinely see what ISPs consistently show up highly ranked on incident summary sites such as http://www.mynetwatchman.com/ ).
Maybe the folks running those networks are overworked and understaffed, maybe they have legal constraints that limit what they can do, maybe their management just don't care as long as they keep getting paid. Who knows? Whatever the reason, no one is willing to depeer them or filter their routes, so they really are free to do absolutely *nothing* about vulnerable hosts or abusive customers.
There are absolutely *no* consequences to their security inactivity, and because of that, none of us should be surprised that the problem is becoming a worsening one.
Regards,
Joe St Sauver (joe@oregon.uoregon.edu) University of Oregon Computing Center
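Joe's point about DNSBLs that survive by publishing their zone and pushing signed deltas, as an added example that is not from the thread or from any DNSBL operator's code: a subscriber-side mirror that verifies an Ed25519 signature on each delta before applying it, refuses replayed or out-of-order serials, answers lookups from the local copy, and renders the copy as zone-file records for a local nameserver. The JSON delta format, its field names, the zone origin bl.example and the RFC 5737 documentation addresses are all constructed assumptions for this example; the thread mentions signed Usenet messages but no particular format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Delta is one incremental zone update as a publisher would push it
// (hypothetical format constructed for this example).
type Delta struct {
	Serial uint32   `json:"serial"` // must be exactly previous serial + 1
	Add    []string `json:"add"`    // IPv4 addresses newly listed
	Remove []string `json:"remove"` // IPv4 addresses delisted
}

// SignedDelta is the encoded delta plus a detached Ed25519 signature,
// the kind of envelope that could be posted to Usenet or any push channel.
type SignedDelta struct {
	Payload []byte
	Sig     []byte
}

// Zone is a subscriber's local mirror of the DNSBL.
type Zone struct {
	Serial uint32
	Listed map[string]bool
}

func NewZone() *Zone { return &Zone{Listed: map[string]bool{}} }

// GenerateKeys makes the publisher's signing keypair; only the public half
// is handed to mirrors, so mirrors can verify but never forge deltas.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignDelta serialises the delta and signs the exact bytes that are sent.
func SignDelta(priv ed25519.PrivateKey, d Delta) SignedDelta {
	payload, _ := json.Marshal(d)
	return SignedDelta{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// ReverseIPv4 turns 192.0.2.10 into 10.2.0.192, the label order DNSBL
// clients query under the zone origin.
func ReverseIPv4(ip string) (string, error) {
	parsed := net.ParseIP(ip)
	if parsed == nil || parsed.To4() == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	o := strings.Split(parsed.To4().String(), ".")
	return o[3] + "." + o[2] + "." + o[1] + "." + o[0], nil
}

// Apply verifies the signature, enforces strict serial ordering (a replayed
// or out-of-order delta is rejected) and only then updates the mirror.
func (z *Zone) Apply(pub ed25519.PublicKey, sd SignedDelta) error {
	if !ed25519.Verify(pub, sd.Payload, sd.Sig) {
		return errors.New("signature does not verify; delta discarded")
	}
	var d Delta
	if err := json.Unmarshal(sd.Payload, &d); err != nil {
		return err
	}
	if d.Serial != z.Serial+1 {
		return fmt.Errorf("serial %d out of order (mirror at %d)", d.Serial, z.Serial)
	}
	for _, ip := range d.Remove {
		delete(z.Listed, ip)
	}
	for _, ip := range d.Add {
		if _, err := ReverseIPv4(ip); err != nil {
			return err
		}
		z.Listed[ip] = true
	}
	z.Serial = d.Serial
	return nil
}

// Lookup answers a DNSBL query from the mirror: true means listed.
func (z *Zone) Lookup(ip string) (bool, error) {
	if _, err := ReverseIPv4(ip); err != nil {
		return false, err
	}
	return z.Listed[ip], nil
}

// Render writes the mirror as zone-file records; listed hosts resolve to
// 127.0.0.2, the conventional "listed" answer.
func (z *Zone) Render(origin string) string {
	var lines []string
	for ip := range z.Listed {
		rev, _ := ReverseIPv4(ip)
		lines = append(lines, fmt.Sprintf("%s.%s IN A 127.0.0.2", rev, origin))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n")
}

func main() {
	pub, priv := GenerateKeys()
	z := NewZone()
	// Constructed sample deltas using RFC 5737 documentation addresses.
	first := SignDelta(priv, Delta{Serial: 1, Add: []string{"192.0.2.10", "198.51.100.7"}})
	second := SignDelta(priv, Delta{Serial: 2, Remove: []string{"198.51.100.7"}})
	fmt.Println(z.Apply(pub, first), z.Apply(pub, second))
	fmt.Println(z.Apply(pub, first)) // replay of serial 1 is refused
	fmt.Println(z.Render("bl.example."))
}
```

Every mirror that loads the rendered records is a full copy of the list, so taking down the publisher's own nameservers no longer stops lookups; the serial check matters because a push channel like Usenet delivers messages out of order and lets anyone repost old ones. What this does not protect is the operator's web site where people look up why they are listed, which the thread notes is a separate target.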
On Tue, 23 Sep 2003, Joe St Sauver wrote:
There are absolutely *no* consequences to their security inactivity, and because of that, none of us should be surprised that the problem is becoming a worsening one.
china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Tue, 23 Sep 2003 14:15:48 PDT, Dan Hollis said:
china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.
Well.. that's all fine and good, except we first need one large player to put their foot down and say "That's enough of this manure, we're depeering you and blocking your prefixes till you clean up your act". Once *one* big player does that, your "eventually happening" will be pretty fast.
But what's the business case for doing so? Unless enough of their customers are pissed off, it's not going to happen. Most users don't know enough about it to complain to their provider so it becomes a bottom line issue. On Tue, 23 Sep 2003 Valdis.Kletnieks@vt.edu wrote:
Well.. that's all fine and good, except we first need one large player to put their foot down and say "That's enough of this manure, we're depeering you and blocking your prefixes till you clean up your act".
Once *one* big player does that, your "eventually happening" will be pretty fast.
On Tuesday, Sep 23, 2003, at 17:32 Canada/Eastern, Valdis.Kletnieks@vt.edu wrote:
On Tue, 23 Sep 2003 14:15:48 PDT, Dan Hollis said:
china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.
Well.. that's all fine and good, except we first need one large player to put their foot down and say "That's enough of this manure, we're depeering you and blocking your prefixes till you clean up your act".
Once *one* big player does that, your "eventually happening" will be pretty fast.
In my recent experience, many, many network operators in North America and Europe are really, really bad at tracking back source-spoofed DDoS traffic through their networks (there are also some notable, fine exceptions I've dealt with recently, who know who they are and should not feel slighted by this generality). If transit was uniformly denied to every operator who was not equipped to deal with DDoS tracking in a timely manner, I think 90% of the Internet would disappear immediately. This is not just an Asian problem. (Incidentally, I think if one big player suddenly decided to throw away the millions of dollars of revenue they earn through providing transit to east Asian countries, the likely effect would be another grateful big player leaping in to take over. I don't see a future in which the well-being of users in other peoples' networks trumps income.) Joe
On Tue, 23 Sep 2003, Joe Abley wrote:
If transit was uniformly denied to every operator who was not equipped to deal with DDoS tracking in a timely manner, I think 90% of the Internet would disappear immediately.
it gets worse. there are operators who *are* equipped, but refuse to deal not only with ddos tracking but with shutting off confirmed sources within their networks. the response is 'we will deal with it when we get a subpoena'. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Dan Hollis wrote:
china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources.
This invites the question whether the hijacked PC or the hijacker in the sunshine state is more guilty of the spam and ddos? I would expect disconnecting .fl.us to have a more positive effect on the Internet as a whole than would .cn. Pete
On Wed, 24 Sep 2003, Petri Helenius wrote:
Dan Hollis wrote:
china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources. This invites the question if the hijacked PC or the hijacker in the sunshine state is more guilty of the spam and ddos?
the operator hosting the hijacked PC is guilty if they are notified and refuse to take action. which seems to be all too common these days with universities and colocation companies. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Dan Hollis wrote:
the operator hosting the hijacked PC is guilty if they are notified and refuse to take action. which seems to be all too common these days with universities and colocation companies.
In many cases they also are incompetent or incapable of taking action since there is hardly any "Disconnecting abusers for dummies" books on the shelf. Not that incompetence would work too well as defence, but you would have to take it that far or have some way of getting the abusers off the network without waiting for the slow and incompetent and deal with the consequences of mistakes later. Pete
http://www.openrbl.org is also offline due to a DDoS. ---Mike At 05:04 PM 23/09/2003, Joe St Sauver wrote:
Hi,
#This goes beyond spam and the resources that many mail servers are #using. These attacks are being directed at anti-spam organizations #today. Where will they point tomorrow? Many forms of breaking through #network security require that a system be DOS'd while the crime is being #committed. These machines won't quiet down after the blacklists are shut #down. They will keep attacking hosts. For the US market, this is a #national security issue. These systems will be exploited to cause havoc #among networks of all types and sizes; governmental and commercial.
Note that not all DNSBLs are being effectively hit. DNSBLs which run with publicly available zone files are too distributed to be easily taken down, particularly if periodic deltas are distributed via cryptographically signed Usenet messages (or other "push" channels). You can immunize DNSBLs from attack, *provided* that you're willing to publicly distribute the contents of those DNSBLs.
And when it comes to dealing with the sources of these attacks, we all know that there are *some* networks where security simply isn't any sort of priority. (For example, make it a practice to routinely see what ISPs consistently show up highly ranked on incident summary sites such as http://www.mynetwatchman.com/ ).
Maybe the folks running those networks are overworked and understaffed, maybe they have legal constraints that limit what they can do, maybe their management just don't care as long as they keep getting paid. Who knows? Whatever the reason, no one is willing to depeer them or filter their routes, so they really are free to do absolutely *nothing* about vulnerable hosts or abusive customers.
There are absolutely *no* consequences to their security inactivity, and because of that, none of us should be surprised that the problem is becoming a worsening one.
Regards,
Joe St Sauver (joe@oregon.uoregon.edu) University of Oregon Computing Center
On 9/23/2003 at 5:16 PM, "Mike Tancsa" <mike@sentex.net> wrote:
is also offline due to a DDoS.
And the ignorance of front-end personnel in LE agencies, unless you are the NY Times and claim $500,000 in purely fictitious damages, can be a bit frustrating. Spamcop and Spamhaus have been undergoing intense DDoS attacks for months, and I am only partially aware how they are being mitigated.
If certain large operators can donate bandwidth and equipment for IRC servers in locations with OC-12 and better connectivity, AND live through the DDoS attacks that come with it, why not step forward and provide some forwarding-proxy service for some of the websites and distribution sites for DNSBLs, plus possibly proxying DNS traffic? OpenRBL.org has stated (http://www.openrbl.org/index-2.htm) that the bandwidth required for actual application traffic can be very low (0.5Mbps or less), not counting DDoS traffic. No arrangements of that kind have to be public knowledge.
Other measures:
- Got a spare /20 that can be used to make the forwarding proxy hop around a bit, every 5 minutes or so, with DNS TTLs in the 10-minute range? It's been done with 'moving-target' spamvertised sites like optinspecialists.info , which is currently using a LARGE number of compromised Windows hosts illegally to proxy DNS and HTTP traffic for them. They've been doing it for weeks. Do the registrars care? Hell no. (see morozreg.biz, bubra.biz, the domains used for DNS, domains you probably want to add local zone overrides for, in your nameservers, not your HOSTS file. Now we know how Al-Qaeda is hiding their websites, at last. It would be trivial to 'sinkhole' DoS traffic still going on to IPs of the recent past, greatly increasing the chances of catching the perpetrators as they keep switching their trojans to new IPs, hitting a few fully-sniffed honeypots while they are at it.
- BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service?
This is a solution that has to be suggested and explained to some of the DNSBL operators. If someone reading this has gone forward with a private mailing list to discuss all these issues, I'd be happy to receive an invitation to donate my [lack of] smarts to the cause. bye,Kai
--On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting <kai@pac-rim.net> wrote:
- BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators.
Anyone want to offer hardware, colo, bandwidth and a bgp session for a dnsbl anycast solution?
On Tue, 23 Sep 2003, John Payne wrote:
--On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting <kai@pac-rim.net> wrote:
- BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators. Anyone want to offer hardware, colo, bandwidth and a bgp session for a dnsbl anycast solution?
they still make static targets for ddos, the only difference is theres a few more of them. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
--On Tuesday, September 23, 2003 4:56 PM -0700 Dan Hollis <goemon@anime.net> wrote:
On Tue, 23 Sep 2003, John Payne wrote:
--On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting <kai@pac-rim.net> wrote:
- BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators. Anyone want to offer hardware, colo, bandwidth and a bgp session for a dnsbl anycast solution?
they still make static targets for ddos, the only difference is theres a few more of them.
Yep
Kai Schlichting wrote:
On 9/23/2003 at 5:16 PM, "Mike Tancsa" <mike@sentex.net> wrote:
- BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be suggested and explained to some of the DNSBL operators.
If someone reading this has gone forward with a private mailing list to discuss all these issues, I'd be happy to receive an invitation to donate my [lack of] smarts to the cause.
I'm trying to get the funds together to create a free for free DNSbls anycast network, however it's not cheap, and the idea hosters are not gonna do it for free. / Mat
Hi Matthew,
If someone reading this has gone forward with a private mailing list to discuss all these issues, I'd be happy to receive an invitation to donate my [lack of] smarts to the cause.
I'm trying to get the funds together to create a free for free DNSbls anycast network, however it's not cheap, and the idea hosters are not gonna do it for free.
I am sure there are plenty of people on the list willing to support this. Bye, Raymond.
Hi!
is also offline due to a DDoS.
The official announcement can be read here: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&newwindow=1&safe=off&selm=vn1lufn8h6r38%40corp.supernews.com Bye, Raymond.
Joe St Sauver wrote:
Note that not all DNSBLs are being effectively hit. DNSBLs which run with publicly available zone files are too distributed to be easily taken down, particularly if periodic deltas are distributed via cryptographically signed Usenet messages (or other "push" channels). You can immunize DNSBLs from attack, *provided* that you're willing to publicly distribute the contents of those DNSBLs.
Actually, SBL has had a lot of issues. The issue isn't always with the dns zones. It is true that one can distribute the zones to make dDOS more difficult; although not impossible. However, in the case of SBL, they have had issues with the web servers being dDOS'd. The ability to lookup why a host is blacklisted, and in the case of relay/proxy lists to request removal, is also important. There are still a lot of blacklists out there; njabl, ordb, dsbl, reynolds, sbl, and spews (in a round about sort of way).
Yet what happens when a business decides to destroy his competitor's website? What happens when someone decides they don't like magazine X or vendor X and attacks their web farms? Shall the Internet be called akamai? Don't get me wrong. It's a good service, but not invulnerable. windowsupdate.com can still be brought to its knees if the attacker is persistent enough. Of course, when big money businesses are involved, things get done. Yet what about the smaller business or the charity? What about critical infrastructure? Does anyone claim that MAE East and West couldn't be made inoperational by dDOS? How does that shift the network and peering? What are the ramifications?
Of the various RPC worms, spybot is the most malicious in intent. Yet what if parts of Swen/Gibe/Sobig.F were incorporated into blaster. Process terminations to make repair difficult and to open the computer to other viruses and vulnerabilities. Installed proxy servers and bots. Keyloggers. Now collect your information, gather your bots, and watch a single phrase create destruction.
Things have not improved over the last year. They have gotten worse. The Internet is more malicious than ever. It is quickly becoming the Inner City Projects of communication. Greed and hatred created some of the worst neighborhoods in the world. The same concept will apply to network. If action isn't taken, it will get worse. More money will be lost over the coming years. Many people will be hurt. Communication will be impaired.
Question: Why is it not illegal for an ISP to allow a known vulnerable host to stay connected and not even bother contacting the owner? There are civil remedies that can be sought but no criminal. Bear in mind, these "vulnerable" hosts are usually in the process of performing malicious activity when they are reported. Ron has reported many of the IP addresses that dDOS'd monkeys.com. Under the same token, Ron has also reported to many ISP's about spammers which have abused servers under his control, scanning and utilizing open proxies; which is theft of resources. Why is nothing done about these people? Why is the ISP not held liable for allowing the person to continue in such malicious activity? -Jack