Re: DoS attacks, NSPs unresponsiveness (fwd)
Having seen Ariel's message today, and NOT seeing my original response to his post (sent to him directly; did you NOT get this email, Ariel?), I've reposted this message... my original response to Ariel and Rubens. As to the others today, Steve Sobol, you too are not a UUNET direct customer, BUT if you are under attack and your Upstream tracks this traffic to UUNET have them follow the procedures outlined below and I will track the attack. UUNET DOES pay 4 people (six actually) to do nothing but stop and track DoS attacks on its backbone... and we are quite good at it.

--Chris

#######################################################
## UUNET Technologies, Inc. ##
## Manager ##
## Customer Router Security Engineering Team ##
## (W)703-289-8479 (C)703-283-3734 ##
#######################################################

---------- Forwarded message ----------
Date: Thu, 2 Nov 2000 20:02:48 -0500 (EST)
From: Christopher L. Morrow <cmorrow@uu.net>
To: Ariel Biener <ariel@fireball.tau.ac.il>, rkuhljr@uol.com.br
Cc: nanog@merit.edu, amos rosenboim <slick@xchange.wan.inter.net.il>
Subject: Re: DoS attacks, NSPs unresponsiveness

Ariel and Rubens,

I'd like to address your concerns about UUNET NOT getting involved when your networks (both downstreams of UUNET customers) are under attack. In both of your cases I have personally, on more than one occasion, contacted your upstream providers to inform them of proper contact procedures for Live Attacks.

To clarify those procedures for the 10th time in a public forum, if you are under attack and your upstream is either UUNET, or it's a customer of UUNET, have the DIRECT CUSTOMER of UUNET call the UUNET Security/Fraud/Abuse Department and ask for a Router Engineer. The phone number is: 1-800-900-0241 options 2,3,1 or for those that live outside the USA: 1-703-206-5440 options 2,3,1. If no one calls there can be no action taken... in the case of Rubens, your upstream (Embratel, correct?) has been emailing attack notifications and null routing your addresses. They have been told by me personally (I spoke to an individual named 'Jorge' I believe) several times to call us so we can stop and track the attack.

I have 4 engineers dedicated to dealing with DoS attacks on UUNET customers. We track several attacks per day and are available 24/7. I will not be held accountable for people's issues when they do NOT follow the appropriate contact procedures. If you would like to talk with me personally about this I invite you to call or email me directly as I'd be more than happy to clarify anything I've written in this message; my contact information is included for your convenience.

For the others on this list, if you are a UUNET customer you can call our Security Department if you ever have any issues with security, DoS, fraud, spam, or the like. If you are under DoS attack either one of my engineers will stop and track the attack, or I will do it... it's what we get paid to do. If you are NOT a UUNET customer you know that other ISPs (Tier 1s at least) do NOT filter attack traffic, and they do NOT track attacks. The ONLY exceptions to this are: Genuity, Global Crossing and at one time Verio.

--Chris

#######################################################
## UUNET Technologies, Inc. ##
## Manager ##
## Customer Router Security Engineering Team ##
## (W)703-289-8479 (C)703-283-3734 ##
#######################################################

On Thu, 2 Nov 2000, Ariel Biener wrote:
Hi,
This e-mail comes to describe a common problem among a large number of ISPs, mostly foreign, when dealing with US network service providers. I don't want to talk about anyone I don't know of, so I will limit this initial e-mail to talking about UUnet.
As most of you know, some ISPs run irc servers, and provide an IRC service to the community. The service is free, and maintenance and cost of networking/hardware/human hours is on the ISPs expense.
Irc tends to be a volatile medium, like interpersonal relationships in real life. Thus, many times arguments turn into heated disputes, and sometimes, some people pick up arms, and attack. The attacks usually take out whole ISPs for hours, or days.
The problem is that when trying to get help from the upstream provider (UUnet in this example), you either receive a negative answer, or you're just ignored completely. Thus, by terrorism, people get what they want, and hold you at a threat of force, without any ability to defend yourself.
Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed sources) are just a number of these weapons. The problem with a lot of networking entities, be it ISPs, enterprises, and such, is that they allow spoofed packets to leave their network (i.e. do not check if the packets originate from within their netblocks before letting them leave their routers).
The question is, how can we defend ourselves, and why do the large NSPs turn a blind eye, and act as if it's not their concern ?
Is there a chance that by helping one another, and by implementing Internet RFCs correctly (rfc 1918 for example), we can contribute to the elimination of this kind of electronic terrorism ?
Any chance a UUnet person might answer ?
best regards,
--Ariel
--
Ariel Biener
e-mail: ariel@post.tau.ac.il Work phone: 03-6406086
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
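The source-address check Ariel asks for above (drop packets whose source is not inside the ISP's own netblocks, or is RFC 1918 space, before they leave the border) is shown here as an added illustration in Python; it is not code from any poster or from UUNET, and the prefixes, packet tuples and the `classify_egress`/`filter_egress` names are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Hypothetical egress policy for one ISP's border router. The idea is the
# anti-spoofing filter described in the post above (later written up as
# RFC 2827 / BCP 38). Prefixes below are constructed documentation ranges,
# not anyone's real allocation.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# RFC 1918 private space must never leave a network as a source address.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "src dst proto")


def classify_egress(pkt):
    """Return 'permit' or a 'drop:<reason>' verdict for a packet leaving the border."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in RFC1918):
        return "drop:rfc1918-source"
    if not any(src in net for net in OWN_PREFIXES):
        # Source is not ours, so a host inside is forging it (smurf, spoofed SYN flood, ...).
        return "drop:spoofed-source"
    return "permit"


def filter_egress(packets):
    """Apply classify_egress to a batch; return (permitted, [(packet, reason), ...])."""
    permitted, dropped = [], []
    for p in packets:
        verdict = classify_egress(p)
        if verdict == "permit":
            permitted.append(p)
        else:
            dropped.append((p, verdict))
    return permitted, dropped


# Constructed sample of outbound traffic: two legitimate packets, one with a
# forged source outside our netblocks, one leaking a private source address.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5", "tcp"),     # legitimate customer host
    Packet("203.0.113.77", "192.0.2.10", "tcp"),    # spoofed: not our netblock
    Packet("10.1.2.3", "203.0.113.5", "udp"),       # leaked RFC 1918 source
    Packet("198.51.100.4", "203.0.113.9", "icmp"),  # legitimate
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE)
    for p, why in bad:
        print(f"{p.src} -> {p.dst} ({p.proto}): {why}")
```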
wouldn't be too surprising after the DOC/NSI/ICANN cabal did nothing to correct problems revealed last time it happened. talking stability while staging intrigues. and illegally censoring the net, for the first time with admittedly political justification (voteauction.com). corporate government is just not compatible with stability, especially when undermining democracy through systematic corruption. if it continues like this, alternative roots will take over much faster than expected, be it just because they are more stable.

kind regards philippe, InternetRoots.com

--- *** ---

<nslookup:www.bluesnews.com/*/62.2.32.250>
Non-authoritative answer:
www.bluesnews.com A 61660 205.229.73.2
Authority:
BLUESNEWS.com NS 61660 ns1.ugonetworks.com 205.229.75.1
BLUESNEWS.com NS 61660 ns2.ugonetworks.com 205.229.75.2
BLUESNEWS.com NS 61660 nserv1.actionworld.com 206.41.27.5
NSLookup normal completion.
---
<nslookup:www.bluesnews.com/*/a.root-servers.net>
Authoritative answer: Name Error - domain name referenced does not exist.
NSLookup Terminated.
---
<nslookup:www.rhythms.net/*/a.root-servers.net>
Authoritative answer: Name Error - domain name referenced does not exist.
NSLookup Terminated.
---
http://voteauction.com/
http://62.116.31.68/pr2.htm
http://voteauction.de/
so it looks like these dot-coms are just unable to pay their bills anymore and NSI has started to delete some long-unpaid-for domains, this time. kind regards philippe
On Tue, Nov 07, 2000 at 10:09:20PM -0500, Christopher L. Morrow wrote:
For the others on this list, if you are a UUNET customer you can call our Security Department if you ever have any issues with security, DoS, fraud, spam, or the like. If you are under DoS attack either one of my engineers will stop and track the attack, or I will do it... it's what we get paid to do. If you are NOT a UUNET customer you know that other ISPs (Tier 1s at least) do NOT filter attack traffic, and they do NOT track attacks. The ONLY exceptions to this are: Genuity, Global Crossing and at one time Verio.
The only exceptions that you know of perhaps. As a former employee of AT&T Global Network Services (ibm.net), I know for a fact that AGNS responded promptly to any DoS reports called into our helpdesk, regardless of whether they were a paying customer, downstream of a customer or a peer. I would also like to know UUNET's policy for peers, as I have first hand experience of other large ISPs whose helpdesks refused to take my phone call for assistance in tracking and blocking an ongoing attack because "you must be mistaken, the only way you would have a pipe into our network is if you are a customer". I do remember uunet.ca being very responsive on at least one occasion, but it's distressing to know that you've spent time and effort tracking an attack across your network only to come up against a brick wall... and then know that you're going to have performance problems with that peer until the attack stops, and yet that peer is not willing to even talk to you.

--
John Payne http://www.sackheads.org/jpayne/ john@sackheads.org
http://www.sackheads.org/uce/ Fax: +44 870 0547954
To send me mail, use the address in the From: header
Stoned koala bears drooled eucalyptus spit in awe as John Payne exclaimed:
On Tue, Nov 07, 2000 at 10:09:20PM -0500, Christopher L. Morrow wrote:
For the others on this list, if you are a UUNET customer you can call our Security Department if you ever have any issues with security, DoS, fraud, spam, or the like. If you are under DoS attack either one of my engineers will stop and track the attack, or I will do it... it's what we get paid to do. If you are NOT a UUNET customer you know that other ISPs (Tier 1s at least) do NOT filter attack traffic, and they do NOT track attacks. The ONLY exceptions to this are: Genuity, Global Crossing and at one time Verio.
This is *entirely* untrue, and is a prime example of the shameless self-promotion that seems to be rampant on this list lately. I do not work for any of the above-mentioned Tier 1 providers and I know for a fact that we have a level-1 security staff on duty 24/7 to handle such incidents, and if they can't handle it, then they page somebody who can. There have been numerous occasions where I have spent all night on the phone with a customer, working with them to find a solution that thwarts a DoS attack while minimizing the negative effects on their network and ours.
The only exceptions that you know of perhaps. As a former employee of AT&T Global Network Services (ibm.net), I know for a fact that AGNS responded promptly to any DoS reports called into our helpdesk, regardless of whether they were a paying customer, downstream of a customer or a peer.
*sigh* It's a shame, though, that they are less than responsive about other forms of abuse, and even less responsive than that about fixing their misconfigured SNMP monitoring software that tries to access routers that do not belong to them.
I would also like to know UUNET's policy for peers, as I have first hand experience of other large ISPs whose helpdesks refused to take my phone call for assistance in tracking and blocking an ongoing attack because "you must be mistaken, the only way you would have a pipe into our network is if you are a customer".
This seems to be the case more often than not, and it explains why a lot of network/security engineers won't even bother attempting to trace a DoS attack to their borders, because they know that they're wasting their time. Sure, they can tell the customer that it's originating from ASXXX or network XXX but if ASXXX or network XXX won't listen to you, what good does it do?

Jeff

Representing only myself, as my employer has an advertising department to promote them in the appropriate venues.

--
"For competitive reasons we can't tell you the location of our fiber." -- An anonymous representative of a very large telco
"For competitive reasons we can't tell you the location of our backhoe." -- An anonymous representative of a contractor.
On Tue, 7 Nov 2000, John Payne wrote:
On Tue, Nov 07, 2000 at 10:09:20PM -0500, Christopher L. Morrow wrote:
For the others on this list, if you are a UUNET customer you can call our Security Department if you ever have any issues with security, DoS, fraud, spam, or the like. If you are under DoS attack either one of my engineers will stop and track the attack, or I will do it... it's what we get paid to do. If you are NOT a UUNET customer you know that other ISPs (Tier 1s at least) do NOT filter attack traffic, and they do NOT track attacks. The ONLY exceptions to this are: Genuity, Global Crossing and at one time Verio.
The only exceptions that you know of perhaps. As a former employee of AT&T Global Network Services (ibm.net), I know for a fact that AGNS responded promptly to any DoS reports called into our helpdesk, regardless of whether they were a paying customer, downstream of a customer or a peer.
Yes, I re-read this paragraph and what I meant was 'in my experience the only people who track attacks are...'. I'd also forgotten tracking at least one attack with 2 folks from Above.Net... so they didn't make my original list.
I would also like to know UUNET's policy for peers, as I have first hand experience of other large ISPs whose helpdesks refused to take my phone call for assistance in tracking and blocking an ongoing attack because "you must be mistaken, the only way you would have a pipe into our network is if you are a customer".
Our policy is to track attacks that peers bring to us also... just follow the procedures I outlined in the initial message (call 1-800-900-0241 option 2,3,1 and ask for a Router Engineer)... We'll happily track the attack for you. :)
I do remember uunet.ca being very responsive on at least one occasion, but it's distressing to know that you've spent time and effort tracking an attack across your network only to come up against a brick wall... and then know that you're going to have performance problems with that peer until the attack stops, and yet that peer is not willing to even talk to you.
Yes, this is quite distressing... my favorite answer is (after poring over the network's www.xyz.net website trying to find a single number to call to TRY and find their NOC...): "please email that issue into NOC@xyz.net"... if you are a peer and track something up to a connect with UUNET, call and we'll track it for you.

-Chris
On Wed, 8 Nov 2000, Christopher L. Morrow wrote:
Our policy is to track attacks that peers bring to us also... just follow the procedures I outlined in the initial message (call 1-800-900-0241 option 2,3,1 and ask for a Router Engineer)... We'll happily track the attack for you. :)
Chris, this is all nice on e-mail, but my experience is that what we got when we used this procedure was: We're willing to blackhole this for you, but unwilling to track. This happened 10 days ago.

--Ariel

--
Ariel Biener
e-mail: ariel@post.tau.ac.il Work phone: 03-6406086
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
On Wed, 8 Nov 2000, Ariel Biener wrote:
On Wed, 8 Nov 2000, Christopher L. Morrow wrote:
Our policy is to track attacks that peers bring to us also... just follow the procedures I outlined in the initial message (call 1-800-900-0241 option 2,3,1 and ask for a Router Engineer)... We'll happily track the attack for you. :)
Chris, this is all nice on e-mail, but my experience is that what we got when we used this procedure was:
We're willing to blackhole this for you, but unwilling to track. This happened 10 days ago.
A UUNET Engineer got a call from which ISP, not you because you are not a customer... Which ISP called you, and what was eventually done about this? With some information aside from that included by you I might be able to find an answer for you on what happened and why it happened.
--Ariel
--
Ariel Biener
e-mail: ariel@post.tau.ac.il Work phone: 03-6406086
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
participants (5)
- Ariel Biener
- Christopher L. Morrow
- Jeff Workman
- John Payne
- Philippe Landau