After 3 Denial of Service attacks in the last 4 days, I'm beginning to wonder if there should be a standardization of some sort of abuse departments. Or perhaps if there are some companies that should REALLY THINK (TM) about perhaps installing some. When my domain is under attack by yours, that means you've done something WRONG, and you need to take care of it, the same as I would if mine is under attack. How it's even conceivable that you can operate without someone that has the authority to act on abuse 24/7 from your AS number's Org-Abuse is inconceivable.

Quite frankly the FBI cares not at all about Denial of Service attacks, because if they did such attacks wouldn't happen. If I try to break into and cease the abusive actions of these hosts, I am myself committing a felony to defend my site from attack. They however don't have someone on hand to stop the attacks and quite honestly the damage of not having a connection to the internet isn't expressible simply in monetary loss.

Real change needs to happen as far as accountability across the internet. If everyone's going to run Windows and kiddies are going to have packetnets that extend to millions of hosts, then someone needs to be on call at large consumer ISP's to yank cords when their customers' boxes get compromised, the next ISP that tells me "we'll have someone call you about that tomorrow" is going to get listed on nanog, and CC'd to an ISP hall of shame somewhere of my own making.

Please, please impart clue on your abuse department. Allowing hosts in your domain to participate in DoS attacks is WRONG.

-- Andrew D Kirch | trelane@2mbit.com | Security Admin | Summit Open Source Development Group | www.sosdg.org
apologies for the grammar, after suffering from a 2 hour site outage due to DoS attack and the best reply I got was "well we'll call you" I'm at wit's end.

On Sat, 11 Oct 2003 20:22:25 -0500 Andrew D Kirch <trelane@trelane.net> wrote:
-- Andrew D Kirch | trelane@2mbit.com | Security Admin | Summit Open Source Development Group | www.sosdg.org
On Sat, 11 Oct 2003, Andrew D Kirch wrote:
apologies for the grammar, after suffering from a 2 hour site outage due to DoS attack and the best reply I got was "well we'll call you" I'm at wit's end.
On Sat, 11 Oct 2003 20:22:25 -0500 Andrew D Kirch <trelane@trelane.net> wrote:
no need to suffer, vote with your bandwidth to a provider that can help... There are several on this list, eh? :)
On Sat, Oct 11, 2003 at 08:22:25PM -0500, Andrew D Kirch wrote:
[snip]

Maybe you should avoid pissing the kiddies off on IRC, or get something other than Ameritech DSL if you want your upstream to give a damn.

-- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
<snip>
Matthew S. Hallacy wrote:

Maybe you should avoid pissing the kiddies off on IRC, or get something other than Ameritech DSL if you want your upstream to give a damn.
I think he does make a fair observation about the state of many abuse departments today. How many posts do we see on here requesting someone with a clue in abuse from some domain in the average month?
On Sun, Oct 12, 2003 at 01:54:28AM -0500, Matt wrote:
I think he does make a fair observation about the state of many abuse departments today. How many posts do we see on here requesting someone with a clue in abuse from some domain in the average month?
And how many of them are taken care of by pointing them to Jared's NOC list? I recently had an issue with an open proxy/relay within berkeley.edu's resnet, I shot off an email at around 2:30am CST, got a reply within 20 minutes, and the box was off the net within an hour.

Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.

-- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
On Sun, Oct 12, 2003 at 02:18:45AM -0500, Matthew S. Hallacy wrote:
Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.
You've had good experiences with abuse departments. I'm glad for you. The rest of us have not. Yes, some places ARE helpful when you call with a genuine problem. Most places are not. And honestly, regardless of the reason, shouldn't abuse departments be responsive to this type of thing? DoS attacks often affect more than the end target, they often cause people on immediate surrounding network many problems also.
----- Original Message -----
From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
To: "Matt" <acheron@qwest.net>; <nanog@merit.edu>
Sent: Sunday, October 12, 2003 3:18 AM
Subject: Re: Abuse Departments

Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.
Watch yourself poptix - you don't have such a squeaky clean past either.

Point is this. If your network/servers are being used in an attack against someone else, you can be held responsible if you do not act in a timely manner.

This "script kiddie's DSL" is actually a shared setup with several servers on the end of it and a firewall. What happens to it also affects me and my customers. When my customers go down, I get complaints.

Now, if your network was attacking mine from a compromised box, and you failed to act in a timely fashion, regardless if it's a DSL or a T1 or a dialup for that matter, I'd either sue you myself for allowing the attack to continue, or give my customers your info and let THEM sue you for it.
Would you perhaps have more underlying problems if a "script kiddie" on a dialup can attack you in such a way to impact your service?

Bryan

----- Original Message -----
From: "Brian Bruns" <bruns@2mbit.com>
To: "Matthew S. Hallacy" <poptix@techmonkeys.org>; "Matt" <acheron@qwest.net>; <nanog@merit.edu>
Sent: Sunday, October 12, 2003 10:20 AM
Subject: Re: Abuse Departments

----- Original Message -----
From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
To: "Matt" <acheron@qwest.net>; <nanog@merit.edu>
Sent: Sunday, October 12, 2003 3:18 AM
Subject: Re: Abuse Departments
Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.
Watch yourself poptix - you don't have such a squeaky clean past either.
Point is this. If your network/servers are being used in an attack against someone else, you can be held responsible if you do not act in a timely manner.
This "script kiddie's DSL" is actually a shared setup with several servers on the end of it and a firewall. What happens to it also affects me and my customers. When my customers go down, I get complaints.
Now, if your network was attacking mine from a compromised box, and you failed to act in a timely fashion, regardless if it's a DSL or a T1 or a dialup for that matter, I'd either sue you myself for allowing the attack to continue, or give my customers your info and let THEM sue you for it.
Only if that script kiddie doesn't have a couple hundred DDoS drones, and most have quite a few more than that. The problem with these zombie networks is that they could be controlled from a 14.4 dialup and still knock out anything but the biggest infrastructure links on the internet. Active cooperation is needed from abuse departments for the victims of these attacks so that the compromised hosts are shut off quickly.

On Sun, 12 Oct 2003 10:33:18 -0500 "Bryan Heitman" <bryan@bryanheitman.com> wrote:
Would you perhaps have more underlying problems if a "script kiddie" on a dialup can attack you in such a way to impact your service?
Bryan

----- Original Message -----
From: "Brian Bruns" <bruns@2mbit.com>
To: "Matthew S. Hallacy" <poptix@techmonkeys.org>; "Matt" <acheron@qwest.net>; <nanog@merit.edu>
Sent: Sunday, October 12, 2003 10:20 AM
Subject: Re: Abuse Departments

----- Original Message -----
From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
To: "Matt" <acheron@qwest.net>; <nanog@merit.edu>
Sent: Sunday, October 12, 2003 3:18 AM
Subject: Re: Abuse Departments
Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.
Watch yourself poptix - you don't have such a squeaky clean past either.
Point is this. If your network/servers are being used in an attack against someone else, you can be held responsible if you do not act in a timely manner.
This "script kiddie's DSL" is actually a shared setup with several servers on the end of it and a firewall. What happens to it also affects me and my customers. When my customers go down, I get complaints.
Now, if your network was attacking mine from a compromised box, and you failed to act in a timely fashion, regardless if it's a DSL or a T1 or a dialup for that matter, I'd either sue you myself for allowing the attack to continue, or give my customers your info and let THEM sue you for it.
-- Andrew D Kirch | trelane@2mbit.com | Security Admin | Summit Open Source Development Group | www.sosdg.org
----- Original Message -----
From: "Bryan Heitman" <bryan@bryanheitman.com>
To: <nanog@merit.edu>
Sent: Sunday, October 12, 2003 11:33 AM
Subject: Re: Abuse Departments
Would you perhaps have more underlying problems if a "script kiddie" on a dialup can attack you in such a way to impact your service?
Sorry, I meant a DSL, T1, dialup, whatever as the one being attacked. I just woke up, so cut me some slack here.
On Sun, Oct 12, 2003 at 10:33:18AM -0500, Bryan Heitman wrote:
Would you perhaps have more underlying problems if a "script kiddie" on a dialup can attack you in such a way to impact your service?
Bryan, I don't mean to be rude, but it sounds like you don't understand the way the "script kiddies" operate. A dialup is more than sufficient.

Generally the attacker will have a number of compromised servers/home PC's/workstations, etc, at their disposal. Each has been infected with a particular type of trojan horse, which allow the abuser to control the compromised machine. The abuser can then instruct these tens, or hundreds, or thousands, or now tens to hundreds of thousands of machines, to perform an attack against a target.

Thus, the executor sits back on their dialup, which networks around the world fight with each other to stay alive - the attacks for running out of upstream bandwidth, and the victims for running out of downstream.
Bryan Heitman wrote:
Would you perhaps have more underlying problems if a "script kiddie" on a dialup can attack you in such a way to impact your service?
Yeah? See: http://www.irbs.net/internet/nanog/0308/1463.html / Mat
Yes, I agree with everyone, in a distributed environment many things are possible. Perhaps I should have read the entire thread rather than responding to a single message.

Bryan

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Matthew Sullivan
Sent: Sunday, October 12, 2003 5:16 PM
Cc: nanog@merit.edu
Subject: Re: Abuse Departments

Bryan Heitman wrote:
Would you perhaps have more underlying problems if a "script kiddie" on a dialup can attack you in such a way to impact your service?
Yeah? See: http://www.irbs.net/internet/nanog/0308/1463.html / Mat
participants (8)
- Andrew D Kirch
- Avleen Vig
- Brian Bruns
- Bryan Heitman
- Christopher L. Morrow
- Matt
- Matthew S. Hallacy
- Matthew Sullivan