Re: Counter DoS
- From: Gregory Taylor
- Date: Thu Mar 11 16:27:30 2004
While I believe something should be done, the fact is that two
wrongs do not make a right. If I hit you, is it ok for you to hit me
right back? This kind of retaliation takes the internet community into
a grade school playground fight. What needs to be done, although easier
said than done, is the following.
Companies producing software with serious security issues need to
address those issues a lot faster and more efficiently.
(i.e. Microsoft shouldn't push their OSes out the door until their code
is audited and tested thoroughly.) If medicine had the same practices
as a lot of these software companies, there'd be a whole bunch of dead
people out there.
The Federal agencies who deal with computer crimes need to step up and
start putting people behind bars, for a loong time. Kiddies get away
with DDoS attacks because they know they can. If even half of the
kiddies were to get thrown into prison for their acts, it'd definitely
deter the other half. Maybe that won't stop the problem, but it would
definitely reduce it overall.
Networks that allow random host spoofing (or bogon headers) need to
program their routers and border routers to filter or re-set the headers
of TCP traffic outgoing and incoming to the correct source. This way a
DDoS kiddie can only spoof at most, the subnet, thus leaving his DDoS
net open to investigation and tracing.
Networks that knowingly house and harbor DDoS kiddies should take a
proactive role in turning them in, or kicking them off their networks.
Just because they aren't launching attacks from your network doesn't
mean they aren't coordinating the attacks from it.
Those networks that house DDoS networks need to maintain closer
surveillance of their systems and customers and shut down any systems or
networks hosting known DDoS nets.
Denial of Service is probably never going to go away, but while DDoS
attacks are so easy to commit, the problem is only going to get worse
until appropriate steps are taken to reduce the problem overall.
Drew Weaver wrote:
From: Gregory Taylor [mailto:firstname.lastname@example.org]
Sent: Thursday, March 11, 2004 3:55 PM
To: Rachael Treu
Subject: Re: Counter DoS
Yes, let's allow the kiddies who already get away with as little work as
they can in order to produce the most destruction they can, the ability
to use these 'Security Systems' as a new tool for DoS attacks against
Let's say my name is: l33th4x0r
I want to attack joeblow.cable.com because joeblow666 was upset that I
called his mother various inappropriate names.
I find the IP for joeblow.cable.com to be 192.168.69.69
I find one of these 'security' systems, or multiple security systems,
and I decide to forge a TCP attack from 192.168.69.69 to these 'security
These 'security systems' then, thinking joeblow is attacking their
network, will launch a retaliatory attack against the offender,
192.168.69.69 thus destroying his connectivity.
Kiddie 1 Joeblow 0 The Internet as a whole 0
Their solution isn't the best idea out there, but something
definitely needs to be done, and quickly. Network providers shouldn't have
to purchase 4x the amount of bandwidth that they need just in case someone
hijacks a bunch of cable modems and wants to party.
Perhaps their bad idea will lead to a better idea, it's happened
before with how many countless practices on the internet? You start with a
blurry idea, then someone else takes it and makes it work. I'm not saying
ddosing people back is the best idea, but something needs to happen, we
waste way too much time and money mitigating these attacks, when in reality
they can't be mitigated unless you continue to throw cash into the bandwidth
These DSL and cable modem companies need to tighten things up so
that if their users are abusive (and I don't claim to know how exactly the
parameters of abuse should be measured) that their systems automatically
choke them. For example, I have a Cable modem /w rr at my home, they have my
upstream limited to next to nothing, how much damage could I possibly do?
On the other hand I've seen attacks from some residential DSL
providers that have hit with over 500KB(bytes)ps from a single machine, if
you have maybe 20 of these hitting one of your interfaces, it's going to
cause latency, unless your upstream, or their downstream is doing something
to protect you, which they won't.
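The border anti-spoofing filter that the first message asks networks to deploy, written out as an added example (not code from anyone in this thread): outgoing packets whose source is not in the network's own prefixes, and incoming packets that claim one of those prefixes or a bogon source, are dropped, so a spoofed source like the 192.168.69.69 in the scenario above never leaves the network. The prefixes, packet records and sample traffic are constructed for the example; it drops rather than rewrites source addresses.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address space assigned to "our" network (constructed for this example).
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that should never be seen on the public Internet (partial bogon list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving our network, "in" = arriving at our border


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(pkt):
    """Return (verdict, reason); verdict is 'forward' or 'drop'."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGONS):
        return "drop", "bogon source address"
    ours = _in_any(src, OUR_PREFIXES)
    if pkt.direction == "out" and not ours:
        # Egress: a host inside can only use sources we actually own.
        return "drop", "egress: source not in our prefixes (spoofed)"
    if pkt.direction == "in" and ours:
        # Ingress: nobody outside may claim to be one of our hosts.
        return "drop", "ingress: outside packet claims our source"
    return "forward", "ok"


def filter_trace(packets):
    """Apply the filter to a list of packets and return the verdicts in order."""
    return [filter_packet(p)[0] for p in packets]


# Constructed sample traffic: the spoofed 192.168.69.69 from the scenario, a
# legitimate outbound packet, an outbound packet with a stolen outside source,
# an inbound packet forging one of our addresses, and a normal inbound packet.
SAMPLE = [
    Packet("192.168.69.69", "203.0.113.9", "out"),
    Packet("203.0.113.7", "192.0.2.1", "out"),
    Packet("192.0.2.44", "203.0.113.7", "out"),
    Packet("203.0.113.7", "203.0.113.9", "in"),
    Packet("192.0.2.44", "203.0.113.7", "in"),
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, filter_trace(SAMPLE)):
        print(f"{p.direction:>3} src={p.src:<15} -> {v}")
```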