[177282] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Jan 11 16:00:39 2015
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <21151566.1466.1420981585260.JavaMail.mhammett@ThunderFuck>
Date: Sun, 11 Jan 2015 12:55:59 -0800
To: Mike Hammett <nanog@ics-il.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> On Jan 11, 2015, at 05:07 , Mike Hammett <nanog@ics-il.net> wrote:
> 
> Why does it seem like everyone is trying to "solve" this the wrong way?
Because it's what we CAN do.
> 
> Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're being used to attack people, but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified. When the unknowing end-user reached out to support over larger and larger parts of the Internet not working, they'd be told to clean up their system.
> 
> The way to stop this stuff is for those millions of end users to clean up their infected PCs.
Agreed... However, let's look at it from an economics perspective...

The average residential service provider doesn't have the resources and doesn't charge enough to build the resources to deal with this onslaught. It won't be the service provider that the attacker blames for the initial few disconnections, it will be the websites in question.
So, let's say XYZ.COM is a really popular site with lots of end-users. Some of those end-users are also unknowingly attacking XYZ.COM.

XYZ.COM black holes those customers (along with all the other zombies attacking them).

XYZ.COM gets angry calls from those customers and has no ability to contact the rest.

The rest don't call their ISP or XYZ.COM because they don't know that they are unsuccessfully trying to reach XYZ.COM, so they don't see the problem.

Depending on hold times, etc., XYZ.COM loses some fraction of their customers (who instead of cleaning up their system, move into the second group who don't care about the problem any more.) The rest may clean up their systems.

So, at the cost of some fraction of their customer base and a substantial burden on their call center, XYZ.COM has managed to clean up a relatively small percentage of systems, but accomplished little else.
I'm all for finding a way to do a better job of this. Personally, I'd like to see some sort of centralized clearing house where credible reporters of dDOS information could send some form of standardized (automated) report. The clearing house would then take care of contacting the responsible ISPs in a scalable and useful manner that the ISPs could handle. Because the clearing house would be a known credible source and because they are providing the information in a way that the ISP can more efficiently utilize the information, it MIGHT allow the ISP to take proactive action such as contacting the user and addressing the problem, limiting the user's ability to send dDOS traffic, etc.

However, this would require lots of cooperation and if such a clearing house were to evolve, it would probably have to start as a coalition of residential ISPs.
Owen