[40714] in North American Network Operators' Group
RE: Code Red 2 Erratication
daemon@ATHENA.MIT.EDU (Joe Blanchard)
Sun Aug 19 05:51:20 2001
Message-ID: <E9BBE0941932D511934C0002A52CDB4E2D0834@sj-exchange.wyse.com>
From: Joe Blanchard <jblanchard@wyse.com>
To: 'Christian Kuhtz' <ck@arch.bellsouth.net>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Sun, 19 Aug 2001 02:49:05 -0700
Who was/is talking about a DoS??? I wasn't. You're implying that my fix (which doesn't work, and I've gotten many responses about having "tried that") causes a DoS. Um, please re-evaluate the data I have shared. There is NOTHING I have offered that is not already known. You come to my website, ask for a file (default.ida) and I send it to you. Where's the DoS in that?

Legal or not, um, next case...
-----Original Message-----
From: Christian Kuhtz [mailto:ck@arch.bellsouth.net]
Sent: Sunday, August 19, 2001 2:34 AM
To: Joe Blanchard
Subject: Re: Code Red 2 Erratication
On Sun, Aug 19, 2001 at 02:02:10AM -0700, Joe Blanchard wrote:
> With regard to the legality of sending back such packets I have to laugh, and
> hard, at this. You're certainly under some misguided idea that the laws have
> actually any precedence in this case, that is regarding sending back packets
> to an attacking party that kills their OS.
The infected host is not what matters, and none of my recent statements have been about 'killing somebody's OS' if you read them carefully.
As I tried to explain to you before, hypothetically speaking, if you happen to take out, say, a DSL cloud (if you had a larger pipe or used a different method of responding to the probe which wasn't as bw intensive and caused greater damage proportional to bw used), perhaps take the ATM cloud out with it because of, for instance, massive demand for bw... you're in essence enacting a DoS and are subject to the same sort of procedures with which DoS attacks are responded to. I'm amazed your providers aren't taking the same steps with your current problem. Further, if perhaps you end up taking out vital national infrastructure with your attack you will end up facing the consequences (remember, some of the ckts used for inet traffic share resources with the rest of the world). A DoS in response to a DoS can also lead to your networks being cut off from the rest of the world as well. Significant backlash in various colors is not far-fetched at all.
These scenarios have been discussed quite frequently in various forums as well as in various legal departments, and depending on the circumstances there are legal issues you might want to consider. You might want to consult those in your legal department with background in telecommunications litigation. Go ahead, test the legal system. I am not making this up. It's your choice, not mine.
I am trying to share information with you in the hope that it may help you understand the shortcomings of your approach and perhaps help you find a better solution.
It may be worthwhile to take up the typical emergency response procedures and do things like summarize the IP addrs of the offending hosts with individual date/timestamps and submit them to providers with the remark that they are causing a DoS on your network. The fact that your direct providers aren't willing to help you as the customer is very regrettable. You might also have angles by engaging your legal department depending on what sort of contracts you have with your provider(s). Contesting the billing sometimes gets a provider's attention. I don't see why escalating through your provider up the food chain doesn't get you results. The reply that it is 'too difficult' most certainly doesn't ring true in this matter.
I don't speak for or represent BellSouth. The Security & Abuse team @ BellSouth.net can be reached at abuse@bellsouth.net and in general that should be your primary point of contact if you have issues with BellSouth.net customers. If you have any problems with BellSouth.net responding to your requests feel free to contact me and perhaps I can help with the escalation.

If you have any other questions, send them on.
--
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
I speak for myself only.
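The triage step Christian recommends in the quoted message (summarize the offending hosts with per-host timestamps before sending them to the upstream providers as an abuse report) is something a web server log already supports, since every Code Red probe shows up as a GET for /default.ida with the overflow payload in the query string, the same file Joe mentions. The following is an added Python example and not code from either poster or from the NANOG thread; the log lines are constructed, in Apache combined format, with the probe's padding run shortened for readability, and the tab-separated report layout is an assumption of this example rather than any provider's required format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined"-format access log lines (not real traffic).
# A Code Red probe is a GET for /default.ida with a long padding run followed by
# %u-encoded bytes in the query string; the padding is shortened here.  One
# legitimate request and one corrupt line are included to show they are skipped.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Aug/2001:02:01:17 -0700] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [19/Aug/2001:02:03:42 -0700] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Aug/2001:02:09:05 -0700] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 0 "-" "-"
203.0.113.55 - - [19/Aug/2001:02:11:58 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 0 "-" "-"
this line is corrupt and must be skipped
192.0.2.10 - - [19/Aug/2001:02:40:30 -0700] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 0 "-" "-"
"""

# Source IP, bracketed timestamp, quoted request line and status code of a
# combined-format entry; the referer and user-agent fields are not needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Probe signature: a GET for /default.ida carrying a query string (the payload).
PROBE_RE = re.compile(r'^GET /default\.ida\?')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a well-formed entry, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("req")


def summarize_probes(log_text):
    """Aggregate probes per source IP: hit count plus first and last seen."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # corrupt or foreign-format line
        ip, ts, req = parsed
        if not PROBE_RE.match(req):
            continue  # ordinary traffic, not a probe
        entry = hits[ip]
        entry["count"] += 1
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return dict(hits)


def render_report(summary):
    """One line per offending host, most active first, for an abuse report."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    lines = ["source_ip\thits\tfirst_seen\tlast_seen"]
    for ip, e in rows:
        lines.append(
            f"{ip}\t{e['count']}\t{e['first'].isoformat()}\t{e['last'].isoformat()}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarize_probes(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents; the timestamps keep the server's own UTC offset so the receiving provider can correlate them against its records without guessing the zone.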