[47864] in North American Network Operators' Group
Re: Arbor Networks DoS defense product
daemon@ATHENA.MIT.EDU (Scott Francis)
Fri May 17 10:28:18 2002
Date: Fri, 17 May 2002 07:22:05 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: Dan Hollis <goemon@anime.net>
Cc: Dragos Ruiu <dr@kyx.net>, "'nanog@merit.edu'" <nanog@merit.edu>
Message-ID: <20020517142204.GD56860@darkuncle.net>
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
Dan Hollis <goemon@anime.net>, Dragos Ruiu <dr@kyx.net>,
"'nanog@merit.edu'" <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.44.0205170050540.32145-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, May 17, 2002 at 01:00:52AM -0700, Dan Hollis <DH> said, in response
to a message on Thu, 16 May 2002 by Dragos Ruiu <DR>:
<DR> But how do you plan to arbitrate disputes about what merits blackholing
<DR> and not on behalf of others? And what guidelines do you use to decide
<DR> on how to initiate black holing? (not critical here, just curious?)
There are no disputes. It's like using the RBL - what I decide to do with my
network is my business. If somebody else doesn't like it, they can do
business elsewhere. Everybody wants to do as they please on the Big Wide Net,
but they also want to be able to tell everybody else how to play. Can't have
it both ways.
<DH> That's the beauty here, one can provide multiple databases (e.g. rogue
<DH> networks which refuse to shutdown their portscanners, proven spamhausen in
<DH> bed with spammers, proven active attackers, etc.) and service providers
<DH> can opt in as they like, and apply whatever policy to those routes that
<DH> they like.
The simple addition of a default action in the land mine/blackhole BGP idea
would take away most of the protests, I think: after X scans, mail WHOIS
contact for the network in question saying "You have scanned us. Please clean
up your network, or risk being blackholed." If no response is received, and
scans continue, blackhole. Simple as that, and puts responsibility back on
the shoulders of the offending network.
<DH> > Why are you sending funny packets?
<DR> Any number of reasons... like I have a compromised host
<DR> and I'm watching what it does before shutting it down...
There's no point to what you have just said. When you find a machine has been
rooted, unplug it from the network and commence forensic analysis. Knowingly
allowing it to attack other networks is foolhardy at best.
<DH> So you have a compromised host attacking sites, you know about it, and
<DH> you're allowing it to continue. Whoops it just defaced a federal
<DH> government site, and now it has your IP address all over it...
<DH> I don't think I'd want to open myself to that kind of liability...
<DH> When we catch compromised hosts, we cut their balls off instantly.
<DR> Or maybe the packets don't look funny to me :-).
<DR> Or perhaps the packets were so funny I thought I'd share. ;-)
<DR> Humor is often in the eye of the beholder :-).
<DH> Military networks aren't well known for their sense of humor, and neither
<DH> are federal interest sites...
Neither are network operators whose networks are constantly under attack.
This kind of thing loses its novelty the first time one of your machines is
rooted and has to be wiped and rebuilt.
Whether or not it's amusing to you is immaterial. If the person being scanned
does not find it so, scans should cease, period.
-- 
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
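The "default action" escalation that Scott sketches above (count scans per source network, mail the WHOIS contact after X scans, and only blackhole if no response arrives and the scans continue) is straightforward to express as a small per-network state machine. The following is an added illustration written for this page, not code from the original post or from any NANOG participant; the scan events, the threshold of three scans, the two-day grace period and the aggregation of source addresses to a /24 are all constructed assumptions, and the "notify" and "blackhole" actions are recorded in an audit list rather than actually sending mail or injecting a BGP route.

```python
"""Escalation policy: count scans, warn the WHOIS contact, blackhole only on
continued scanning with no response. Added example; all inputs constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

SCAN_THRESHOLD = 3                 # "after X scans" (constructed value of X)
GRACE_PERIOD = timedelta(days=2)   # time allowed for a response (constructed)


@dataclass
class NetworkState:
    """Per-source-network escalation state."""
    scans: int = 0
    notified_at: Optional[datetime] = None
    responded: bool = False
    blackholed: bool = False


class BlackholePolicy:
    def __init__(self, threshold: int = SCAN_THRESHOLD, grace: timedelta = GRACE_PERIOD):
        self.threshold = threshold
        self.grace = grace
        self.state: Dict[IPv4Network, NetworkState] = {}
        # Audit trail of (action, network) so every escalation is reviewable.
        self.actions: List[Tuple[str, str]] = []

    def _state(self, net: IPv4Network) -> NetworkState:
        return self.state.setdefault(net, NetworkState())

    def record_scan(self, net: IPv4Network, when: datetime) -> str:
        """Process one observed scan from `net` and return the resulting decision."""
        st = self._state(net)
        if st.blackholed:
            return "already-blackholed"
        st.scans += 1
        if st.notified_at is None:
            if st.scans >= self.threshold:
                st.notified_at = when          # mail the WHOIS contact here
                self.actions.append(("notify", str(net)))
                return "notified"
            return "counted"
        if st.responded:
            return "responded-watching"         # they answered; keep watching, no blackhole
        if when - st.notified_at > self.grace:
            st.blackholed = True               # no response and scans continue -> blackhole
            self.actions.append(("blackhole", str(net)))
            return "blackholed"
        return "grace"                          # still inside the response window

    def record_response(self, net: IPv4Network, when: datetime) -> None:
        """The contact for `net` replied to the warning mail."""
        self._state(net).responded = True
        self.actions.append(("response", str(net)))

    def blackhole_routes(self) -> List[str]:
        """Networks that would be announced to the blackhole route server."""
        return sorted(str(n) for n, st in self.state.items() if st.blackholed)


def run_demo() -> BlackholePolicy:
    """Replay a constructed scan log through the policy and return the policy."""
    t0 = datetime(2002, 5, 17, 7, 0)
    # Constructed events: (offset from t0, source IP, event kind). Both source
    # ranges are documentation prefixes (RFC 5737), not real networks.
    events = [
        (timedelta(hours=0), "192.0.2.10", "scan"),
        (timedelta(hours=1), "192.0.2.11", "scan"),
        (timedelta(hours=2), "192.0.2.12", "scan"),      # third scan -> notify
        (timedelta(days=3), "192.0.2.10", "scan"),       # no reply, still scanning -> blackhole
        (timedelta(hours=0), "198.51.100.5", "scan"),
        (timedelta(hours=1), "198.51.100.5", "scan"),
        (timedelta(hours=2), "198.51.100.5", "scan"),    # third scan -> notify
        (timedelta(hours=5), "198.51.100.5", "response"),
        (timedelta(days=3), "198.51.100.5", "scan"),     # responded -> watched, not blackholed
    ]
    policy = BlackholePolicy()
    for offset, ip, kind in sorted(events, key=lambda e: e[0]):
        net = ip_network(ip + "/24", strict=False)        # aggregate to /24 (assumption)
        when = t0 + offset
        if kind == "scan":
            decision = policy.record_scan(net, when)
        else:
            policy.record_response(net, when)
            decision = "response"
        print(f"{when:%Y-%m-%d %H:%M} {net} {kind:8s} -> {decision}")
    return policy


if __name__ == "__main__":
    print("blackhole routes:", run_demo().blackhole_routes())
```

The point of keeping `actions` as an explicit audit trail is that a blackhole decision is a routing change with business impact, so the sequence "warned, no response, still scanning" should be reconstructible afterwards; in a real deployment the thresholds and grace period would be policy knobs rather than constants.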