[60046] in North American Network Operators' Group
Re: WANTED: ISPs with DDoS defense solutions
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Wed Jul 30 18:38:01 2003
Date: Wed, 30 Jul 2003 22:37:21 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: variable@ednet.co.uk
Cc: Mike Tancsa <mike@sentex.net>,
Jared Mauch <jared@puck.nether.net>,
"nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <Pine.LNX.4.44.0307302304330.14518-100000@pachabel.ednet.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 30 Jul 2003 variable@ednet.co.uk wrote:
>
> On Wed, 30 Jul 2003, Mike Tancsa wrote:
>
> > I recall one of our users was involved in a DoS once a few years back
> > when the "giant pings" could crash MS boxes. The fact that his perceived
> > anonymity was removed was enough to keep him from repeating his
> > attacks....
>
> If these issues are addressed then it becomes a lot harder to remain
> anonymous and starting DDoS attacks against targets that can trace you
> becomes a lot less attractive.
>
Sure, trace my attacks to the Linux box at UW, I didn't spoof the flood
and you can prove I did the attacking how? You can't because I and 7 other
hackers all are fighting each other over ownership of the poor UW student
schlep's computer...
The problem isn't the network, nor the filtering/lack-of-filtering, it's a
basic end host security problem. Until that is resolved, the ability of
attackers to own boxes in remote locations and use them for malfeasance
will continue to haunt us. I would guess that the other owners of the
machines attacking Mike (assuming they got the emails he sent... big
assumption) probably said: "Great another person getting attacked from
that joker's win2k machine, hurray:(" and moved on about their business.
They know that they can't get the end user to secure their machine and
they know that if they get him/her to reload the OS or 'clean' it of the
'virus' the problem will arise anew within 17 minutes :(
I'm all for raising the bar on attackers and having end networks implement
proper source filtering, but even with that 1000 NT machines pinging 2
packets per second is still enough to destroy a T1 customer, and likely
with 1500 byte packets a T3 customer as well. You can't stop this without
addressing the host security problem...
> Cheers,
>
> Rich
>