Re: Arbor Networks DoS defense product
On 15 May 2002, Johannes B. Ullrich wrote:
> > What about scans done
> > from different networks other than that which the supposed attacker is
> > originating from.
> Well, then these networks are marked as "attackers", which is ok. They
> can clean up their systems and enjoy full access again.

Yes. Part of such blackholing would be hoped to have a "behaviour modification" effect the same way that RBL does. Many NOCs/admins are too apathetic/lazy/incompetent/toothless to do anything about shutting down compromised boxes/script kiddies. Blackholing them from the net would provide motivation. And some protection against those attackers.

When management can no longer download their pr0n you can damn well bet they will "want it fixed NOW" and will give whatever authorization required to do it. Well, you get the point. :P

It's not intended to be perfect. It's intended to make life more difficult for attackers, and to reduce impact of attacks at least a little bit. And motivate lazy networks to fix their broken shit.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
Hi Rob

## On 2002-05-15 16:01 -0500 Rob Thomas typed:
RT> On the other hand, you could wonder why it is that the
RT> non-geek broadband users must be system, network, and firewall
RT> administrators.

You might prefer to wonder when home users will start using an OS that doesn't have security holes you can drive a truck through and the default config would at least be semi-secure ... If the home (or at least broadband) users would demand such an OS they *might* just get it ... ;-)

RT> Thanks,
RT> Rob.

Regards,
Rafi

RT> --
RT> Rob Thomas
RT> http://www.cymru.com/~robt
RT> ASSERT(coffee != empty);
Re: Arbor Networks DoS defense product
> What about timing? What about breaking up
> segments of the network to be scanned by different hosts?

It's really a matter of getting a sizable 'line mine net' up. With dshield, I hope to ultimately have a couple in each AS, probably with some local aggregation. The trick is that you use other people's line mines. It doesn't help you to use your own. Scan & exploit often come in one package so by the time you figure out you are scanned, you probably already lost a few hosts. The trick with distributed (or 'collaborative' as I think it is better called) intrusion detection is that whoever gets scanned first tells everyone else.

Also: This has to be automated. Because whoever gets hit first is probably too busy cleaning up to worry about posting all the gory details on this or any other list.

> How many
> hits on the linemines constitute blocking? Are you blocking hosts or
> networks?

up to you... Setting too much of a policy would make the system predictable and vulnerable. (attacker knows: only scan 99 hosts from each zombie...)

> Either way, what about dynamic ips?

blocking a network will take care of them. Other than that: for a DSL/cable line the IP will not change much, and for a dialup line they would have to hangup&dial a lot to get a good IP distribution.

> What about scans done
> from different networks other than that which the supposed attacker is
> originating from.

Well, then these networks are marked as "attackers", which is ok. They can clean up their systems and enjoy full access again.

> Its Universities, unsecured wireless lans, etc.

same thing: if you run an unsecured wireless network, maybe you shouldn't have given it access to the net in the first place.
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, PJ wrote:
> If it's a crime, someone should have no problem citing the code. If
> it's not a crime, then I am guilty of nothing and should have nothing
> to fear.

Do let us know how your portscans of US military networks go...

> There are always going to be people who are going to probe and poke

Are you one of them?

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
CF> Date: Wed, 15 May 2002 18:13:07 -0700
CF> From: Clayton Fiske
CF> There is no preset definition of how it has to work. Perhaps
CF> it can be evolved enough to where it only triggers when an
CF> exploit is attempted, rather than just on a TCP connection.

Sounds sorta like the SMTP *BL debate with a new spin. Data exist; how one uses them is a matter of preference.

IMHO, landmines would be a very handy way to get a "big picture" view. What threshold triggers what activity is up to the user. I could quickly write a script to find origin ASN of anyone who pings, find all prefixes with that origin ASN, and blackhole them. And it would be a pretty stupid maneuver, so I hopefully would know better. I don't see how landmines are any different... one needn't use the feed in a predetermined manner.

I think there are more than a few people who can bang out code, or who know those who can, hanging out on here.

--
Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <[EMAIL PROTECTED]>, or you are likely to be blocked.
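The "find the origin ASN of whoever pings me, find every prefix with that origin, blackhole the lot" script Eddy mentions as the wrong way to use such data, worked through as an added Python example. It is not his script and not code from anyone on the thread. The routing-table excerpt is constructed from documentation prefixes and documentation ASNs (the 64496-64511 range); a real run would take the table from a route-server dump, which is assumed away here. The `addresses` figure is the point: it is how much address space the ASN-wide expansion would actually sweep in for one pinging host.

```python
"""Origin-ASN expansion (added example; not the script described on the list).

Given a source address: longest-prefix match against a routing table to get the
covering prefix and its origin ASN, then collect every prefix with that origin.
The 'addresses' figure is what an ASN-wide blackhole would actually sweep in.
"""
import ipaddress

# Constructed routing-table excerpt: documentation prefixes and documentation
# ASNs (64496-64511), not real announcements. Real input would be a route-server dump.
SAMPLE_TABLE = [
    ("192.0.2.0/24",      64496),
    ("198.51.100.0/24",   64497),
    ("198.51.100.128/25", 64498),  # more-specific announced by a different origin
    ("203.0.113.0/24",    64497),
    ("198.18.0.0/15",     64499),
]


def build_table(rows):
    """Turn (prefix string, asn) rows into (ip_network, asn) pairs."""
    return [(ipaddress.ip_network(prefix), asn) for prefix, asn in rows]


def origin_asn(table, src):
    """Longest-prefix match: the most specific prefix covering src wins."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, asn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best


def prefixes_for_asn(table, asn):
    """Every prefix in the table announced with this origin ASN."""
    return sorted((net for net, a in table if a == asn),
                  key=lambda n: (n.prefixlen, n))


def expand_blackhole(table, src):
    """What 'ping -> origin ASN -> blackhole the ASN' would list for one pinger."""
    match = origin_asn(table, src)
    if match is None:
        return None                      # not in the table: nothing to expand
    net, asn = match
    nets = prefixes_for_asn(table, asn)
    return {
        "matched": str(net),
        "asn": asn,
        "prefixes": [str(n) for n in nets],
        "addresses": sum(n.num_addresses for n in nets),   # collateral damage
    }


if __name__ == "__main__":
    table = build_table(SAMPLE_TABLE)
    for src in ("198.51.100.5", "198.51.100.200", "10.0.0.1"):
        print(src, "->", expand_blackhole(table, src))
```

With the constructed table, one ping from 198.51.100.5 lists two /24s (512 addresses) for AS 64497, while 198.51.100.200 falls into the more-specific /25 and lists only AS 64498's 128 addresses; an address outside the table expands to nothing. That difference between what the pinger did and what the rule would block is the reason the landmine threshold discussed in the thread is left to the subscriber rather than baked in.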
Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 06:25:15PM -0700, PJ wrote:
> Granted. However, the suggestion to place said host/network into some
> sort of BGP black hole, has its problems. The community as a whole

Keep in mind that this would be a subscription service. It's not as though the route would be announced to the entire net. If you're not comfortable with it, don't use it on your network (or change upstreams, if they're using it).

> already has an idea of which networks have a greater percentage of
> attacks originating from it, an alert is fine, a pre-emptive strike in
> the absence of an actual attack is not.

It's not permanent. There clearly would need to be some means of human intervention by which an entry can be removed. At worst, a compromised host is blackholed which will get someone's attention. At best, it is prevented from contributing to attacks.

-c
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Clayton Fiske wrote:
> On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote:
> > Sorry for not including nanog in the reply. What about MAPS? They
> > routinely scan netblocks without consent. Does this tool
> > differentiate between local and non-local scanning? Scanning is
>
> The tool in question may not even exist yet. There is no preset
> definition of how it has to work. Perhaps it can be evolved enough
> to where it only triggers when an exploit is attempted, rather
> than just on a TCP connection.

Granted. However, if it's not yet in existence, these are good questions to be asked now instead of later, no? I would feel much better about it if it was triggered by an exploit, instead of a connection.

> > still not a crime and it will still do nothing to deter anyone with
> > hostile intentions. This is just a bandaid to avoid taking proper
> > security precautions.
>
> I can take all the proper security precautions and it doesn't stop
> third party network A from being exploited and later used to attack
> me. The point of this is that it will help identify a specific host
> which is scanning many blocks belonging to many different networks.
> If they hit several landmines in my network, I might be concerned.
> If they hit landmines in my network and 6 others to which I have no
> affiliation, the net as a whole might want to know about it.

Granted. However, the suggestion to place said host/network into some sort of BGP black hole, has its problems. The community as a whole already has an idea of which networks have a greater percentage of attacks originating from it, an alert is fine, a pre-emptive strike in the absence of an actual attack is not.

> I don't think anyone said this was intended to take the place of
> security on their own networks. But I don't see how that aspect
> makes this a bad tool on its own either way.

Yes, that was perhaps an implication made on my part. However, there are still concerns with the idea that have yet to be addressed.

PJ
--
Art is a lie which makes us realize the truth.
-- Picasso
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Johannes B. Ullrich wrote:
> > > Even more, I would hate to see the advocation of a hostile reaction to
> > > what, so far, is not considered a crime.
>
> I agree. Scanning is no crime. But blocking isn't a crime either.

Agreed. But this blocking still will do no good. My previous questions still stand. What about timing? What about breaking up segments of the network to be scanned by different hosts? How many hits on the linemines constitute blocking? Are you blocking hosts or networks? Either way, what about dynamic ips? What about scans done from different networks other than that which the supposed attacker is originating from. Universities, unsecured wireless lans, etc.

PJ
--
Art is a lie which makes us realize the truth.
-- Picasso
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Dan Hollis wrote:
> On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
> > Even more, I would hate to see the advocation of a hostile reaction to
> > what, so far, is not considered a crime.
>
> Feel free to go portscan some US military and federal interest networks,
> then. If it's not a crime, you shouldn't have any problems scanning them.

If it's a crime, someone should have no problem citing the code. If it's not a crime, then I am guilty of nothing and should have nothing to fear. Of course, in the present political climate, that's probably not the case, but it doesn't make it right. However, there is legal precedent that port scanning is not illegal. There are always going to be people who are going to probe and poke, as long as there is no direct harm, who cares? Sorry, the days of people sitting in nice straight lines, only doing what you want them to do and only going where you want them to go are not yet upon us.

http://online.securityfocus.com/news/126

PJ
--
Aaron Gaudio
"The fool finds ignorance all around him. The wise man finds ignorance within."
Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote:
> Sorry for not including nanog in the reply. What about MAPS? They
> routinely scan netblocks without consent. Does this tool
> differentiate between local and non-local scanning? Scanning is

The tool in question may not even exist yet. There is no preset definition of how it has to work. Perhaps it can be evolved enough to where it only triggers when an exploit is attempted, rather than just on a TCP connection.

> still not a crime and it will still do nothing to deter anyone with
> hostile intentions. This is just a bandaid to avoid taking proper
> security precautions.

I can take all the proper security precautions and it doesn't stop third party network A from being exploited and later used to attack me. The point of this is that it will help identify a specific host which is scanning many blocks belonging to many different networks. If they hit several landmines in my network, I might be concerned. If they hit landmines in my network and 6 others to which I have no affiliation, the net as a whole might want to know about it.

I don't think anyone said this was intended to take the place of security on their own networks. But I don't see how that aspect makes this a bad tool on its own either way.

-c
Re: Arbor Networks DoS defense product
> > Even more, I would hate to see the advocation of a hostile reaction to
> > what, so far, is not considered a crime.

I agree. Scanning is no crime. But blocking isn't a crime either.
(fwd) Re: Arbor Networks DoS defense product
Forgot to include nanog

- Forwarded message from PJ <[EMAIL PROTECTED]> -

> Date: Wed, 15 May 2002 17:50:01 -0700
> From: PJ <[EMAIL PROTECTED]>
> Subject: Re: Arbor Networks DoS defense product
> To: Clayton Fiske <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Reply-To: PJ <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.3.25i
>
> On Wed, 15 May 2002, Clayton Fiske wrote:
> >
> > On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
> > > Are you now operating under the premise that scans != anything but the
> > > prelude to an attack? Sorry if I missed it earlier in the thread, but
> > > I would hate to think any legitimate scanning of a network or host
> > > would result in a false positive. Even more, I would hate to see the
> > > advocation of a hostile reaction to what, so far, is not considered a
> > > crime.
> >
> > So you can think of a perfectly legitimate reason to scan someone else's
> > netblocks on specific TCP ports?
> >
> > -c
>
> Has no one ever tested firewall rules from external networks? The
> fact remains that a scan != an attack.
>
> PJ
>
> --
> The worst thing one can do is not to try, to be aware of what one
> wants and not give in to it, to spend years in silent hurt wondering
> if something could have materialized -- and never knowing.
> -- David Viscott
Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
> Even more, I would hate to see the advocation of a hostile reaction to
> what, so far, is not considered a crime.

Feel free to go portscan some US military and federal interest networks, then. If it's not a crime, you shouldn't have any problems scanning them.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Dan Hollis wrote:
> On Wed, 15 May 2002, PJ wrote:
> > On Wed, 15 May 2002, Dan Hollis wrote:
> > > We are not landmining for DOSing.
> > > We are landmining to make it very dangerous for attackers to scan networks
> > > and probe hosts.
> > Are you now operating under the premise that scans != anything but the
> > prelude to an attack? Sorry if I missed it earlier in the thread, but
> > I would hate to think any legitimate scanning of a network or host
> > would result in a false positive. Even more, I would hate to see the
> > advocation of a hostile reaction to what, so far, is not considered a
> > crime.
>
> It would take more than a single landmine hit to get blackholed. Like, duh.

Forgive me for daring to ask a question. How many imply bad intent in general practice? 4? 5? 10? Any time limitations? I am sure there are, but I am just curious. Would the paranoid timing setting in nmap trigger it?

> Enough hits on a wide sensor net prove bad intentions, as proven by dshield.

"Prove?" What exactly is enough hits? Is it dependent on the size of the network? Again, what about the timing factor? All that will happen is anyone with hostile intent will start breaking up networks into smaller chunks to be scanned from different hosts. I don't see it solving the so-called problem of scanning.

> I'm surprised at the extremely shallow level of arguments so far against
> landmines.

I am surprised at the extremely shallow level of thinking that seeks to shift the burden of security maintenance off of the shoulders of those who should be responsible. Would you block just a host or a network? What about dynamic ips? It doesn't take much bandwidth to probe. Blackhole enough of the net and you effectively serve the purpose of DOSing yourself.

PJ
--
A diplomat is a man who always remembers a woman's birthday but never her age.
-- Robert Frost
Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
> Are you now operating under the premise that scans != anything but the
> prelude to an attack? Sorry if I missed it earlier in the thread, but
> I would hate to think any legitimate scanning of a network or host
> would result in a false positive. Even more, I would hate to see the
> advocation of a hostile reaction to what, so far, is not considered a
> crime.

So you can think of a perfectly legitimate reason to scan someone else's netblocks on specific TCP ports?

-c
Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
> Even more, I would hate to see the advocation of a hostile reaction
> to what, so far, is not considered a crime.

crime, or art? ;-)

http://www.nytimes.com/2002/05/13/arts/design/13ARTS.html

-d.

---
http://www.monkey.org/~dugsong/
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, PJ wrote:
> On Wed, 15 May 2002, Dan Hollis wrote:
> > We are not landmining for DOSing.
> > We are landmining to make it very dangerous for attackers to scan networks
> > and probe hosts.
> Are you now operating under the premise that scans != anything but the
> prelude to an attack? Sorry if I missed it earlier in the thread, but
> I would hate to think any legitimate scanning of a network or host
> would result in a false positive. Even more, I would hate to see the
> advocation of a hostile reaction to what, so far, is not considered a
> crime.

It would take more than a single landmine hit to get blackholed. Like, duh.

Enough hits on a wide sensor net prove bad intentions, as proven by dshield.

I'm surprised at the extremely shallow level of arguments so far against landmines. Well, I guess I shouldn't be surprised -- this *IS* nanog, after all... :P

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Dan Hollis wrote:
>
> On Wed, 15 May 2002, Rob Thomas wrote:
> > ] I don't think spoofing will be a problem for the landmines. Most attacks
> > ] (99%?) are tcp.
> > Hmm... Not based on my research. The most common attack capabilities in
> > the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most
> > of the DoS tools contain the same attack types as the bots.
> > On the receiving end, upwards of 80% of all the woe I track is not TCP.
>
> You miss the point of this:
>
> We are not landmining for DOSing.
>
> We are landmining to make it very dangerous for attackers to scan networks
> and probe hosts.
>
> -Dan
> --
> [-] Omae no subete no kichi wa ore no mono da. [-]

Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.

PJ
--
He thought of Musashi, the Sword Saint, standing in his garden more than three hundred years ago. "What is the 'Body of a rock'?" he was asked. In answer, Musashi summoned a pupil of his and bid him kill himself by slashing his abdomen with a knife. Just as the pupil was about to comply, the Master stayed his hand, saying, "That is the 'Body of a rock'."
-- Eric Van Lustbader
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rob Thomas wrote:
> ] I don't think spoofing will be a problem for the landmines. Most attacks
> ] (99%?) are tcp.
> Hmm... Not based on my research. The most common attack capabilities in
> the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most
> of the DoS tools contain the same attack types as the bots.
> On the receiving end, upwards of 80% of all the woe I track is not TCP.

You miss the point of this:

We are not landmining for DOSing.

We are landmining to make it very dangerous for attackers to scan networks and probe hosts.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
Hi, Dan.

] I don't think spoofing will be a problem for the landmines. Most attacks
] (99%?) are tcp.

Hmm... Not based on my research. The most common attack capabilities in the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most of the DoS tools contain the same attack types as the bots.

On the receiving end, upwards of 80% of all the woe I track is not TCP.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Lyndon Nerenberg wrote:
> I usually avoid blackhole subscription lists like this. They let
> the attacker take out your legitimate peers by spoofing the source.

If they can take out your legitimate peers by spoofing end to end TCP connections, then you have got some really enormous problems that need to be addressed.

I don't think spoofing will be a problem for the landmines. Most attacks (99%?) are tcp.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Chris Parker wrote:
> That's fine until the first person spoofs a scan from 'www.cisco.com'
> or 'a.root-servers.net' and *poof* it's now automagically unreachable.

Only tcp connections with full handshake would be counted.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
sorry. getting confused by my own tricky url schemes:

http://feeds.dshield.org/block.txt

On Wed, 2002-05-15 at 17:13, Dan Hollis wrote:
> On 15 May 2002, Johannes B. Ullrich wrote:
> > See http://www.dshield.org/block.txt ;-). We are about 24hrs away from
> > getting a BGP test feed up.
>
> Error
> Sorry, the page could not be found.
> Click HERE to return to the DShield.org homepage.
>
> -Dan
> --
> [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On 15 May 2002, Johannes B. Ullrich wrote:
> See http://www.dshield.org/block.txt ;-). We are about 24hrs away from
> getting a BGP test feed up.

Error
Sorry, the page could not be found.
Click HERE to return to the DShield.org homepage.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rob Thomas wrote:
> ] scanning would quickly become self defeating as attackers would only
> ] manage to cut themselves off from the net.
> To some degree, yes. Most of the miscreants are clueful enough not to
> scan from their home machines.

I disagree. They have to start somewhere. Most miscreants first attack offshore hosts, then use those to attack domestic victims.

> The end result is a lot of hacked hosts are black holed.

And this is a bad thing?

> On one hand you could say "serves 'em right for being hacked!" On the
> other hand, you could wonder why it is that the non-geek broadband users
> must be system, network, and firewall administrators.

They don't. This is purely a response to rogue networks/blackhats and apathetic/irresponsible/toothless NOCs.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
Hi, Dan.

] scanning would quickly become self defeating as attackers would only
] manage to cut themselves off from the net.

To some degree, yes. Most of the miscreants are clueful enough not to scan from their home machines. The end result is a lot of hacked hosts are black holed. On one hand you could say "serves 'em right for being hacked!" On the other hand, you could wonder why it is that the non-geek broadband users must be system, network, and firewall administrators.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rob Thomas wrote:
> ] It could be very useful as deterrence to know their criteria.
> For the low fee of a cool t-shirt or a bit of gear for my lab I'd be
> happy to spread rumours about the mad fast honeypot residing within
> your prefixes. :)

disinformation as a means to raise the level of uncertainty for the attacker, it's a classic military tactic.

what other military tactics can be used to make life more dangerous for attackers?

i've been tossing around an idea for a "land mine network". randomly distributed honeypots around the internet. when X landmines are hit from the same source, that source gets entered into a BGP blackhole feed which anyone can subscribe to. put landmines in popularly targeted networks, maybe even make them randomly move about. there are all sorts of wonderful tactics that could be put to use.

scanning would quickly become self defeating as attackers would only manage to cut themselves off from the net.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
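The aggregation step Dan sketches above (X landmine hits from one source feed a blackhole list), together with the refinements raised elsewhere in the thread (only completed TCP handshakes count, so a spoofed SYN from 'www.cisco.com' lists nobody; the threshold, the time window and the host-versus-network choice are the subscriber's policy; dynamic IPs and scans split across several zombies are answered by blocking the network), as an added Python example. It is not DShield's feed code, not Arbor's product and not any poster's script. The sensor log format, the threshold of three distinct sensor networks, the one-hour window and the /24 aggregation are assumptions, and the log lines are constructed from documentation address ranges.

```python
"""Landmine aggregator (added example, not code from the thread, DShield or Arbor).

Policy implemented; the constants are assumptions, nothing the thread settles:
  * only hits where the sensor saw a completed TCP handshake count, so a
    spoofed SYN from a third party cannot get that third party listed;
  * a source is listed once it has hit landmines in MIN_DISTINCT_SENSOR_NETS
    different sensor networks within WINDOW (many hits on one network alone
    are that network's problem, not the net's);
  * prefixlen=24 aggregates sources to their /24, the "block the network"
    answer to dynamic IPs and to scans split across several hosts in one block.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(hours=1)      # assumption: operator's choice
MIN_DISTINCT_SENSOR_NETS = 3     # assumption: the "X" in "when X landmines are hit"

# Constructed sensor log (not real data). One hit per line:
# <UTC timestamp> <sensor's own prefix> <source IP> <dst port> <tcp state seen>
SAMPLE_LOG = """\
2002-05-15T20:01:10Z 192.0.2.0/24   198.51.100.7  22 established
2002-05-15T20:01:12Z 192.0.2.0/24   198.51.100.7  80 established
2002-05-15T20:02:05Z 198.18.0.0/24  198.51.100.7  22 established
2002-05-15T20:03:40Z 198.19.0.0/24  198.51.100.7  22 established
2002-05-15T20:04:00Z 192.0.2.0/24   198.51.100.9  22 syn_only
2002-05-15T20:04:01Z 198.18.0.0/24  198.51.100.9  22 syn_only
2002-05-15T20:04:02Z 198.19.0.0/24  198.51.100.9  22 syn_only
2002-05-15T20:05:00Z 192.0.2.0/24   203.0.113.20  22 established
2002-05-15T20:05:30Z 198.18.0.0/24  203.0.113.21  22 established
2002-05-15T20:06:00Z 198.19.0.0/24  203.0.113.22  22 established
2002-05-15T21:30:00Z 192.0.2.0/24   198.51.100.50 22 established
2002-05-15T21:31:00Z 198.18.0.0/24  198.51.100.50 22 established
2002-05-15T22:45:00Z 198.19.0.0/24  198.51.100.50 22 established
"""


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines raise."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor_net, src, dport, state = line.split()
        hits.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "sensor_net": ipaddress.ip_network(sensor_net),
            "src": ipaddress.ip_address(src),
            "dport": int(dport),
            "state": state,
        })
    return hits


def blackhole_candidates(hits, window=WINDOW, min_nets=MIN_DISTINCT_SENSOR_NETS,
                         prefixlen=32):
    """Return {listed prefix: sorted distinct sensor nets} for sources meeting the policy.

    prefixlen=32 lists individual hosts; prefixlen=24 lists the covering /24.
    """
    by_key = defaultdict(list)
    for h in hits:
        if h["state"] != "established":   # SYN-only hits are spoofable, ignore them
            continue
        key = ipaddress.ip_network(f"{h['src']}/{prefixlen}", strict=False)
        by_key[key].append(h)

    listed = {}
    for key, khits in by_key.items():
        khits.sort(key=lambda h: h["ts"])
        # Sliding window: from each hit in turn, count distinct sensor networks
        # hit within `window`; the first window reaching min_nets lists the key.
        for i, first in enumerate(khits):
            nets = {h["sensor_net"] for h in khits[i:]
                    if h["ts"] - first["ts"] <= window}
            if len(nets) >= min_nets:
                listed[str(key)] = sorted(str(n) for n in nets)
                break
    return listed


def render_feed(listed):
    """One prefix per line with the evidence as a comment, for a human to look at
    before it goes anywhere near a BGP session."""
    return "\n".join(f"{prefix}  # hit landmines in {', '.join(nets)}"
                     for prefix, nets in sorted(listed.items()))


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print("per-host:\n" + render_feed(blackhole_candidates(hits)))
    print("per-/24:\n" + render_feed(blackhole_candidates(hits, prefixlen=24)))
```

On the constructed log, per-host mode lists only 198.51.100.7: the SYN-only hits from .9 never count, 203.0.113.20/.21/.22 each touched a single sensor network, and .50 hit its third network 75 minutes after its first, outside the one-hour window (widen the window and it appears). In /24 mode the split scan from 203.0.113.0/24 does get listed, which is the trade the thread argues about: catching an attacker who spreads a scan across hosts means also listing that block's bystanders.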
Re: Arbor Networks DoS defense product
Hi, Dan.

] What leads them to believe this?

Well folks aren't exactly subtle about their honeypots. Read any of the popular security lists for examples of "Hi! My honeypot was hit last night with blah and blah, here is the sniffer trace..." The underground shares and trades information as well, so some of the miscreants learn from experience or each other which networks respond to attacks, scans, hacking, etc.

] It could be very useful as deterrence to know their criteria.

For the low fee of a cool t-shirt or a bit of gear for my lab I'd be happy to spread rumours about the mad fast honeypot residing within your prefixes. :)

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rob Thomas wrote:
> FYI, the miscreants also _avoid_ certain netblocks in which,
> they believe, honeypots and other things reside.

What leads them to believe this? It could be very useful as deterrence to know their criteria.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
Hi, Pete.

] With the number of always-on broadband residential and
] small-business customers, are education networks still the

The broadband ranges are now quite popular with the miscreants. Several of the bots I've recovered conduct targeted scans of the broadband prefixes. While scanning the entire IPv4 address space - including the bogons - does yield a lot of hax0red hosts, it also produces a lot of noise. FYI, the miscreants also _avoid_ certain netblocks in which, they believe, honeypots and other things reside.

When scanning for easily hacked routers, the miscreants target the ranges they believe contain "mad fast routers," e.g. routers with > T1 connectivity.

In the case of both hosts and routers, it is increasingly common for the miscreants to test the bandwidth capabilities of the device. The sluggish are left unused by many crews (or traded in the very active underground economy).

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
Re: CPE/OC12 Question
On Wed, 15 May 2002, Sonya Blake wrote:
> What kind of OC12 CPE devices (routers) are people using out there?
> Initially for Internet connectivity, but probably would need to do advanced
> features, i.e. BGP, etc.

Are you referring to an OC12c that you're using as a single 622 Mb/s pipe, or an OC12 that you're bringing into a SONET add/drop mux and breaking out STS-1 slots for DS3s or OC3/OC3c slots?

If you're talking about an OC12c, your choices would probably be:

Cisco 7600
Cisco 10000
Cisco 12xxx
Juniper M-series - I think even an M5 could do an OC12c, though I'm not sure.
Other offerings by Riverstone, Avici and others that I'm not as familiar with.

You can put an OC12c into a Cisco 7200/7500 *in theory* using an OC12c DPT card, but the router will likely crap out long before you come close to saturating the pipe.

For a channelized OC12, assuming you want to do the breakouts yourself, you could use pretty much anything that supports channelized OC12 (Cisco 10000/12000, Juniper, etc) as long as it can break the slots out the way you want.

jms
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Richard A Steenbergen wrote:
> It all depends on the networks involved. I'd venture to
> say that most people not associated with university
> networks see significantly less DoS, more like 1% of
> overall traffic for service providers and probably
> closer to 0% for end users who aren't IRCing.

Some presentations made at recent NANOGs discussed the continuous noise generated by DDoS attacks, though I can't find any numbers showing how much bandwidth the noise uses.

With the number of always-on broadband residential and small-business customers, are education networks still the (only) haven of hackers they used to be? Even enterprises seem to be pretty active DDoS participants; there were/are a lot of corporations generating CodeRed probes, and a surprising number of residential machines.

Are there any service providers running IDS/NIDS on their backbones and monitoring for DDoS attacks, to provide some empirical data on the scope of DDoS traffic?

Pete.
CPE/OC12 Question
What kind of OC12 CPE devices (routers) are people using out there? Initially for Internet connectivity, but probably would need to do advanced features, i.e. BGP, etc.

Thanks in advance!

Sonya Blake
Engineer
BellSouth.net
[EMAIL PROTECTED]
The Art of Peering : The Peering Playbook
Hi all -

Folks were talking about Traffic Ratios, Depeering, etc. that reminded me I should probably thank everyone for contributing to the "Tactical Peering" white paper which has now been renamed "The Art of Peering : The Peering Playbook". Thanks to the feedback from folks on this list and at RIPE and the Gigabit Peering Forum I have released version 1.0 of this document and it is available to anyone who would like a copy. Send me e-mail at [EMAIL PROTECTED] with the Subject: Art of Peering and I'll send it back directly, or alternatively you can get it from the Equinix web site.

In this paper I asked the Peering Coordinators the question "What do you do if no one answers your peering request at peering@.net ? What are the 'Tricks of the Trade' that distinguish seasoned Peering Coordinators from newbies?"

The Summary (below) does the best job of highlighting the techniques detailed in the paper:

Summary

We have presented 19 peering maneuvers that the Peering Coordinator Community have effectively used to obtain peering.

1) The Direct Approach uses peering@.net , phone calls, face to face meetings, or some such direct interaction to establish peering.
2) The Transit with Peering Migration tactic leverages an internal advocate to buy transit with a contractual migration to peering at a later time.
3) The End Run Tactic minimizes the need for transit by enticing a direct relationship with the target ISP's largest traffic volume customers.
4) In Europe the Dual Transit/Peering separates the peering traffic from the transit traffic using separate interface cards and/or routers.
5) Purchasing Transit Only from Large Tier 2 ISPs is an approach to reduce the risk of being a customer of a potential peer on the road to Tier 1 status.
6) Paid Peering as a maneuver is positioned by some as a stepping stone to peering for those who don't immediately meet the peering prerequisites.
7) In the Partial Transit tactic, the routes learned at an exchange point are exchanged with the peer for a price slightly higher than transport costs.
8) The Chicken tactic involves de-peering in order to make the other peer adjust the peering relationship.
9) In the Traffic Manipulation tactic, ISPs or content players force traffic along the network path that makes peering appear more cost effective.
10) The Bluff maneuver is simply overstating future traffic volumes or performance issues to make peering appear more attractive.
11) The Wide Scale Open Peering Policy as a tactic signals to the Peering Coordinator Community the willingness to peer and therefore increases the likelihood of being contacted for peering by other ISPs.
12) The Massive Colo Build tactic seeks to meet the collocation prerequisites of as many ISPs as possible by building POPs into as many exchange points as possible.
13) The Aggressive Traffic Buildup tactic increases the traffic volume by large scale market and therefore traffic capture to make peering more attractive.
14) Friendship-based Peering leverages contacts in the industry to speed along and obtain peering where the process may not be in place for a peering.
15) The Spam Peering Requests tactic is a specific case of the Wide Scale Open Peering tactic using the exchange point contact lists to initiate peering.
16) Purchasing Legacy Peering provides an immediate set of peering partners.
17) The Bait and Switch tactic leverages a large corporate identity to obtain peering even though ultimately only a small subset or unrelated set of routes are actually announced.
18) The False Peering Outage tactic involves deceiving an ill-equipped NOC into believing a non-existing peering session is down.
19) The Leverage Broader Business Arrangement takes advantage of other aspects of the relationship between two companies to obtain peering in exchange for something else.

Thanks again for your help! If there are questions or comments I'd love to hear them; I fully expect this document (like the other white papers) to evolve over time.

Bill
---
William B. Norton <[EMAIL PROTECTED]> 650.315.8635
Co-Founder and Chief Technical Liaison Equinix, Inc.
Re: Arbor Networks DoS defense product
On Tue, 14 May 2002, Pete Kruckenberg wrote:

> Have any large networks gathered statistics on how much
> traffic DDoS/DoS/DRDoS attacks consume on an average day?
>
> The attacks I have been able to detect represent around
> 10-15% of my traffic on an on-going basis.
>
> I'm curious about the business case for investing in DoS
> defense mechanisms. DoS traffic is boosting service provider
> revenues through increased customer bandwidth usage.

I disagree. If many of your customers have flat-rate as opposed to burstable connectivity, such as a full point-to-point T1 or a dedicated 10 meg switch port to host a colo box, the revenue you derive from those customers doesn't change regardless of how much/how little traffic your network carries for them. If your customers have burstable connectivity, their bill only goes up if you have mechanisms in place to do those calculations - I'll hazard a guess that many providers don't.

I would argue that in many cases a service provider loses revenue due to DoS traffic - network performance/availability can be impacted as your network absorbs a DoS attack and your NOC/network engineers/security people have to spend cycles analyzing (calling vendors, upstreams, etc.) and dampening the attack. Both of these impact windows have costs associated with them.

I haven't done any formal ROI calculations on Arbor or any of the other DoS defense products out there. However, from my viewpoint, I'd be willing to bet that if/once my NOC/network engineers/security people are properly trained on how to handle a DoS attack, anything that allows me to shrink those impact windows, e.g. reduce my costs related to dealing with an attack, is a good thing.

> So the investment in defense mechanisms like Arbor would have to
> replace or increase that revenue. Will these issues inhibit
> wide-spread implementation of DoS defenses?

That depends on how those products are priced, how well they're marketed, and of course, how effective they are in helping to stop DoS attacks.

jms
RE: Arbor Networks DoS defense product
Is it common practice to place your own equipment at the ISP? My thought is that if we are able to have our own routers at the ISP, we'd be in a better position to mitigate the effects of a DDOS. As long as the stream of traffic does not adversely affect our routers from performing properly at the ISP, we can then mitigate the effects through access-lists, QOS, etc. That is if the attack is not too distributed, where the source IPs with the highest amount of syn traffic for example can be easily identified.

Rick Cheung
NPI IT Wan Team, CCNP

-----Original Message-----
From: Pete Kruckenberg [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 2:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Arbor Networks DoS defense product

On Wed, 15 May 2002, Rubens Kuhl Jr. wrote:

> If and when
> (a) customers don't get exemption for attack traffic
> (b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of
> the month per customer circuit
> (c) the DoS increases bytes transferred like large ICMP packet flood; this
> is not the case for all DoS traffic, which can be a bunch of small packets
> that actually decreases traffic

These might apply to noticeable DoS attacks that occur as specific events. But how much (D)DoS traffic goes unnoticed by the average customer because it's too tough to detect or defend against? The 10% I've measured on my network is primarily reflected DDoS (reflected off my customers, to off-net targets), which is not trivial to detect or defend against.

Pete.
Re: Arbor Networks DoS defense product
Hi, folks.

Ah, you know when you mention DDoS too frequently I'm bound to post. :)

] specific events. But how much (D)DoS traffic goes unnoticed
] by the average customer because it's too tough to detect or
] defend against? The 10% I've measured on my network is

Valid concern. I tracked five groups of miscreants, each with a botnet, and recorded well over 100 DDoS attacks in a single 24 hour period. These were the attacks that were obvious, e.g. the attack was coordinated or discussed in channel, with the results often pasted into the channel as well (IRC ping timeouts, traceroutes, pings, HTTP gets, etc.). How many privately discussed attacks did I not log?

In the underground DoS is ubiquitous and quite frequent. The miscreant without a botnet or DoSnet is generally in the active pursuit of one or both. In fact, if you see a sudden upsurge in scans for a particular port (Sub7, FTP, NetBIOS shares), this is often the result of a botnet or DoSnet harvest.

Many of the DoS tools and bots are specifically written to generate seemingly legitimate traffic. These tools do not spoof the source IP. Some will generate a surfeit of sockets to a web server; this won't appear as anomalous traffic, particularly if there is no flow analysis on the network. It isn't clear to me how the various anti-DDoS tools (Captus, Arbor, Riverhead, et al.) will deal with a surfeit of legitimate traffic, though Mazu may have some chance of fingerprinting this traffic (it is essentially an anomaly detector). N.B.: I've not tested any of these devices.

Many edge networks do not run any sort of flow collection and analysis tool. They have no idea what is hitting their site, but they know it is causing woe. They call their ISP and expect them to deduce the naughty flows. Some ISPs are incapable of analyzing the flows as well. It's a real mixed bag.

I would argue that there are other things that can be done at the edge to mitigate the present effect of DoS (measured or unmeasured). Anti-spoofing does help. In one study I conducted of an oft-DoS'd site, 60% of the naughty packets had _obvious_ bogon source addresses. The percentage of spoofing was difficult to deduce, though it may have been quite a bit higher than 60%. Why send such packets through an anti-DDoS device? It's a waste of cycles. Ah, but you've heard this from me before, so I'll spare you the rave. :)

What percentage of all Internet traffic is DoS? Unclear. Until the data is gathered, it can not be analyzed, and the data is rarely collected.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
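Rob's point about bogon source addresses and Pete's observation (quoted above) that reflected DDoS bounced off one's own customers is hard to spot both come down to the same thing: looking at flow data rather than waiting for the phone to ring. The Python below is an added example for this thread, not code from Rob, Pete, Team Cymru or any of the vendors named; it runs two such checks over a constructed set of NetFlow-style records. The first reports the fraction of packets whose source falls in a fixed set of reserved prefixes (only the stable subset of the bogon list, which in full also covers unallocated space and changes over time). The second flags off-net destinations receiving SYN-ACK or RST packets from many distinct local hosts, which is what a network looks like when its hosts are answering spoofed SYNs aimed at a victim elsewhere. The local network 203.0.113.0/24 and the external addresses in 198.51.100.0/24 are assumed example ranges standing in for real ones.

```python
"""Flow-record triage for two DoS symptoms discussed in the thread:
bogon-sourced packets and reflected attacks bounced off local hosts.
Added example; the flow records below are constructed, not real data."""
from collections import defaultdict
import ipaddress

# Reserved / private prefixes that should never be a source address on the
# public Internet.  Only the fixed subset of the bogon list; the full list
# also contains currently unallocated space and changes over time.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits as found in flow records


def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_PREFIXES)


def bogon_packet_fraction(flows):
    """Share of all packets (not flows) carrying a bogon source address."""
    total = sum(f["packets"] for f in flows)
    bad = sum(f["packets"] for f in flows if is_bogon(f["src"]))
    return bad / total if total else 0.0


def reflection_suspects(flows, local_net, min_reflectors=3):
    """Off-net destinations that receive SYN-ACK or RST (never a bare SYN)
    from at least `min_reflectors` distinct local hosts.  Returns
    {destination: (number_of_local_reflectors, packets_sent_to_it)}."""
    local = ipaddress.ip_network(local_net)
    by_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0})
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        # Only outbound TCP from our own hosts is of interest here.
        if src not in local or dst in local or f["proto"] != "tcp":
            continue
        flags = f["flags"]
        is_synack = flags & (SYN | ACK) == (SYN | ACK)
        is_rst = bool(flags & RST)
        if not (is_synack or is_rst):
            continue
        entry = by_dst[str(dst)]
        entry["reflectors"].add(str(src))
        entry["packets"] += f["packets"]
    return {dst: (len(e["reflectors"]), e["packets"])
            for dst, e in by_dst.items()
            if len(e["reflectors"]) >= min_reflectors}


# Constructed sample: 203.0.113.0/24 is the assumed local (customer) network.
SAMPLE_FLOWS = [
    # a customer web server answering one ordinary outside client
    {"src": "203.0.113.10", "dst": "198.51.100.20", "proto": "tcp", "flags": SYN | ACK, "packets": 40},
    # inbound packets with obviously spoofed (bogon) sources hitting a customer
    {"src": "10.1.2.3", "dst": "203.0.113.5", "proto": "tcp", "flags": SYN, "packets": 300},
    {"src": "240.1.1.1", "dst": "203.0.113.5", "proto": "udp", "flags": 0, "packets": 200},
    {"src": "169.254.7.7", "dst": "203.0.113.5", "proto": "tcp", "flags": SYN, "packets": 100},
    # legitimate inbound traffic
    {"src": "198.51.100.20", "dst": "203.0.113.10", "proto": "tcp", "flags": ACK, "packets": 400},
    # four customer hosts answering spoofed SYNs: SYN-ACKs and RSTs to one off-net victim
    {"src": "203.0.113.11", "dst": "198.51.100.7", "proto": "tcp", "flags": SYN | ACK, "packets": 500},
    {"src": "203.0.113.12", "dst": "198.51.100.7", "proto": "tcp", "flags": SYN | ACK, "packets": 450},
    {"src": "203.0.113.13", "dst": "198.51.100.7", "proto": "tcp", "flags": RST, "packets": 300},
    {"src": "203.0.113.14", "dst": "198.51.100.7", "proto": "tcp", "flags": RST | ACK, "packets": 250},
]

if __name__ == "__main__":
    print("bogon-sourced packets: %.1f%%" % (100 * bogon_packet_fraction(SAMPLE_FLOWS)))
    for dst, (n, pkts) in reflection_suspects(SAMPLE_FLOWS, "203.0.113.0/24").items():
        print("possible reflection victim %s: %d local reflectors, %d packets" % (dst, n, pkts))
```

The reflector check deliberately ignores packets with only the SYN bit set: a local host initiating connections is a client, not a reflector, and a single local server answering many outside clients shows up as many destinations with one reflector each, not one destination with many. Bogon-sourced packets, as Rob says, never need to reach an anti-DDoS box at all; an ingress filter on the border router drops them first.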
Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 12:14:35AM -0600, Pete Kruckenberg wrote:
>
> These might apply to noticeable DoS attacks that occur as specific
> events. But how much (D)DoS traffic goes unnoticed by the average
> customer because it's too tough to detect or defend against? The 10%
> I've measured on my network is primarily reflected DDoS (reflected off
> my customers, to off-net targets), which is not trivial to detect or
> defend against.

It all depends on the networks involved. I'd venture to say that most people not associated with university networks see significantly less DoS, more like 1% of overall traffic for service providers and probably closer to 0% for end users who aren't IRCing. At any rate, you are also in the very special case of being the one used to do the attacks rather than the one being attacked. Again, you really have to have university networks involved to see those numbers.

In non DDoS cases, particularly your classic bandwidth floods, the source feels the attack as badly as the victim. That is less the case today, with targeted attacks (your network MAY fall over routing 100kpps, but it is far more likely to fall over if those 100kpps are directed at your routers) and DDoS reducing the amount of power that any given source must use. Remember that the original point of DDoS was to prevent the sources from noticing (and thus shutting down the compromised machines) by using 10 networks at 10% instead of 1 at 100%. Today, you often see targeted high pps low bandwidth attacks which actually bring down traffic (these *are* supposed to be denial of service attacks after all :P) instead of raising it.

But as for your case... Attacks directed at you and attacks directed from you are sometimes the same thing and sometimes different, and I think most people see money to be made in the former. Personally I would rather have to deal with the latter, because there is something I can easily do about it. For the sake of the rest of us, PLEASE go fix your network so that we don't have to deal with your attacks. I'm still recommending rate limiting your outbound RSTs either on the webservers themselves (which a good OS should do), or on the routers. :)

--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
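Richard's closing recommendation, rate limiting outbound RSTs on the web servers or the routers, is easy to reason about with a token bucket. The Python below is an added illustration for this thread, not code from Richard's message or from any operating system or router vendor. It applies a token bucket (100 RSTs per second sustained with a burst of 50, both assumed numbers) to a constructed one-second burst of 1000 outbound RSTs mixed with ordinary ACK packets, and reports what passes and what is dropped. Time is kept in milliseconds and the bucket in integer "millitokens" so the arithmetic is exact.

```python
"""Token-bucket rate limit on outbound TCP RSTs, as a simulation.
Added example; the packet burst is constructed, not captured traffic."""

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


class TokenBucket:
    """Integer token bucket.  Time is in milliseconds and tokens are scaled
    by 1000, so a rate of `rate_pps` packets/second refills exactly
    `rate_pps` millitokens per millisecond with no floating-point drift."""

    def __init__(self, rate_pps, burst):
        self.rate_pps = rate_pps
        self.capacity = burst * 1000
        self.tokens = self.capacity   # start full: a short burst passes untouched
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)  # tolerate a non-monotonic clock
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_pps)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def limit_outbound_rsts(packets, bucket):
    """packets: iterable of (time_ms, tcp_flags) in time order.
    Only packets carrying the RST flag consult the bucket; everything else
    is forwarded unconditionally, so the limiter cannot harm normal traffic."""
    counts = {"passed_rst": 0, "dropped_rst": 0, "passed_other": 0}
    for t, flags in packets:
        if not flags & RST:
            counts["passed_other"] += 1
        elif bucket.allow(t):
            counts["passed_rst"] += 1
        else:
            counts["dropped_rst"] += 1
    return counts


def build_sample_burst():
    """Constructed input: 1000 RSTs, one per millisecond for a second (the
    shape of a server answering a spoofed flood aimed at someone else),
    plus 20 ordinary ACKs spread across the same second."""
    pkts = [(t, RST) for t in range(1000)] + [(t * 50, ACK) for t in range(20)]
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    result = limit_outbound_rsts(build_sample_burst(), TokenBucket(rate_pps=100, burst=50))
    print(result)   # {'passed_rst': 149, 'dropped_rst': 851, 'passed_other': 20}
```

With these parameters the 1000-RST burst is cut to 149 (50 from the initial bucket plus roughly 100 refilled over the second) while all 20 ACKs pass, which is the property Richard is after: the network stops being a useful reflector without touching established connections. The cost is that a host with a legitimate reason to send many RSTs in a short time, such as one being port-scanned, will also have some of them dropped.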