Re: Multi ISP DDOS

2006-05-05 Thread william(at)elan.net



On Thu, 4 May 2006, Martin Hannigan wrote:


I hate to be the bearer of bad news to spammers :) but based on
bluesecurity's tactics I can make a guess about attitude of their
people and it's such that DoS attack on them will only cause them
more determination to continue and I suspect to majority of their users
as well (and publicity is also likely to bring them more users).


Moving the site to TypePad was an incorrect way of dealing with the attack
though; but it's actually not the first time I've heard of the site
using a blog as temporary page while their primary site is down due
to DoS... - some education on what blogs are good for is in order.
But as it is, it looks like bluesecurity is moving to Prolexic, which
claims to deal with just such situations.


I hate to be the bearer of bad news to BS' VC's, but BS moving their
DNS to UltraDNS and hosting to Prolexic was likely not part of the business
plan. They ain't cheap. The spammers can now theoretically force them
to spend all time and all their money responding to attacks.


You know quite well that if they continue dos for too long law-enforcement
would finally get interested... Now I really don't know UDNS and Prolexic
prices but I have a feeling those hosting fees would be far from being
their biggest expense. So I have to disagree with you that is what could
bring them down, though I agree that as usual a lot depends on if their
VCs want all this going - I just don't think hosting fees will be major
reason for such a decision (unless BS self-funded which I doubt).

The killer here is that they asked a lot of people a year ago whether
this was a good idea and everyone said no.


Yep and they were all right.


Spammers: 2 Blue Security: 0
NANOG: -2 (vigilante time sink)


It's more like:
Spammers: -2  Blue Security: -1  Nanog: 0 (talk is cheap but results are...)

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Multi ISP DDOS

2006-05-04 Thread Martin Hannigan



At 11:15 AM 5/3/2006, John Levine wrote:

Uh. Who let the Frog out?

http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology


It's all explained here:

http://weblog.johnlevine.com/2006/05/03



And this just hit wires with quotes from Renesys and SANS ISC.

http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html


-M

--
Martin Hannigan (c) 617-388-2663
Renesys Corporation (w) 617-395-8574
Member of Technical Staff  Network Operations
   [EMAIL PROTECTED]  



Re: Multi ISP DDOS

2006-05-04 Thread william(at)elan.net



On Thu, 4 May 2006, Martin Hannigan wrote:


At 11:15 AM 5/3/2006, John Levine wrote:

Uh. Who let the Frog out?

http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology


It's all explained here:

http://weblog.johnlevine.com/2006/05/03


And this just hit wires with quotes from Renesys and SANS ISC.

http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html


I hate to be the bearer of bad news to spammers :) but based on
bluesecurity's tactics I can make a guess about attitude of their
people and it's such that DoS attack on them will only cause them
more determination to continue and I suspect to majority of their
users as well (and publicity is also likely to bring them more users).


Moving the site to TypePad was an incorrect way of dealing with the attack
though; but it's actually not the first time I've heard of the site
using a blog as temporary page while their primary site is down due
to DoS... - some education on what blogs are good for is in order.
But as it is, it looks like bluesecurity is moving to Prolexic, which
claims to deal with just such situations.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Multi ISP DDOS

2006-05-04 Thread Martin Hannigan


At 07:16 PM 5/4/2006, william(at)elan.net wrote:



On Thu, 4 May 2006, Martin Hannigan wrote:


At 11:15 AM 5/3/2006, John Levine wrote:

Uh. Who let the Frog out?

http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology

It's all explained here:
http://weblog.johnlevine.com/2006/05/03


And this just hit wires with quotes from Renesys and SANS ISC.

http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html


I hate to be the bearer of bad news to spammers :) but based on
bluesecurity's tactics I can make a guess about attitude of their
people and it's such that DoS attack on them will only cause them
more determination to continue and I suspect to majority of their
users as well (and publicity is also likely to bring them more users).


Moving the site to TypePad was an incorrect way of dealing with the attack
though; but it's actually not the first time I've heard of the site
using a blog as temporary page while their primary site is down due
to DoS... - some education on what blogs are good for is in order.
But as it is, it looks like bluesecurity is moving to Prolexic, which
claims to deal with just such situations.



I hate to be the bearer of bad news to BS' VC's, but BS moving their
DNS to UltraDNS and hosting to Prolexic was likely not part of the business
plan. They ain't cheap. The spammers can now theoretically force them
to spend all time and all their money responding to attacks.

The killer here is that they asked a lot of people a year ago whether this
was a good idea and everyone said no. Read John Levine's blog and pointer to a
few of his previous articles. He wasn't the only person they asked. There's a
WHOLE lot more to this than is public.

Spammers: 2 Blue Security: 0
NANOG: -2 (vigilante time sink)


-M

--
Martin Hannigan (c) 617-388-2663
Renesys Corporation (w) 617-395-8574
Member of Technical Staff  Network Operations
   [EMAIL PROTECTED]  



Re: Multi ISP DDOS

2006-05-04 Thread Rich Kulawiec

On Thu, May 04, 2006 at 08:21:04PM -0400, Martin Hannigan wrote:
 The killer here is that they asked a lot of people a year ago whether this
 was a good idea and everyone said no.

Agreed.

It's just the latest in the series of fiascos that we've seen when
people try to respond to abuse with abuse.  It doesn't work, it's
not going to work, and the most likely outcome of any attempt to
make it work will be yet another illustration of the law of
unintended consequences.  (e.g. Lycos' MakeLoveNotSpam)

Not to mention that furnishing useful intelligence to the enemy
(which BS does by design) is a poor strategy.

---Rsk


Re: Multi ISP DDOS

2006-05-03 Thread Peter Wohlers

Martin Hannigan wrote:
 
 At 10:11 PM 5/2/2006, Richard A Steenbergen wrote:
 
 On Tue, May 02, 2006 at 06:40:43PM -0700, Tim Pozar wrote:
  UL is seeing a large DDOS coming towards a couple of customers of ours.
  I know that other ISPs have been affected as well.  I will let them
  identify themselves.
 
  Anyone have any scoop on this?

 A) I don't think anyone knows who UL is by that reference alone (I assume
you mean united layer).

 B) The DoS target is Livejournal.

 C) As an upstream of an upstream of LJ I'm barely seeing 150Mbps or so of
it. No indications of exactly how big it is by the time it hits them,
but at least from my perspective it doesn't seem like a huge attack.

 Hope it stops soon though, a sustained livejournal outage is probably
 grounds for at least 4-5 suicides by distraught teenagers who can't blog
 about their day. :)
 
 
 Add in the Blue Security DDOS. NSP-SEC must be busy defending DDoS'ers
 tonight keeping them from helping people defend LiveJournal.
 
 Uh. Who let the Frog out?
 
 http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology
 

Blue Security's solution to their DOS was to point their www to their
Typepad-hosted blog.

apogee:/home/pedro host www.bluesecurity.com
www.bluesecurity.com is a nickname for bluesecurity.blogs.com
bluesecurity.blogs.com has address 204.9.178.61
apogee:/home/pedro whois -h whois.arin.net 204.9.178.61

OrgName:SIX APART LTD
OrgID:  SAL-48
[...]

How's that for honorable comportment. We're getting slammed so we're
gonna make it someone else's problem (and not give them a heads up).

-- 
Peter Wohlers
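
Added example (not part of the original message or thread): a small Python parser for the `host` output quoted above that follows the alias chain and reports where the name leaves its owner's own domain. The function names and the "last two labels" domain heuristic are assumptions of this example.

```python
import re

# Sample input: the `host` output quoted in the message above.
HOST_OUTPUT = """\
www.bluesecurity.com is a nickname for bluesecurity.blogs.com
bluesecurity.blogs.com has address 204.9.178.61
"""

ALIAS_RE = re.compile(r"^(\S+) is (?:a nickname|an alias) for (\S+)$")
ADDR_RE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def parent_domain(name):
    # Crude stand-in for the registrable domain: the last two labels.
    # Assumption of this example; real code needs the Public Suffix List.
    return ".".join(norm(name).split(".")[-2:])

def parse_host_output(text):
    """Return (aliases, addresses) parsed from `host` output lines."""
    aliases, addresses = {}, {}
    for line in text.splitlines():
        alias = ALIAS_RE.match(line.strip())
        addr = ADDR_RE.match(line.strip())
        if alias:
            aliases[norm(alias.group(1))] = norm(alias.group(2))
        elif addr:
            addresses.setdefault(norm(addr.group(1)), []).append(addr.group(2))
    return aliases, addresses

def trace(name, text, max_hops=8):
    """Follow the alias chain from `name`; report where it leaves the zone."""
    aliases, addresses = parse_host_output(text)
    chain = [norm(name)]
    while chain[-1] in aliases and len(chain) <= max_hops:
        nxt = aliases[chain[-1]]
        if nxt in chain:  # alias loop: stop rather than spin
            break
        chain.append(nxt)
    home = parent_domain(chain[0])
    external = [n for n in chain[1:] if parent_domain(n) != home]
    return {"chain": chain, "addresses": addresses.get(chain[-1], []),
            "leaves_zone_at": external[0] if external else None}

if __name__ == "__main__":
    print(trace("www.bluesecurity.com", HOST_OUTPUT))
```
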



Re: Multi ISP DDOS

2006-05-03 Thread Martin Hannigan


At 11:52 AM 5/3/2006, Peter Wohlers wrote:


Martin Hannigan wrote:

 At 10:11 PM 5/2/2006, Richard A Steenbergen wrote:

 On Tue, May 02, 2006 at 06:40:43PM -0700, Tim Pozar wrote:
  UL is seeing a large DDOS coming towards a couple of customers of ours.
  I know that other ISPs have been affected as well.  I will let them
  identify themselves.
 
  Anyone have any scoop on this?

 A) I don't think anyone knows who UL is by that reference alone (I assume
you mean united layer).

 B) The DoS target is Livejournal.

 C) As an upstream of an upstream of LJ I'm barely seeing 150Mbps or so of
it. No indications of exactly how big it is by the time it hits them,
but at least from my perspective it doesn't seem like a huge attack.

 Hope it stops soon though, a sustained livejournal outage is probably
 grounds for at least 4-5 suicides by distraught teenagers who can't blog
 about their day. :)


 Add in the Blue Security DDOS. NSP-SEC must be busy defending DDoS'ers
 tonight keeping them from helping people defend LiveJournal.

 Uh. Who let the Frog out?

 
http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology



Blue Security's solution to their DOS was to point their www to their
Typepad-hosted blog.

apogee:/home/pedro host www.bluesecurity.com
www.bluesecurity.com is a nickname for bluesecurity.blogs.com
bluesecurity.blogs.com has address 204.9.178.61
apogee:/home/pedro whois -h whois.arin.net 204.9.178.61

OrgName:SIX APART LTD
OrgID:  SAL-48
[...]

How's that for honorable comportment. We're getting slammed so we're
gonna make it someone else's problem (and not give them a heads up).



Like Lycos MLNS, I predict we'll see random infrastructure obfuscation,
route changes, hardware moves, etc. and ultimately the end of BS. If
not today, perhaps soon.

It's interesting to watch the equivalent of the battle of
Omaha Beach between two sets of miscreants, one legitimized by
some on nsp-sec, and one legitimized by a commercial DDoS service.


-M


Multi ISP DDOS

2006-05-02 Thread Tim Pozar
UL is seeing a large DDOS coming towards a couple of customers of ours.
I know that other ISPs have been affected as well.  I will let them
identify themselves.

Anyone have any scoop on this?

Tim
-- 
1978 45th Ave / San Francisco CA 94116 / USA // POTS: +1 415 665 3790
 GPG Fingerprint: 4821 CFDA 06E7 49F3 BF05  3F02 11E3 390F 8338 5B04
Life is playful - Ben Olizar
begin:vcard
fn:Tim Pozar
n:Pozar;Tim
org:UnitedLayer LLC
adr:Suite 110;;200 Paul Avenue;San Francisco;CA;94124-3100;US
email;internet:[EMAIL PROTECTED]
title:COO
tel;work:415-349-2112
tel;home:415-665-3790
tel;cell:415-637-8512
note:Be who you are and say what you feel because the people who mind don't matter and the people who matter don't mind. - Dr. Seuss
url:http://www.unitedlayer.com
version:2.1
end:vcard



Re: Multi ISP DDOS

2006-05-02 Thread Tim Pozar
Richard A Steenbergen wrote:
 On Tue, May 02, 2006 at 06:40:43PM -0700, Tim Pozar wrote:
 
UL is seeing a large DDOS coming towards a couple of customers of ours.
I know that other ISPs have been affected as well.  I will let them
identify themselves.

Anyone have any scoop on this?
 
 
 A) I don't think anyone knows who UL is by that reference alone (I assume 
you mean united layer).
 
 B) The DoS target is Livejournal.
 
 C) As an upstream of an upstream of LJ I'm barely seeing 150Mbps or so of 
it. No indications of exactly how big it is by the time it hits them, 
but at least from my perspective it doesn't seem like a huge attack.
 
 Hope it stops soon though, a sustained livejournal outage is probably 
 grounds for at least 4-5 suicides by distraught teenagers who can't blog 
 about their day. :)
 

Ya... I have been chatting with the folks at SixApart about this.  This
is one of the folks attacked.  It looks like there may have been others.

Tim
-- 
1978 45th Ave / San Francisco CA 94116 / USA // POTS: +1 415 665 3790
 GPG Fingerprint: 4821 CFDA 06E7 49F3 BF05  3F02 11E3 390F 8338 5B04
Life is playful - Ben Olizar



Re: Multi ISP DDOS

2006-05-02 Thread Martin Hannigan


At 10:11 PM 5/2/2006, Richard A Steenbergen wrote:


On Tue, May 02, 2006 at 06:40:43PM -0700, Tim Pozar wrote:
 UL is seeing a large DDOS coming towards a couple of customers of ours.
 I know that other ISPs have been affected as well.  I will let them
 identify themselves.

 Anyone have any scoop on this?

A) I don't think anyone knows who UL is by that reference alone (I assume
   you mean united layer).

B) The DoS target is Livejournal.

C) As an upstream of an upstream of LJ I'm barely seeing 150Mbps or so of
   it. No indications of exactly how big it is by the time it hits them,
   but at least from my perspective it doesn't seem like a huge attack.

Hope it stops soon though, a sustained livejournal outage is probably
grounds for at least 4-5 suicides by distraught teenagers who can't blog
about their day. :)



Add in the Blue Security DDOS. NSP-SEC must be busy defending DDoS'ers tonight
keeping them from helping people defend LiveJournal.

Uh. Who let the Frog out?

http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology

--
Martin Hannigan (c) 617-388-2663
Renesys Corporation (w) 617-395-8574
Member of Technical Staff  Network Operations
   [EMAIL PROTECTED]