Re: Counter DoS

2004-03-10 Thread william(at)elan.net

On Wed, 10 Mar 2004, Joshua Brady wrote:

> 
> http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm 
> Comments?

This is not really a comment about this article. But I really think it
would have been better if people didn't just put the link and then say
"comments" but actually posted the most important part of the article.

In this case it should have been mentioned that this is another article about
Symbiot (remember the thread about it just last week) and their threatened
counter-strike anti-DoS system... Here are some quotes from this article:


Symbiot launches DDoS counter-strike tool 
Munir Kotadia
ZDNet UK
March 10, 2004, e5:15 GMT
...
In advance of the product launch, Symbiot's president, Mike Erwin, and its 
chief scientist, Paco Nathan, have outlined a set of "rules of engagement 
for information warfare"
...
The company said it bases its theory on the military doctrine of 
"necessity and proportionality", which means the response to an attack is 
proportionate to the attack's ferocity. According to the company, a response
could range from "profiling and blacklisting upstream providers" or it 
could be escalated to launch a "distributed denial of service counter-strike"
...
Governments could soon be using hacker tools for law enforcement and the 
pursuit of justice, according to an expert on IT and Internet law. Joel 
Reidenberg, professor of law at New York-based Fordham University, believes
it likely that denial of service attacks (DoS) and packet-blocking technology
will be employed by nation states to enforce their laws. This could even 
include attacks on companies based in other countries, he says.


To be fair, I chose specific parts of the article, and it does list the views
and concerns of some security experts:


...
Security experts expressed alarm at the company's plans.

Graham Titterington, principal analyst at Ovum, said "such a counterattack
would not be regarded as self-defence and would therefore be an attack. It
would be illegal in those jurisdictions where an anti-hacking law is in place."
He added that because many hacking and DDoS attacks are launched from
hijacked computers, the system would be unlikely to find its real target: 
"Attacks are often launched from a site that has been hijacked, making it 
an unwitting and innocent -- although possibly slightly negligent -- party."

Richard Starnes, director of incident response at Cable and Wireless 
Managed Security Services, said he would not employ an "active defence 
technique" because there are legal and ethical issues involved. Also, he 
would not be happy about any product "specifically designed to launch 
attacks" being put into commercial production. Starnes said it would be 
easy to hit the wrong target and even if it was the right target, there 
could be collateral damage: "You may be taking out grandma's computer in 
Birmingham that has got a 100-year-old cookie recipe that has not been 
backed up. The attack could also knock over a Point of Presence (PoP), so 
you are not only attacking the target, but also the feeds before them -- 
this means taking out ISPs, businesses and home users."




RE: Counter DoS

2004-03-10 Thread Mark Borchers

> The company said it bases its theory on the military doctrine of 
> "necessity and proportionality", which means the response to 
> an attack is 
> proportionate to the attack's ferocity. According to the 
> company, a response could range from "profiling and 
> blacklisting upstream providers" or it 
> could be escalated to launch a "distributed denial of service 
> counter-strike" ... 

Their ROE white paper is full of pseudo-military phraseology
that suggests lots of safeguards in place to respond only to
verifiably culpable adversaries and to ensure responsible
executive oversight... right up to the point when they
start talking about distributed denial of service counterattacks
(under the heading which they refer to as "asymmetric measures").

I wonder, are they planning to launch these DDoS attacks from
compromised hosts belonging to unwitting accomplices like the
bad guys do?  Or by enlisting the computing resources of all
Symbiot customers (i.e., if customer A gets attacked, hosts
at customers B, C, and D are employed in the retaliation)?
I'm assuming they use the term "distributed" advisedly.

Either way, it sounds illegal by design.




RE: Counter DoS

2004-03-10 Thread Christopher L. Morrow


On Wed, 10 Mar 2004, Mark Borchers wrote:

>
> > The company said it bases its theory on the military doctrine of
> > "necessity and proportionality", which means the response to
> > an attack is
> > proportionate to the attack's ferocity. According to the
> > company, a response could range from "profiling and
> > blacklisting upstream providers" or it
> > could be escalated to launch a "distributed denial of service
> > counter-strike" ...
>
> Their ROE white paper is full of pseudo-military phraseology
> that suggests lots of safeguards in place to respond only to
> verifiably culpable adversaries and to ensure responsible
> executive oversight... right up to the point when they
> start talking about distributed denial of service counterattacks
> (under the heading which they refer to as "asymmetric measures").

hopefully they will spend their time attacking that pesky attacker:
127.0.0.1... he's always attacking customers, shouldn't he have been
caught by now?


Re: Counter DoS

2004-03-10 Thread Sean Donelan

On Wed, 10 Mar 2004, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, "Joshua Brady" writes:
> >
> >http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
> >
> >Comments?
>
> The phrase "seriously bad idea" comes to mind.  Other phrases include
> "illegal", "collateral damage", and "stupid".

Any publicity is good publicity.

They haven't actually explained or shown what their product does.  Just a
bunch of puffery to get the press to write about them.

In the 1990's another company announced their new security product:
"Sidewinder: The firewall that strikes back!"  at the National Computer
Security Conference in Baltimore.  Sidewinder used lots of information
warfare quotes from Winn Schwartau and ex-military types staffing their
sales suite.

I wouldn't be surprised when they finally reveal their product it is a lot
less than the hype.  Right now it's a bit like a movie where the studio
won't give the critics an advance screening, but has a big advertising
budget.  Usually that is a sign of a stinker.


Re: Counter DoS

2004-03-10 Thread Gregory Taylor

I remember the sidewinder.  They had a huge marketing campaign aimed at
convincing the customer that their firewalls were impenetrable.  Their
firewalls didn't sell all that well, and those that did sell, proved to 
be a colossal failure.  I still have a deck of 'sidewinder' playing 
cards from COMDEX.  (Sorry for being off topic, just thought that was 
funny and brought back some nostalgia)

Greg


Re: Counter DoS

2004-03-10 Thread Gregory Taylor

After reading that article, if this product really is capable of
'counter striking DDoS attacks', my assumption is that it will fire
packets back at the nodes attacking it.  Doing such an attack would
be neither feasible nor legal.  You would only double the effect that the
initial attack caused to begin with, plus you would be attacking hacked
machines and not the culprit themselves, thus pouring gasoline all over
an already blazing inferno.

This product is a bad bad idea and anyone who invests money into it 
should slap themselves very hard with a metal gauntlet for being so 
gullible.

Greg


Re: Counter DoS

2004-03-10 Thread Jay Hennigan

On Wed, 10 Mar 2004, Gregory Taylor wrote:

> After reading that article, if this product really is capable of
> 'counter striking DDoS attacks', my assumption is that it will fire
> packets back at the nodes attacking it.  Doing such an attack would
> be neither feasible nor legal.  You would only double the effect that the
> initial attack caused to begin with, plus you would be attacking hacked
> machines and not the culprit themselves, thus pouring gasoline all over
> an already blazing inferno.

On the other hand, they could become immensely popular, reaching the
critical mass when one of them detects what is interpreted as an attack
from a network protected by another.  Grab the popcorn and watch as they
all bludgeon each other to death.  :-)

-- 
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/


Re: Counter DoS

2004-03-10 Thread Gregory Taylor

Oh yes, let's not forget the fact that if enough sites have this
'firewall' and one of them gets attacked by other sites using this 
firewall it'll create a nuclear fission sized chain reaction of looping 
Denial of Service Attacks that would probably bring most major backbone 
providers to their knees.

(Popcorn's in the microwave as I speak)

Greg


Re: Counter DoS

2004-03-11 Thread Brian Bruns

On Thursday, March 11, 2004 2:43 AM [EST], Jay Hennigan <[EMAIL PROTECTED]> wrote:


>
> On the other hand, they could become immensely popular, reaching the
> critical mass when one of them detects what is interpreted as an attack
> from a network protected by another.  Grab the popcorn and watch as they
> all bludgeon each other to death.  :-)

Sounds like efnet channel wars on a much more interesting scale.

Like I've said in previous posts - do we really want these people having tools
like this?  Doesn't this make them the equivalent of 'script kiddies'?

How the hell could a company put something like this out, and expect not to
get themselves sued to the moon and back when it fires a shot at an innocent
party?

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The Abusive Hosts Blocking List
http://www.ahbl.org



Re: Counter DoS

2004-03-11 Thread Brian Bruns

On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <[EMAIL PROTECTED]>
wrote:

>
> Sounds like efnet channel wars on a much more interesting scale.
>
> Like I've said in previous posts - do we really want these people having
> tools like this?  Doesn't this make them the equivalent of 'script kiddies'?
>
> How the hell could a company put something like this out, and expect not to
> get themselves sued to the moon and back when it fires a shot at an innocent
> party?

I hit send way too fast, heh.


What's going to happen when they find a nice little exploit in these buggers
(even if they have anti-spoof stuff in them) that allows the kids to take
control of them or trick them into attacking innocents?  Instead of thousands
of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these
'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use
the current trojans?

No product is 100% secure (especially not something that runs under Windows,
but that's another issue), so how are they going to deliver updates?  Or make
sure that the thing is configured right?  I could see blacklists (BGP based)
cropping up of these systems, so that you can filter these networks from ever
being able to come near your network.

This is starting to sound more and more like a nuclear arms race - on one side
we have Company A, on the other Company B.  Company A fears that B will attack
it, so they get this super dooper nuclear strike system.  Company B follows
suit and sets one up as well.  Both then increase their bandwidth, outdoing
the other until finally, a script kiddie comes along, and spoofs a packet from A
to B, and B attacks A, and A responds with its own attack.  ISPs hosting the
companies fall flat on their face from the attack, the backbone between the
two ISPs gets lagged to death, and stuff starts grinding to a halt for others
caught in the crossfire.

So, who thinks that this is a good idea? :)
-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The Abusive Hosts Blocking List
http://www.ahbl.org



Re: Counter DoS

2004-03-11 Thread Gregory Taylor

My mom likes the idea, she thinks it'll help her get her hotmail faster.
(shrugs)


Re: Counter DoS

2004-03-11 Thread Baldwin, James

http://www.symbiot.com/media/iwROE.pdf

The Symbiot whitepaper on their service describes a process with a
little more imagination and use than simply flooding attacking nodes
with packets. It describes a process which appears to require human
intervention through an Operations Center to aid in tracking down
offending nodes and notifying the offenders' service providers prior to
a deployment of active defenses.

That being said, it also specifically mentions "distributed denial of
service counterattacks" as a not quite so last resort, and possibly
automated response gesture for multiple identified offenders with whom
intervention from service providers and other authorities has not been
forthcoming.

I applaud the idea of an outsourced department that will manage the
denial of service, and "hordes of script kiddie" (nod to Ranum) problems
that plague modern networks. Anything that keeps me from being
distracted from more interesting lines of thought, rather than
constantly following up on outside nuisances is a Good Thing (tm).
However, the deployment of "active defenses" in response to a failure of
service providers to adequately secure their egress and ingress points
is not a choice any reasonable person would make. Vigilante justice
might be rewarding in the short term, but I choose not to leave the
judgment of friend and foe in the hands of someone with large amounts of
bandwidth at the tips of their itchy trigger fingers.

James Baldwin
WorldWide Technology, Services, and Operations
Operations Center
Electronic Arts, Inc.



Re: Counter DoS

2004-03-11 Thread Sean Donelan

On Thu, 11 Mar 2004, Baldwin, James wrote:
> I applaud the idea of a outsourced department that will manage the
> denial of service, and "hordes of script kiddie" (nod to Ranum) problems
> that plague modern networks. Anything that keeps me from being
> distracted from more interesting lines of thought, rather than
> constantly following up on outside nuisances is a Good Thing (tm).

There are hundreds of managed security providers which happily take your
money, analyze your firewall and other security logs, monitor
"underground" sources, notify service providers on your behalf,
etc.  There are many "black lists" operated by for-profit and non-profit
organizations which will block not only the compromised computer, but
also hundreds of other computers to "get the attention" of people.

Most are reputable.  But the security industry is full of puffery like
home alarm companies promising their customers "armed response."  "Armed
response" may be armed, but it's doubtful they will go charging into your
house with guns blazing when your house alarm goes off.

This company's P.R. firm has succeeded in getting people talking about
a company without a released product.  I suspect when they finally do
release their product, it will be much less than the hype.

Perhaps people could recommend some managed security firms with good
reputations.  Unfortunately, the best ones also seem rather dull.  They
understand there are no magic solutions and don't pretend to have
"secret sauce."  It's just basic hard work.




Re: Counter DoS

2004-03-11 Thread Brandon Butterworth

> The Symbiot whitepaper on their service describes a process with a
> little more imagination

Like hooking it up to DARPA Grand Challenge winners?

http://abcnews.go.com/sections/SciTech/WorldNewsTonight/robot_race_darpa_040310-1.html

> I applaud the idea of a outsourced department that will manage the
> denial of service, and "hordes of script kiddie" 

trouble with sending a droid round to kick ass is you've
just made Skynet V0.1


brandon


Re: Counter DoS

2004-03-11 Thread Hank Nussbacher

At 09:43 AM 11-03-04 +, Brandon Butterworth wrote:

> > The Symbiot whitepaper on their service describes a process with a
> > little more imagination
>
> Like hooking it up to DARPA Grand Challenge winners?
>
> http://abcnews.go.com/sections/SciTech/WorldNewsTonight/robot_race_darpa_040310-1.html

They recently revised the rules downward:
http://www.wired.com/news/technology/0,1282,62608,00.html?tw=wn_tophead_3

> > I applaud the idea of a outsourced department that will manage the
> > denial of service, and "hordes of script kiddie"
>
> trouble with sending a droid round to kick ass is you've
> just made Skynet V0.1

But:
http://www.wired.com/wired/archive/12.03/robot.html
...which has the classic Battlebots line of "Can you drive over a
competitor's vehicle? "I wouldn't describe running over another vehicle as
incidental contact," says Negron. "What if it is a carefully navigated
maneuver?" the guy asks. Negron shakes his head. "No.""

:-)

-Hank



RE: Counter DoS

2004-03-11 Thread Michael . Dillon

>I wonder, are they planning to launch these DDoS attacks from
>compromised hosts belonging to unwitting accomplices like the
>bad guys do?

Could they be the people behind NetSky? We know now that Bagle
and MyDoom come from spammer gangs but I haven't heard if anyone
has identified a motive behind Netsky yet.

I suppose that Symbiot is the logical next step. Now that there
is a market for compromised hosts to build distributed networks
for DoS, DNS, or anonymous hosting the logical next step is for 
a legitimate company (or semi-legitimate) to step into that market
and try to dominate it.

If the ISP and the vendor community won't work together to build
the tools and systems needed to identify and block DDoS emitters
then this is the inevitable result. If it goes much further then
ISPs risk being sued for blocking DDoS because they will also be
blocking somebody's revenue stream as well.

--Michael Dillon






Re: Counter DoS

2004-03-11 Thread Vinny Abello

At 02:25 AM 3/11/2004, Gregory Taylor wrote:

> After reading that article, if this product really is capable of 'counter
> striking DDoS attacks', my assumption is that it will fire packets back at
> the nodes attacking it.  Doing such an attack would be neither
> feasible nor legal.  You would only double the effect that the initial
> attack caused to begin with, plus you would be attacking hacked machines
> and not the culprit themselves, thus pouring gasoline all over an already
> blazing inferno.

Plus imagine an attack originates behind one of these devices for some
reason attacking another device. It'll just create a massive loop. :) That
would be interesting.

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and 
those that don't.




Re: Counter DoS

2004-03-11 Thread Petri Helenius

Gregory Taylor wrote:

> Oh yes, let's not forget the fact that if enough sites have this
> 'firewall' and one of them gets attacked by other sites using this
> firewall it'll create a nuclear fission sized chain reaction of
> looping Denial of Service Attacks that would probably bring most major
> backbone providers to their knees.

Fortunately people with less clue usually have less bandwidth. Obviously 
there are exceptions. I would expect to see localized tragedies if 
something like this would get deployed but predicting death of the 
internet is clueless.

Pete







Re: Counter DoS

2004-03-11 Thread william(at)elan.net


On Thu, 11 Mar 2004, Petri Helenius wrote:
> Gregory Taylor wrote:
> > Oh yes, lets not forget the fact that if enough sites have this 
> > 'firewall' and one of them gets attacked by other sites using this 
> > firewall it'll create a nuclear fission sized chain reaction of 
> > looping Denial of Service Attacks that would probably bring most major 
> > backbone providers to their knees.
> >
> Fortunately people with less clue usually have less bandwidth. Obviously 
> there are exceptions. I would expect to see localized tragedies if 
> something like this would get deployed but predicting death of the 
> internet is clueless.

Don't be so sure that people with no clue don't have bandwidth; large
companies with enormous resources sometimes end up with really clueless
people at the top and similarly clueless network techs.

But the reality is it does not matter. Even five years ago, DoS attacks were
already usually distributed, coming mostly from compromised servers. Now,
thanks to Microsoft's constantly buggy software and the large deployment of
broadband, it's so easy for script-kiddies and the like to get hold of computers
to be used for such purposes (but at least our unix servers don't get
hacked as much...).

And I really hate this kind of script-kiddie attitude that if you strike me,
I'll strike you back even harder - revenge by the same means is not the
answer (and in many cases it's not revenge but they just want to show
themselves off as being more daring than the last guy). But then again, since
in the US most people support the death penalty and the government itself did not
care how many innocent Afghans died when it was doing its own revenge,
then what are we expecting from the company execs - they might well buy this
crap strike-back-with-a-vengeance firewall. I do hope that, if it were
to happen, it'll quickly become clear that this is totally illegal and
both Symbiot and those who bought it will end up in court and bankrupt
and that will establish a good precedent for the future.

But as I mentioned in the thread last week and as Sean Donelan mentioned
today too - all this looks a lot like publicity hype in the making
for a probably crappy product (but not crappy in the way that it'll
actually force its users to break the law). We have about 20 days to
wait before it's released, so let's just wait and see how bad it really is.

--- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: Counter DoS

2004-03-11 Thread Valdis . Kletnieks
On Thu, 11 Mar 2004 03:21:29 EST, Brian Bruns <[EMAIL PROTECTED]>  said:
> So, and who thinks that this is a good idea? :)

What's the going rate per megabyte for transit traffic? :)





Re: Counter DoS

2004-03-11 Thread Etaoin Shrdlu

"Pendergrass, Greg" wrote:
> 
> I can see now that it's only a matter of time before some nut writes "The
> Art of War in the Internet". I read the whitepaper, it goes on a lot about
> how defensive policies are ineffective but doesn't really say why active
> response has never been tried:

Ask, and ye shall receive.

http://btobsearch.barnesandnoble.com/textbooks/booksearch/isbnInquiry.asp?userid=2XH986JPUE&btob=Y&isbn=1581128576&TXT=Y&itm=1

I thought that someone mentioned that Mr. Forno was reputed to be on staff
with these folk. 

> Their proposition is a terrible idea and their "rules of engagement" would
> be funny instead of frightening if it wasn't serious

I note that he also has a title from last year, which seems applicable
here:

Weapons of Mass Delusion (ISBN 15896X)

I will point out that I cannot take seriously a company (Symbiot) that
depends on a shockwave plugin to put up a web page.

Pity that they came out so aggressively; it might have been an interesting
product. Hype can kill as well as sell.

--
It is by caffeine alone I set my mind in motion.
It is by the beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine only I set my mind in motion.


Re: Counter DoS

2004-03-10 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, "Joshua Brady" writes:
>
>http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm 
>
>Comments?

The phrase "seriously bad idea" comes to mind.  Other phrases include 
"illegal", "collateral damage", and "stupid".

--Steve Bellovin, http://www.research.att.com/~smb




Re: Counter DoS

2004-03-10 Thread Travis Dawson

I actually thought that this was some kind of April Fools day joke a few
weeks early.
Anyone who buys this should be shot on principle... Wait... First I have a
bridge to sell them.

At 05:55 PM 3/10/2004, Steven M. Bellovin wrote:

> In message <[EMAIL PROTECTED]>, "Joshua Brady" writes:
> >
> >http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
> >
> >Comments?
>
> The phrase "seriously bad idea" comes to mind.  Other phrases include
> "illegal", "collateral damage", and "stupid".
>
> --Steve Bellovin, http://www.research.att.com/~smb

-tdawson
[EMAIL PROTECTED]


RE: Counter DoS

2004-03-11 Thread Pendergrass, Greg

I can see now that it's only a matter of time before some nut writes "The
Art of War in the Internet". I read the whitepaper, it goes on a lot about
how defensive policies are ineffective but doesn't really say why active
response has never been tried:

A. Most of the time dDOS traffic is from spoofed sources anyway so whichever
machine you "return fire" on is probably not the one that attacked you.

B. NAT translation means a hacker has a tailor-made defense against any
active response.

C. Even if you can directly attack a machine being used against you it's
almost certainly not the perpetrator's box, he/she is sitting half a world
away. The box you intentionally destroy is likely some innocent family PC
that was taken over using some unplugged Windows security hole.

D. Widely deployed active defense will give an attacker a new form of dDOS
attack, spoof the source of the one you want to hit in attacking several
"active defense" systems and watch them attack your target for you.

Their proposition is a terrible idea and their "rules of engagement" would
be funny instead of frightening if it wasn't serious.

GP


-Original Message-
From: Joshua Brady [mailto:[EMAIL PROTECTED]
Sent: 11 March 2004 01:27
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Counter DoS



http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm 

Comments?






Re: Counter DoS

2004-03-11 Thread Daniel Karrenberg

On 10.03 20:55, Steven M. Bellovin wrote:
> 
> The phrase "seriously bad idea" comes to mind.  Other phrases include 
> "illegal", "collateral damage", and "stupid".

Those plus "escalation of aggression" and "uncontrollable feedback loop".

Daniel Karrenberg

PS: I will spare you the re-run of a recent discussion I had with some
5-year-olds, but there *is* a certain similarity. 
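The two failure modes argued in this thread, retaliation aimed at a forged source address (Greg Pendergrass's points A and D) and the "uncontrollable feedback loop" between two armed boxes, as an added toy simulation; this is not code from the thread or from Symbiot, and the node names, volumes, threshold and the strictly proportional reply rule are constructed assumptions.

```python
"""Toy model of automated strike-back firewalls (constructed example, not
the product's code).  Traffic is delivered in rounds; a node that sees at
least a threshold of volume from one source either blocks that source
(passive mitigation) or, if armed, answers it with a strictly proportional
volume aimed at the packet's claimed source.  Two of the thread's warnings
fall straight out of the model: a forged source turns the armed node into a
weapon against a third party, and two armed nodes never stop replying."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str   # source address as seen on the wire (may be forged)
    dst: str
    size: int  # constructed units of traffic volume


@dataclass
class Node:
    name: str
    strike_back: bool          # True: retaliate; False: just block the source
    threshold: int = 100       # volume from one source that counts as an attack
    seen: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)

    def receive(self, pkt):
        """Return the packets this node emits in response to pkt."""
        if pkt.src in self.blocked:
            return []
        self.seen[pkt.src] += pkt.size
        if self.seen[pkt.src] < self.threshold:
            return []
        if self.strike_back:
            # "Proportionality": reply with exactly the volume just received,
            # aimed at whatever address the packet claimed as its source.
            return [Packet(self.name, pkt.src, pkt.size)]
        # Passive mitigation: drop further traffic from that source, emit nothing.
        self.blocked.add(pkt.src)
        return []


def simulate(nodes, initial, max_rounds=6):
    """Deliver packets round by round.  Returns (volume received per
    destination, rounds that carried traffic).  Reaching max_rounds means
    the traffic never died out on its own."""
    by_name = {n.name: n for n in nodes}
    received = Counter()
    queue = list(initial)
    rounds = 0
    while queue and rounds < max_rounds:
        rounds += 1
        next_queue = []
        for pkt in queue:
            received[pkt.dst] += pkt.size
            target = by_name.get(pkt.dst)
            if target is not None:   # unmodelled addresses just absorb traffic
                next_queue.extend(target.receive(pkt))
        queue = next_queue
    return received, rounds


def spoofed_source_scenario(strike_back):
    """Points A/D: an attacker sends node A traffic forged to come from
    'victim'.  Returns the volume that lands on the victim, who sent nothing."""
    a = Node("A", strike_back)
    victim = Node("victim", strike_back=False)
    forged = [Packet("victim", "A", 60), Packet("victim", "A", 60)]  # constructed
    received, _ = simulate([a, victim], forged)
    return received["victim"]


def mutual_escalation_scenario(strike_back):
    """Feedback loop: one forged packet makes A believe B attacked it.
    Returns (volume received per node, rounds of traffic)."""
    a = Node("A", strike_back)
    b = Node("B", strike_back)
    trigger = [Packet("B", "A", 100)]   # constructed: forged source, B sent nothing
    return simulate([a, b], trigger)


if __name__ == "__main__":
    for armed in (False, True):
        print("armed" if armed else "passive",
              "| victim hit for", spoofed_source_scenario(armed),
              "| A<->B", mutual_escalation_scenario(armed))
```

With the passive policy the forged traffic reaches nobody and the loop ends after one round; with the armed policy the innocent address is hit and the A/B exchange is still running when the round cap stops the simulation.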


RE: Counter DoS

2004-03-11 Thread Pendergrass, Greg

By "The Art of War on the Internet" I didn't mean information warfare,
that's been with us as long as there's been information and the internet is
certainly going to be a major part of that. What I am against is anyone
trying to popularize the idea of the internet as a battleground where one
uses force and deception to "gain ground". It's just another case of people
wrongly attempting to fit something that they don't understand into a
framework that they do understand, thereby creating a fallacy. Trying to
base a product off of a flawed idea is bound to fail but also likely be a
major irritation before it does.

GP


-Original Message-
From: Etaoin Shrdlu [mailto:[EMAIL PROTECTED]
Sent: 11 March 2004 14:58
To: Nanog
Subject: Re: Counter DoS



"Pendergrass, Greg" wrote:
> 
> I can see now that it's only a matter of time before some nut writes "The
> Art of War in the Internet". I read the whitepaper, it goes on a lot about
> how defensive policies are ineffective but doesn't really say why active
> response has never been tried:

Ask, and ye shall receive.

http://btobsearch.barnesandnoble.com/textbooks/booksearch/isbnInquiry.asp?userid=2XH986JPUE&btob=Y&isbn=1581128576&TXT=Y&itm=1

I thought that someone mentioned that Mr. Forno was reputed to be on staff
with these folk. 

> Their proposition is a terrible idea and their "rules of engagement" would
> be funny instead of frightening if it wasn't serious

I note that he also has a title from last year, which seems applicable
here:

Weapons of Mass Delusion (ISBN 15896X)

I will point out that I cannot take seriously a company (Symbiot) that
depends on a shockwave plugin to put up a web page.

Pity that they came out so aggressively; it might have been an interesting
product. Hype can kill as well as sell.

--
It is by caffeine alone I set my mind in motion.
It is by the beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine only I set my mind in motion.





Re: Counter DoS

2004-03-11 Thread Eric Gauthier

> > Fortunately people with less clue usually have less bandwidth. 
>
> Don't be so sure that people with no clue don't have bandwidth, large 
> companies with enormous resources sometimes end up with really clueless 
> people at the top and similarly clueless network techs. 

Most Universities have a large clueless.. um, I mean, student population
sitting on 10 or 100 meg switched ports and several hundred meg's to the 
Internet

Eric :)


Re: Counter DoS

2004-03-11 Thread Laurence F. Sheldon, Jr.
Eric Gauthier wrote:


Most Universities have a large clueless.. um, I mean, student population
sitting on 10 or 100 meg switched ports and several hundred meg's to the 
Internet
You mis-spelled "faculty, researcher, and staff populations".
Today's students (as well as non-trivial portions of the
other populations) tend to be purpose and objective focused,
with what the folks on the 19th tee being somewhat less important.
--
Requiescas in pace o email



Re: Counter DoS

2004-03-11 Thread Rachael Treu

Mmm.  A firewall that lands you immediately in hot water with your
ISP and possibly in a courtroom, yourself.  Hot.

Legality aside...

I don't imagine it would be too hard to filter these retaliatory
packets, either.  I expect that this would be more wad-blowing
than cataclysm after the initial throes, made all the more ridiculous
by the nefarious realizing the new attack mechanism created by these 
absurd boxen.  A new point of failure and an amplifier rolled all
into one!  Joy!

More buffoonery contributed to the miasma.  Nice waste of time,
Symbiot.  Thanks for the pollution, and shame on the dubious ZDnet
for perpetuating this garbage.

ymmv,
--ra

-- 
rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..


On Wed, Mar 10, 2004 at 11:25:20PM -0800, Gregory Taylor said something to the effect 
of:
> 
> After reading that article, if this product really is capable of 
> 'counter striking DDoS attacks', my assumption is that it will fire 
> packets back at the nodes attacking it.  Doing such an attack would be 
> neither feasible nor legal.  You would only double the effect that the 
> initial attack caused to begin with, plus you would be attacking hacked 
> machines and not the culprit themselves, thus pouring gasoline all over 
> an already blazing inferno.
> 
> This product is a bad bad idea and anyone who invests money into it 
> should slap themselves very hard with a metal gauntlet for being so 
> gullible.
> 
> Greg
> 
> >>>In message <[EMAIL PROTECTED]>, "Joshua Brady" 
> >>>writes:
> >>>  
> >>>
> http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
> 
> Comments?
> 
> >>>
> 




Re: Counter DoS

2004-03-11 Thread Rachael Treu

Two words (well...one hyphenated-reference):

spoofed-source

bah,
--ra


-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

On Wed, Mar 10, 2004 at 11:50:56PM -0800, Gregory Taylor said something to the effect 
of:
> 
> Oh yes, lets not forget the fact that if enough sites have this 
> 'firewall' and one of them gets attacked by other sites using this 
> firewall it'll create a nuclear fission sized chain reaction of looping 
> Denial of Service Attacks that would probably bring most major backbone 
> providers to their knees.
> 
> (Popcorn's in the microwave as I speak)
> 
> Greg
> 
> Jay Hennigan wrote:
> 
> >On Wed, 10 Mar 2004, Gregory Taylor wrote:
> >
> > 
> >
> >>After reading that article, if this product really is capable of
> >>'counter striking DDoS attacks', my assumption is that it will fire
> >>packets back at the nodes attacking it.  Doing such an attack would be
> >>neither feasible nor legal.  You would only double the effect that the
> >>initial attack caused to begin with, plus you would be attacking hacked
> >>machines and not the culprit themselves, thus pouring gasoline all over
> >>an already blazing inferno.
> >>   
> >>
> >
> >On the other hand, they could become immensely popular, reaching the
> >critical mass when one of them detects what is interpreted as an attack
> >from a network protected by another.  Grab the popcorn and watch as they
> >all bludgeon each other to death.  :-)
> >
> > 
> >
> 




Re: Counter DoS

2004-03-11 Thread Rachael Treu

On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of:
> 
> On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <[EMAIL PROTECTED]>
> wrote:
..snip snip..
> > How the hell could a company put something like this out, and expect not to
> > get themselves sued to the moon and back when it fires a shot at an innocent
> > party?

Caution: 'innocent' is not the buzzword here.  Subscribers: check your
respective AUPs.  You will likely find explicit prohibition of any malicious
and generally unsolicited traffic generated by a node in your control, and I 
don't think that self-defense has an extenuation clause or special case 
appendix therein.

You attack an attacker, he, too, can pursue you legally.  There are not
provisions made for DoS-ing a DoS-er.  Vigilante nonsense is discouraged.
> 
..snip snip..
> Whats going to happen when they find a nice little exploit in these buggers
> (even if they have anti-spoof stuff in them) that allows the kids to take
> control of them or trick them into attacking innocents?  Instead of thousands
> of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these
> 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use
> the current trojans?

This won't even require an exploit to effect.

These boxes can likely be used to do the bidding of miscreants with some
simply-crafted packets and source spoofing.  This thing could become
something akin to a smurf amp with a big-time attitude problem.  Anti-spoof
rules will afford a modicum of reverse-path protection, but not enough
to swat away the majority of inbound crafted traffic.  This stupid PoS 
appliance would have to be installed and widely-deployed provider-side to 
discern on such a level.

This would become the stuff of yet-another-botnet.

> 
> No product is 100% secure (especially not something that runs under Windows,
> but that's another issue), so how are they going to deliver updates?  

This is the least of their concerns; update management is already done
effectively and easily by most IDS, anti-virii, and other signature-based
appliance manufacturers.  Snakeoil salesmen offer at the most basic a 
valid means of distributing updates, even.

> Or make sure that the thing is configured right?  

Now _that_ is a real problem.

Given that no one has beaten the creators with the illustrious clue 
stick and anyone who'd truly subscribe to this thing is likely mis-wired
him/herself, I would guess that poor configuration is an engineering
cornerstone on which this entire debacle desperately depends.

Flog the scoundrels.

ymmv,
--ra

-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

> I could see blacklists (BGP based)
> cropping up of these systems, so that you can filter these networks from ever
> being able to come near your network.
> 
> This is starting to sound more and more like a nuclear arms race - on one side
> we have company a, on the other company b.  Company A fears that B will attack
> it, so they get this super dooper nuclear strike system.  Company B follows
> suit and sets one up as well.  Both then increase their bandwidth, outdoing
> the other until finally, script kiddie comes along, and spoofs a packet from A
> to B, and B attacks A, and A responds with its own attack.  ISPs hosting the
> companies fall flat on their face from the attack, the backbone between the
> two ISPs gets lagged to death, and stuff starts grinding to a halt for others
> caught in the crossfire.
> 
> So, and who thinks that this is a good idea? :)
> -- 
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
> 
> The Abusive Hosts Blocking List
> http://www.ahbl.org





Re: Counter DoS

2004-03-11 Thread Gregory Taylor


Yes, let's allow the kiddies who already get away with as little work as 
they can in order to produce the most destruction they can, the ability 
to use these 'Security Systems' as a new tool for DoS attacks against 
their enemies.

Scenario:

Let's say my name is: l33th4x0r

I want to attack  joeblow.cable.com because joeblow666 was upset that I 
called his mother various inappropriate names.

I find IP for joeblow.cable.com to be 192.168.69.69

I find one of these 'security' systems, or multiple security systems, 
and I decide to forge a TCP attack from 192.168.69.69 to these 'security 
systems'.

These 'security systems' then, thinking joeblow is attacking their 
network, will launch a retaliatory attack against the offender, 
192.168.69.69 thus destroying his connectivity.

Kiddie 1   Joeblow 0The Internet as a whole 0

Greg

Rachael Treu wrote:

Mmm.  A firewall that lands you immediately in hot water with your
ISP and possibly in a courtroom, yourself.  Hot.
Legality aside...

I don't imagine it would be too hard to filter these retaliatory
packets, either.  I expect that this would be more wad-blowing
than cataclysm after the initial throes, made all the more ridiculous
by the nefarious realizing the new attack mechanism created by these 
absurd boxen.  A new point of failure and an amplifier rolled all
into one!  Joy!

More buffoonery contributed to the miasma.  Nice waste of time,
Symbiot.  Thanks for the pollution, and shame on the dubious ZDnet
for perpetuating this garbage.
ymmv,
--ra
 





RE: Counter DoS

2004-03-11 Thread Drew Weaver



-Original Message-
From: Gregory Taylor [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 11, 2004 3:55 PM
To: Rachael Treu
Cc: [EMAIL PROTECTED]
Subject: Re: Counter DoS



Yes, let's allow the kiddies who already get away with as little work as 
they can in order to produce the most destruction they can, the ability 
to use these 'Security Systems' as a new tool for DoS attacks against 
their enemies.

Scenario:

Let's say my name is: l33th4x0r

I want to attack  joeblow.cable.com because joeblow666 was upset that I 
called his mother various inappropriate names.

I find IP for joeblow.cable.com to be 192.168.69.69

I find one of these 'security' systems, or multiple security systems, 
and I decide to forge a TCP attack from 192.168.69.69 to these 'security 
systems'.

These 'security systems' then, thinking joeblow is attacking their 
network, will launch a retaliatory attack against the offender, 
192.168.69.69 thus destroying his connectivity.

Kiddie 1   Joeblow 0The Internet as a whole 0


Greg

---

Rant/   

Their solution isn't the best idea out there, but something
definitely needs to be done, and quickly. Network providers shouldn't have
to purchase 4x the amount of bandwidth that they need just in case someone
hijacks a bunch of cable modems and wants to party.

Perhaps their bad idea will lead to a better idea, it's happened
before with how many countless practices on the internet? You start with a
blurry idea, then someone else takes it and makes it work. I'm not saying
ddosing people back is the best idea, but something needs to happen, we
waste way too much time and money mitigating these attacks, when in reality
they can't be mitigated unless you continue to throw cash into the bandwidth
bucket.

These DSL and cable modem companies need to tighten things up so
that if their users are abusive (and I don't claim to know how exactly the
parameters of abuse should be measured) that their systems automatically
choke them. For example, I have a Cable modem /w rr at my home, they have my
upstream limited to next to nothing, how much damage could I possibly do? 

On the other hand I've seen attacks from some residential DSL
providers that have hit with over 500KB(bytes)ps from a single machine, if
you have maybe 20 of these hitting one of your interfaces, it's going to
cause latency, unless your upstream, or their downstream is doing something
to protect you, which they won't.

/Rant
-Drew
 


Re: Counter DoS

2004-03-11 Thread Deepak Jain


If you wanted to do that, wouldn't the firewall just need 
directed-broadcast left open or emulate similar behavior, or even 
turning ip unreachables back on?

Flooding pipes accidentally is easy enough. Now people are selling 
products to do it deliberately.

Yeesh.

I saw a license plate this week (Virginia -IWTFM) I thought that was clever.

Deepak

Gregory Taylor wrote:



Yes, let's allow the kiddies who already get away with as little work as 
they can in order to produce the most destruction they can, the ability 
to use these 'Security Systems' as a new tool for DoS attacks against 
their enemies.

Scenario:

Let's say my name is: l33th4x0r

I want to attack  joeblow.cable.com because joeblow666 was upset that I 
called his mother various inappropriate names.

I find IP for joeblow.cable.com to be 192.168.69.69

I find one of these 'security' systems, or multiple security systems, 
and I decide to forge a TCP attack from 192.168.69.69 to these 'security 
systems'.

These 'security systems' then, thinking joeblow is attacking their 
network, will launch a retaliatory attack against the offender, 
192.168.69.69 thus destroying his connectivity.

Kiddie 1   Joeblow 0The Internet as a whole 0

Greg

Rachael Treu wrote:

Mmm.  A firewall that lands you immediately in hot water with your
ISP and possibly in a courtroom, yourself.  Hot.
Legality aside...

I don't imagine it would be too hard to filter these retaliatory
packets, either.  I expect that this would be more wad-blowing
than cataclysm after the initial throes, made all the more ridiculous
by the nefarious realizing the new attack mechanism created by these 
absurd boxen.  A new point of failure and an amplifier rolled all
into one!  Joy!

More buffoonery contributed to the miasma.  Nice waste of time,
Symbiot.  Thanks for the pollution, and shame on the dubious ZDnet
for perpetuating this garbage.
ymmv,
--ra
 








Re: Counter DoS

2004-03-11 Thread Rachael Treu

On Thu, Mar 11, 2004 at 04:10:04PM -0500, Deepak Jain said something to the effect of:
> 
> If you wanted to do that, wouldn't the firewall just need 
> directed-broadcast left open or emulate similar behavior, or even 
> turning ip unreachables back on?

Exactly my point in using the word "amplifier" earlier.  No special config
or sploit-du-jour required.  The play-by-play below is even more complicated
than the process.
> 
> Flooding pipes accidentally is easy enough. Now people are selling 
> products to do it deliberately.

They'll be sorry.
> 
> Yeesh.
> 
> I saw a license plate this week (Virginia -IWTFM) I thought that was clever.

Nice.  :D
> 
-- 
k. rachael treu, CISSP   [EMAIL PROTECTED] 
..quis costodiet ipsos custodes?..

> Deepak
> 
> Gregory Taylor wrote:
> 
> >
> >
> >Yes, let's allow the kiddies who already get away with as little work as 
> >they can in order to produce the most destruction they can, the ability 
> >to use these 'Security Systems' as a new tool for DoS attacks against 
> >their enemies.
> >
> >Scenario:
> >
> >Let's say my name is: l33th4x0r
> >
> >I want to attack  joeblow.cable.com because joeblow666 was upset that I 
> >called his mother various inappropriate names.
> >
> >I find IP for joeblow.cable.com to be 192.168.69.69
> >
> >I find one of these 'security' systems, or multiple security systems, 
> >and I decide to forge a TCP attack from 192.168.69.69 to these 'security 
> >systems'.
> >
> >These 'security systems' then, thinking joeblow is attacking their 
> >network, will launch a retaliatory attack against the offender, 
> >192.168.69.69 thus destroying his connectivity.
> >
> >Kiddie 1   Joeblow 0The Internet as a whole 0
> >
> >
> >Greg
> >
> >Rachael Treu wrote:
> >
> >>Mmm.  A firewall that lands you immediately in hot water with your
> >>ISP and possibly in a courtroom, yourself.  Hot.
> >>
> >>Legality aside...
> >>
> >>I don't imagine it would be too hard to filter these retaliatory
> >>packets, either.  I expect that this would be more wad-blowing
> >>than cataclysm after the initial throes, made all the more ridiculous
> >>by the nefarious realizing the new attack mechanism created by these 
> >>absurd boxen.  A new point of failure and an amplifier rolled all
> >>into one!  Joy!
> >>
> >>More buffoonery contributed to the miasma.  Nice waste of time,
> >>Symbiot.  Thanks for the pollution, and shame on the dubious ZDnet
> >>for perpetuating this garbage.
> >>
> >>ymmv,
> >>--ra
> >>
> >> 
> >>
> >
> >
> >
> >




Re: Counter DoS

2004-03-11 Thread Gregory Taylor
Drew,

   While I believe something should be done, the fact is that two 
wrongs do not make a right.  If I hit you, is it ok for you to hit me 
right back?  This kind of retaliation takes the internet community into 
a grade school playground fight.  What needs to be done, although easier 
said than done, is the following.

Companies producing software with serious security issues need to 
address those issues a lot faster and more efficiently.
(i.e. Microsoft shouldn't push their OS's out the door until their code 
is audited and tested thoroughly.)  If medicine had the same practices 
as a lot of these software companies, there'd be a whole bunch of dead 
people out there.

The Federal agencies who deal with computer crimes need to step up and 
start putting people behind bars, for a loong time.  Kiddies get away 
with DDoS attacks because they know they can.  If even half of the 
kiddies were to get thrown into prison for their acts, it'd definitely 
deter the other half.  Maybe that won't stop the problem, but it would 
definitely reduce it overall.

Networks that allow random host spoofing (or bogon headers) need to 
program their routers and border routers to filter or re-set the headers 
of TCP traffic outgoing and incoming to the correct source.  This way a 
DDoS kiddie can only spoof at most, the subnet, thus leaving his DDoS 
net open to investigation and tracing.

Networks that knowingly house and harbor DDoS kiddies should take a 
pro-active role in turning them in, or kicking them off their networks. 
Just because they aren't launching attacks from your network doesn't 
mean they aren't coordinating the attacks from it.

Those networks that house DDoS networks need to maintain closer 
surveillance of their systems and customers and shut down any systems or 
networks hosting known DDoS nets.

Denial of Service is probably never going to go away, but while DDoS 
attacks are so easy to commit, the problem is only going to get worse 
until appropriate steps are taken to reduce the problem overall.

Greg

Drew Weaver wrote:

-Original Message-
From: Gregory Taylor [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 11, 2004 3:55 PM
To: Rachael Treu
Cc: [EMAIL PROTECTED]
Subject: Re: Counter DoS



Yes, let's allow the kiddies who already get away with as little work as 
they can in order to produce the most destruction they can, the ability 
to use these 'Security Systems' as a new tool for DoS attacks against 
their enemies.

Scenario:

Let's say my name is: l33th4x0r

I want to attack  joeblow.cable.com because joeblow666 was upset that I 
called his mother various inappropriate names.

I find IP for joeblow.cable.com to be 192.168.69.69

I find one of these 'security' systems, or multiple security systems, 
and I decide to forge a TCP attack from 192.168.69.69 to these 'security 
systems'.

These 'security systems' then, thinking joeblow is attacking their 
network, will launch a retaliatory attack against the offender, 
192.168.69.69 thus destroying his connectivity.

Kiddie 1   Joeblow 0The Internet as a whole 0

Greg

---

	Rant/	

Their solution isn't the best idea out there, but something
definitely needs to be done, and quickly. Network providers shouldn't have
to purchase 4x the amount of bandwidth that they need just in case someone
hijacks a bunch of cable modems and wants to party.

Perhaps their bad idea will lead to a better idea, it's happened
before with how many countless practices on the internet? You start with a
blurry idea, then someone else takes it and makes it work. I'm not saying
ddosing people back is the best idea, but something needs to happen, we
waste way too much time and money mitigating these attacks, when in reality
they can't be mitigated unless you continue to throw cash into the bandwidth
bucket.
	These DSL and cable modem companies need to tighten things up so
that if their users are abusive (and I don't claim to know how exactly the
parameters of abuse should be measured) that their systems automatically
choke them. For example, I have a Cable modem /w rr at my home, they have my
upstream limited to next to nothing, how much damage could I possibly do? 

On the other hand I've seen attacks from some residential DSL
providers that have hit with over 500KB(bytes)ps from a single machine, if
you have maybe 20 of these hitting one of your interfaces, it's going to
cause latency, unless your upstream, or their downstream is doing something
to protect you, which they won't.
/Rant
-Drew


 




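A small model of the two filtering points argued over in this thread (Rachael Treu's observation that the appliance's own anti-spoof rules give only "a modicum of reverse-path protection" unless filtering is done provider-side, and Greg's call for border routers to filter spoofed sources), added here as an illustration and not code from anyone on the list. The topology, the port names, the "appliance" and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_port: str   # port the packet arrived on at the device under test


def provider_ingress_filter(pkt, port_prefixes):
    """BCP 38 / strict uRPF at the access edge: accept a packet only if its
    source address lies within a prefix assigned to the port it arrived on."""
    return any(ip_address(pkt.src) in ip_network(p)
               for p in port_prefixes.get(pkt.ingress_port, ()))


def appliance_antispoof(pkt, own_prefix):
    """Customer-edge anti-spoof rule: drop packets arriving from outside that
    claim a source inside the protected prefix. It cannot judge whether an
    external source address is genuine, which is the gap the thread points at."""
    return not (pkt.ingress_port == "outside"
                and ip_address(pkt.src) in ip_network(own_prefix))


def retaliation_targets(pkts, own_prefix, threshold):
    """Naive counter-strike policy: tally inbound packets per source address and
    'strike back' at any source at or above the threshold. The address chosen
    is whatever the sender wrote into the header."""
    counts = {}
    for p in pkts:
        if appliance_antispoof(p, own_prefix):
            counts[p.src] = counts.get(p.src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed topology (hypothetical names, RFC 5737 documentation addresses):
ACCESS_PORTS = {"cust-A": ["198.51.100.0/24"]}   # port the burst really comes from
APPLIANCE_PREFIX = "192.0.2.0/24"                 # site behind the retaliating box
APPLIANCE_IP = "192.0.2.10"
THIRD_PARTY = "203.0.113.7"                       # uninvolved address written as source


def forged_burst(n):
    """Constructed sample input: n packets leaving cust-A with a forged source."""
    return [Packet(THIRD_PARTY, APPLIANCE_IP, "cust-A") for _ in range(n)]


def who_gets_struck(provider_filters, n=50, threshold=10):
    """Pass the burst through the access edge (filtering or not), then into the
    appliance's outside interface; return the addresses it would strike."""
    burst = forged_burst(n)
    if provider_filters:
        burst = [p for p in burst if provider_ingress_filter(p, ACCESS_PORTS)]
    arrived = [Packet(p.src, p.dst, "outside") for p in burst]
    return retaliation_targets(arrived, APPLIANCE_PREFIX, threshold)


def feedback_rounds(max_rounds=5, threshold=10):
    """Two sites, A and B, both running the appliance. One forged burst makes A
    strike B; B sees genuine (unspoofed) traffic from A and strikes back; and so
    on. Returns how many rounds the loop runs before max_rounds stops it."""
    a_prefix, b_prefix = "192.0.2.0/24", "203.0.113.0/24"
    a_ip, b_ip = "192.0.2.10", "203.0.113.10"
    inbound_a = [Packet(b_ip, a_ip, "outside")] * threshold   # forged trigger
    inbound_b = []
    rounds = 0
    for _ in range(max_rounds):
        a_strikes = retaliation_targets(inbound_a, a_prefix, threshold)
        b_strikes = retaliation_targets(inbound_b, b_prefix, threshold)
        if not a_strikes and not b_strikes:
            break
        rounds += 1
        # Retaliation traffic carries a real source, so the other side's
        # anti-spoof rule passes it and its counter sees a new "attack".
        inbound_b = [Packet(a_ip, t, "outside") for t in a_strikes] * threshold
        inbound_a = [Packet(b_ip, t, "outside") for t in b_strikes] * threshold
    return rounds


if __name__ == "__main__":
    print("no provider filtering, appliance strikes:", who_gets_struck(False))
    print("with BCP 38 at the access edge, strikes:", who_gets_struck(True))
    print("rounds of mutual retaliation in 5:", feedback_rounds(5))
```

Without filtering at the access edge the box strikes the uninvolved third party, with it the forged packets never leave the originating port, and two such boxes facing each other keep retaliating until something outside the loop stops them.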

Re: Counter DoS

2004-03-11 Thread Petri Helenius
Deepak Jain wrote:



If you wanted to do that, wouldn't the firewall just need 
directed-broadcast left open or emulate similar behavior, or even 
turning ip unreachables back on?

Flooding pipes accidentally is easy enough. Now people are selling 
products to do it deliberately.

Maybe there is a lesson to be learned from many RBL operators. To make 
sure, just send packets to the whole /24 or /16 you got an "attack" 
packet from.

Pete




Re: Counter DoS

2004-03-11 Thread Laurence F. Sheldon, Jr.
Petri Helenius wrote:

Maybe there is a lesson to be learned from many RBL operators. To make 
sure, just send packets to the whole /24 or /16 you got an "attack" 
packet from.
Which RBL operators flood /24's or /16's?  What do they flood them
with?
--
Requiescas in pace o email



Re: Counter DoS

2004-03-11 Thread william(at)elan.net

On Thu, 11 Mar 2004, Laurence F. Sheldon, Jr. wrote:
> Petri Helenius wrote:
> 
> > Maybe there is a lesson to be learned from many RBL operators. To make 
> > sure, just send packets to the whole /24 or /16 you got an "attack" 
> > packet from.
> 
> Which RBL operators flood /24's or /16's?  What do they flood them
> with?

I think he meant that RBLs sometimes include entire /24 in RBL list when 
only one or two IPs are at fault and some would go even higher to include 
entire ISP allocation. This is probably talking about SPEWS and similar RBLs.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: Counter DoS

2004-03-11 Thread Laurence F. Sheldon, Jr.
william(at)elan.net wrote:

On Thu, 11 Mar 2004, Laurence F. Sheldon, Jr. wrote:

Petri Helenius wrote:


Maybe there is a lesson to be learned from many RBL operators. To make 
sure, just send packets to the whole /24 or /16 you got an "attack" 
packet from.
Which RBL operators flood /24's or /16's?  What do they flood them
with?


I think he meant that RBLs sometimes include entire /24 in RBL list when 
only one or two IPs are at fault and some would go even higher to include 
entire ISP allocation. This is probably talking about SPEWS and similar RBLs.
I thought "RBL" was a trademark of Abovenet or MAPS or somebody.

--
Requiescas in pace o email



Re: Counter DoS

2004-03-11 Thread Brian Bruns

On Thursday, March 11, 2004 6:16 PM [EST], william(at)elan.net
<[EMAIL PROTECTED]> wrote:

>>
>> Which RBL operators flood /24's or /16's?  What do they flood them
>> with?
>
> I think he meant that RBLs sometimes include entire /24 in RBL list when
> only one or two IPs are at fault and some would go even higher to include
> entire ISP allocation. This is probably talking about SPEWS and similar RBLs.

That usually only happens when providers ignore abuse reports and don't do
something about their abusive customers.  That's how we do it at the AHBL - you
ignore abuse reports for long enough and pretend like the problem doesn't
exist, you get a /24 listed.  You move the spammer to another block, inside
your network, and it grows to encompass the new block as well as the old one.
And it keeps going from there.


That's how the rima-tde blocks that are in the AHBL got started - single /32s,
then as the spam and 419 scams came in faster, it expanded to /24s, and
finally after 2 dozen or so /24s blocked, I started going for /20s and larger.
Now I've got two /13s, and a /16 of theirs blocked until Telefonica decides to
contact us and discuss the situation with the abuse coming from their network.

When providers don't act on abuse, you have to put the pressure on.  Sometimes,
that means forcing their legit customers to start to complain and throw a fit
with their provider over the blocks.

Yes, it's ugly and unfair, but that's the only way to get them to act.


-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The Abusive Hosts Blocking List
http://www.ahbl.org



RE: Counter DoS

2004-03-11 Thread Priscilla Oppenheimer
One aspect of the problem with DoS attacks and warlike responses to these 
attacks is that the younger generation is getting their computer science 
training via gaming and hacking. Many high schools in the U.S. are so 
financially strapped that they can't afford to teach programming, 
networking, etc., and if they can, the teachers are often also the shop 
teacher or the journalism teacher who happened to "be good with computers" 
but is actually rather clueless about real computer science issues and the 
computer industry. Tekkie high school students aren't being challenged. 
They are learning their computing skills without mentors. We can help with 
that aspect of the problem.

Get involved with your local high schools. Sponsor user groups at the high 
school. Offer to teach some mini courses.

The teenage crowd needs our help learning best practices and ethics.

The hacking problem is multi-faceted, of course, and this is just one facet 
of a partial solution, but still, do consider it. Thanks for listening. :-)

Priscilla Oppenheimer

At 04:48 PM 3/11/04, Pendergrass, Greg wrote:

By "The Art of War on the Internet" I didn't mean information warfare,
that's been with us as long as there's been information and the internet is
certainly going to be a major part of that. What I am against is anyone
trying to popularize the idea of the internet as a battleground where one
uses force and deception to "gain ground". It's just another case of people
wrongly attempting to fit something that they don't understand into a
framework that they do understand, thereby creating a fallacy. Trying to
base a product off of a flawed idea is bound to fail but also likely be a
major irritation before it does.
GP

-Original Message-
From: Etaoin Shrdlu [mailto:[EMAIL PROTECTED]
Sent: 11 March 2004 14:58
To: Nanog
Subject: Re: Counter DoS


"Pendergrass, Greg" wrote:
>
> I can see now that it's only a matter of time before some nut writes "The
> Art of War in the Internet". I read the whitepaper, it goes on a lot about
> how defensive policies are ineffective but doesn't really say why active
> response has never been tried:
Ask, and ye shall receive.

http://btobsearch.barnesandnoble.com/textbooks/booksearch/isbnInquiry.asp?userid=2XH986JPUE&btob=Y&isbn=1581128576&TXT=Y&itm=1
I thought that someone mentioned that Mr. Forno was reputed to be on staff
with these folk.
> Their proposition is a terrible idea and their "rules of engagement" would
> be funny instead of frightening if it wasn't serious
I note that he also has a title from last year, which seems applicable
here:
Weapons of Mass Delusion (ISBN 15896X)

I will point out that I cannot take seriously a company (Symbiot) that
depends on a shockwave plugin to put up a web page.
Pity that they came out so aggressively; it might have been an interesting
product. Hype can kill as well as sell.
--
It is by caffeine alone I set my mind in motion.
It is by the beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine only I set my mind in motion.


___

Priscilla Oppenheimer
www.priscilla.com
When your Daemon is in charge, do not try to think consciously. Drift, 
wait, and obey. -- Kipling.



Re: Counter DoS

2004-03-11 Thread Eric Kuhnke

> Get involved with your local high schools. Sponsor user groups at the 
> high school. Offer to teach some mini courses.
> 
> The teenage crowd needs our help learning best practices and ethics.
> 
> The hacking problem is multi-faceted, of course, and this is just one 
> facet of a partial solution, but still, do consider it. Thanks for 
> listening. :-)
> 
> Priscilla Oppenheimer

Is this a new way to recruit low-cost entry level employees, for cheap 
remote hands service?  Everybody needs a high school student in their 
cage at $9/hour...   :-)




Re: Counter DoS

2004-03-11 Thread E.B. Dreger

VA> Date: Thu, 11 Mar 2004 08:12:04 -0500
VA> From: Vinny Abello


VA> Plus imagine an attack originates behind one of these devices
VA> for some reason attacking another device. It'll just create a
VA> massive loop. :) That would be interesting.

I wonder if it pays attention to the "evil bit"? ;)


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Counter DoS

2004-03-12 Thread Stephen J. Wilcox

> Fortunately people with less clue usually have less bandwidth. Obviously 
> there are exceptions. I would expect to see localized tragedies if 
> something like this would get deployed but predicting death of the 
> internet is clueless.

Hmm, that's little comfort if you're sharing your cable modem PVC with one of these 
bozos who goes and maxes out your shared 512k.

See, that's the thing with DoS attacks: they cause problems for everyone, not just
the target, from the users sharing with the source host(s) right through the ISPs
carrying the traffic wondering why their usually quiet FE port just went 100% or
why their Cisco7200 has 100% CPU and dropped all its BGP, and on to the users
sharing with the destination who now don't have any bandwidth available.

Steve



Re: Counter DoS

2004-03-12 Thread Joel Jaeggli

On Thu, 11 Mar 2004, Petri Helenius wrote:

> 
> Gregory Taylor wrote:
> 
> >
> > Oh yes, lets not forget the fact that if enough sites have this 
> > 'firewall' and one of them gets attacked by other sites using this 
> > firewall it'll create a nuclear fission sized chain reaction of 
> > looping Denial of Service Attacks that would probably bring most major 
> > backbone providers to their knees.
> >
> Fortunately people with less clue usually have less bandwidth.

When pricing structures and deployment of broadband in the US approaches 
that of Korea and Japan, I think you'll find that that isn't the case in 
the US anymore.

> Obviously 
> there are exceptions. I would expect to see localized tragedies if 
> something like this would get deployed but predicting death of the 
> internet is clueless.
> 
> Pete
> 

-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




Re: Counter DoS

2004-03-13 Thread Sam Stickland

Joel Jaeggli wrote:
> On Thu, 11 Mar 2004, Petri Helenius wrote:
>
>>
>> Gregory Taylor wrote:
>>
>>>
>>> Oh yes, lets not forget the fact that if enough sites have this
>>> 'firewall' and one of them gets attacked by other sites using this
>>> firewall it'll create a nuclear fission sized chain reaction of
>>> looping Denial of Service Attacks that would probably bring most
>>> major backbone providers to their knees.
>>>
>> Fortunately people with less clue usually have less bandwidth.
>
> When pricing structures and deployment of broadband in the US
> approaches that of Korea and Japan, I think you'll find that that
> isn't the case in the US anymore.

Out of interest, do people see much in the way of DDOS attacks from
Japan? All that bandwidth and quite a sizable population (130 million) - but
maybe the latency to US and European targets constrains it?

Sam



Re: Counter DoS

2004-03-13 Thread Petri Helenius
Sam Stickland wrote:

> Out of interest, do people see much in the way of DDOS attacks from
> Japan? All that bandwidth and quite a sizable population (130 million) - but
> maybe the latency to US and European targets constrains it?

Most attacks are unidirectional so the latency does not matter.

Pete



Re: Counter DoS

2004-03-14 Thread Petri Helenius
Joel Jaeggli wrote:

> When pricing structures and deployment of broadband in the US approaches 
> that of Korea and Japan, I think you'll find that that isn't the case in 
> the US anymore.

If you have two items, travelling at different speeds and the one ahead 
goes faster, they never approach each other but the distance grows. Both 
go forward though.

So I fail to see the problem. Most US broadband or semi-broadband users 
are on infrastructure which cannot be reasonably upgraded to the 
bandwidth offered in South Korea without forklift upgrades and digging 
up the streets. With the amount of clue present, it's unlikely that the 
upstream bandwidth in US or most of Europe will grow substantially over 
the next five years.

Pete



Re: Counter DoS

2004-03-14 Thread Stephen J. Wilcox

On Sun, 14 Mar 2004, Petri Helenius wrote:

> With the amount of clue present, it's unlikely that the upstream bandwidth in
> US or most of Europe will grow substantially over the next five years.

Heh, that's the kind of quote that comes back to haunt you 5 years down the line 
:)

Steve



Re: Counter DoS

2004-03-15 Thread Rachael Treu

Leaving directed-bcast open would accomplish this on these devices, as well 
as many others.  A bigger problem here is that these irresponsible network
polyps would offer an icmp-independent amplifier.  They essentially open 
smurf amplification to any other protocol.  Whereas a network might clobber 
icmp at its border(s), a tcp or udp attack on a "friendly" port would
elicit the same effect as the ping-of-death of old, and be permitted
traversal of the traditional front lines of defense.

Contributing to firewalking and general network recon, the bane of icmp is
in its inherent behavior.  It is designed to remit success and failure
messages disclosing path and node details.  This is its sole function, and
is therefore non-negotiable and suspect and frequently dropped or monitored
by edge devices.  tcp and udp, on the other hand, are now being twisted to 
behave the same way when encountered by these stupid vigilante firewalls: 
send a (malicious) stream of data, invoke an equal and opposite stream of 
(malicious) data.  The creepy innovators of this nonsense appliance just
used the application layer to defile the fundamental nature of 
ubiquitous protocols.  Think about how we generally react when it appears
that M$ has done that.

Just give the whole bloody Internet a big red button, and train users' 
crosshairs on the first thing that moves.  I'll cheerlead outside the 
court proceedings when this obnoxious vendor sees its first lawsuit or
dissolution hearing.  

No carrier would allow this on its network, anyway.

--ra



On Thu, Mar 11, 2004 at 04:10:04PM -0500, Deepak Jain said something to the effect of:
> 
> 
> If you wanted to do that, wouldn't the firewall just need 
> directed-broadcast left open or emulate similar behavior, or even 
> turning ip unreachables back on?
> 
> Flooding pipes accidentally is easy enough. Now people are selling 
> products to do it deliberately.
> 
> Yeesh.
> 
> I saw a license plate this week (Virginia -IWTFM) I thought that was clever.
> 
> Deepak
> 
> Gregory Taylor wrote:
> 
> >
> >
> >Yes, let's allow the kiddies who already get away with as little work as 
> >they can in order to produce the most destruction they can, the ability 
> >to use these 'Security Systems' as a new tool for DoS attacks against 
> >their enemies.
> >
> >Scenario:
> >
> >Let's say my name is: l33th4x0r
> >
> >I want to attack  joeblow.cable.com because joeblow666 was upset that I 
> >called his mother various inappropriate names.
> >
> >I find IP for joeblow.cable.com to be 192.168.69.69
> >
> >I find one of these 'security' systems, or multiple security systems, 
> >and i decide to forge a TCP attack from 192.168.69.69 to these 'security 
> >systems'.
> >
> >These 'security systems' then, thinking joeblow is attacking their 
> >network, will launch a retaliatory attack against the offender, 
> >192.168.69.69 thus destroying his connectivity.
> >
> >Kiddie 1   Joeblow 0   The Internet as a whole 0
> >
> >
> >Greg
> >
> >Rachael Treu wrote:
> >
> >>Mmm.  A firewall that lands you immediately in hot water with your
> >>ISP and possibly in a courtroom, yourself.  Hot.
> >>
> >>Legality aside...
> >>
> >>I don't imagine it would be too hard to filter these retaliatory
> >>packets, either.  I expect that this would be more wad-blowing
> >>than cataclysm after the initial throes, made all the more ridiculous
> >>by the nefarious realizing the new attack mechanism created by these 
> >>absurd boxen.  A new point of failure and an amplifier rolled all
> >>into one!  Joy!
> >>
> >>More buffoonery contributed to the miasma.  Nice waste of time,
> >>Symbiot.  Thanks for the pollution, and shame on the dubious ZDnet
> >>for perpetuating this garbage.
> >>
> >>ymmv,
> >>--ra
> >>

-- 
rachael treu   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..
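
A small model of the amplifier and loop behaviour described in this message and in the quoted scenario, added here as an illustration (it is not code from Symbiot or from any poster). It assumes a toy network in which a "retaliate" host answers every packet with one packet back at the header source, and shows two things: a forged source address turns such a device into a reflector aimed at the victim, and two such devices facing each other never stop. The host names, policies and packet counts are constructed; "BCP38" stands for ingress filtering at the emitter's edge, the standard mitigation for the spoofed trigger.

```python
"""Model of a 'retaliate at the source address' device as an amplifier.

Added illustration for the discussion above; not code from any poster or
vendor. Host names, policies and packet counts are constructed for the model.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source address as written in the header (may be spoofed)
    dst: str
    true_origin: str  # host that really emitted it; known to the model, not to the network


class Network:
    """Toy network: every host has a policy, 'passive' (just receives) or
    'retaliate' (answers each packet with one packet back at the header source)."""

    def __init__(self, bcp38=False):
        # BCP38-style ingress filtering: an edge drops any packet whose header
        # source is not the address of the host that emitted it.
        self.bcp38 = bcp38
        self.policy = {}
        self.received = defaultdict(int)   # packets delivered, per destination
        self.dropped_at_ingress = 0

    def add_host(self, addr, policy="passive"):
        self.policy[addr] = policy

    def run(self, initial, max_steps=1000):
        """Deliver packets until the network is quiet or max_steps is hit.
        Returns the number of steps used; reaching max_steps means a loop."""
        queue = deque(initial)
        steps = 0
        while queue and steps < max_steps:
            pkt = queue.popleft()
            steps += 1
            if self.bcp38 and pkt.src != pkt.true_origin:
                self.dropped_at_ingress += 1
                continue
            self.received[pkt.dst] += 1
            if self.policy.get(pkt.dst) == "retaliate":
                # The device trusts the header source and fires back at it.
                queue.append(Packet(src=pkt.dst, dst=pkt.src, true_origin=pkt.dst))
        return steps


def spoofed_reflection(bcp38=False, n=10):
    """The quoted scenario: a third party forges the victim's address on
    traffic sent to the retaliating device, so the device hits the victim."""
    net = Network(bcp38=bcp38)
    net.add_host("victim")
    net.add_host("vigilante", "retaliate")
    net.add_host("spoofer")
    flood = [Packet(src="victim", dst="vigilante", true_origin="spoofer") for _ in range(n)]
    net.run(flood)
    return dict(net.received), net.dropped_at_ingress


def mutual_loop(bcp38=False, max_steps=1000):
    """Two retaliating devices pointed at each other keep exchanging
    'counter-strikes' until something else gives."""
    net = Network(bcp38=bcp38)
    net.add_host("a", "retaliate")
    net.add_host("b", "retaliate")
    net.add_host("spoofer")
    steps = net.run([Packet(src="a", dst="b", true_origin="spoofer")], max_steps=max_steps)
    return steps, dict(net.received)


if __name__ == "__main__":
    print("reflection, no ingress filtering:", spoofed_reflection())
    print("reflection, with ingress filtering:", spoofed_reflection(bcp38=True))
    print("two devices, no filtering:", mutual_loop())
    print("two devices, filtered trigger:", mutual_loop(bcp38=True))
```

Note what the filtering does and does not fix: it drops the spoofed trigger, so the victim in the first scenario receives nothing and the loop in the second never starts. Once the two devices are exchanging packets, each one is sending from its own real address, so ingress filtering has nothing to drop; any non-spoofed trigger (an actually abusive host behind device "a") starts the same loop. The only real fix is not to build a device that answers traffic with traffic.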



New Solution: (was: Re: Counter DoS)

2004-03-11 Thread Deepak Jain


Here is a solution I would like to propose -- it is not as 
set-and-forget as network operators like, but we do know that some of 
our customers have a lot of expertise with this stuff, and taking 
advantage of that value helps. This is along the categories of 
collateral damage, scorched earth and generally punitive action for 
DDOS-compromised hosts. Because not everyone will read every line, I am 
going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT 
AWAY FROM THEM. This will backfire if it's used for Spam blackholes; 
it will really only have an effect in the narrower DDOS space.

Along with the idea of blackhole communities. I do NOT recommend it be 
turned on across-the-board for every customer, and once it has reached 
penetration, say 20-30% of the internet backbones use this feature -- it 
should be phased back and only be an ICB item. (called Planned Obl.)

Just like the blackhole community routes, certain /32's (only, nothing 
shorter) can be exported from the customer to the backbone to be 
blackholed at the edges. The twist is that instead of limiting the 
customer announcement to the customer's IPs, you force only /32s to be 
announced for the blackhole prefixes and limit the total number of 
prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).

So say, joe-customer has identified his top 50 DDOS sources, he 
announces them to you, voila, DDOS gone. (even for spoofed traffic, 
depending on how your filters are set up) Obviously these would be 
no-export routes so no peer need be worried.

The theory - It creates an actual, measured response to customer 
machines being vulnerable. It makes parts ( ideally large parts ) of the 
internet unavailable to those with vulnerable computers.

The bad side - People could black hole important sites, until the 
ALL-CAPS rule is applied.

The somewhat less bad, bad side - Most of these /32s wouldn't be removed 
until cable provider called the blackholing provider.

The reality is that these filters are probably created today by backbone 
security folks, so the question is how fast you want the 
injections/rejections.

IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.

Comments?

Deepak
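
An import policy for this proposal, written out as an added example; it is not the poster's code and not any router vendor's configuration syntax, just the acceptance rules stated above modelled in Python so the two bounds on the blast radius (host routes only, and a hard per-customer count) can be exercised. The blackhole community value, the discard next-hop, the default limit and the sample announcements are constructed assumptions. Accepted entries record which customer injected each /32, which is what you need when the other provider calls to get one removed.

```python
"""Import policy for customer-triggered /32 blackhole announcements.

Added example modelling the proposal above; it is not the poster's code and
not any router vendor's configuration syntax. The community values, discard
next-hop, per-customer limit and sample announcements are constructed.
"""
import ipaddress
from dataclasses import dataclass

BLACKHOLE_COMMUNITY = "65000:666"   # assumed tag customers put on routes they want blackholed
NO_EXPORT = "no-export"            # well-known community: the /32s never leave the backbone
DISCARD_NEXT_HOP = "192.0.2.1"     # assumed address that every edge router sends to a discard interface
DEFAULT_LIMIT = 100                # "Say 100 (or 10, or 1000 ...)"


@dataclass(frozen=True)
class Announcement:
    prefix: str
    communities: frozenset


def evaluate_blackhole_feed(customer, announcements, limit=DEFAULT_LIMIT):
    """Apply the policy to one customer's announcements.

    Returns (accepted, rejected): accepted entries carry the attributes the
    backbone installs (discard next-hop, no-export, the announcing customer
    for later attribution); rejected entries are (prefix, reason) pairs.
    """
    accepted, rejected = [], []
    for ann in announcements:
        try:
            net = ipaddress.ip_network(ann.prefix, strict=True)
        except ValueError:
            rejected.append((ann.prefix, "invalid prefix"))
            continue
        if BLACKHOLE_COMMUNITY not in ann.communities:
            rejected.append((ann.prefix, "missing blackhole community"))
            continue
        # "/32's (only, nothing shorter)": no aggregate may be blackholed,
        # which bounds the damage one mistaken or abusive announcement can do.
        if net.version != 4 or net.prefixlen != 32:
            rejected.append((ann.prefix, "only IPv4 /32 host routes are accepted"))
            continue
        # Hard cap per customer, the other bound on the blast radius.
        if len(accepted) >= limit:
            rejected.append((ann.prefix, f"per-customer limit of {limit} reached"))
            continue
        accepted.append({
            "prefix": str(net),
            "next_hop": DISCARD_NEXT_HOP,
            "communities": frozenset(ann.communities) | {NO_EXPORT},
            "customer": customer,
        })
    return accepted, rejected


def who_blackholed(accepted, address):
    """Answer the call from the other provider: which customer injected this /32?"""
    for entry in accepted:
        if entry["prefix"] == f"{address}/32":
            return entry["customer"]
    return None


# Constructed sample feed from one customer session (documentation ranges only).
BH = frozenset({BLACKHOLE_COMMUNITY})
SAMPLE_FEED = [
    Announcement("198.51.100.7/32", BH),
    Announcement("203.0.113.0/24", BH),              # too short: would blackhole a whole /24
    Announcement("198.51.100.9/32", frozenset()),    # no community: a normal route, not a blackhole
    Announcement("2001:db8::1/128", BH),             # not an IPv4 /32 under this policy
    Announcement("198.51.100.10/32", BH),            # fine in itself, but over a limit of 1
]

if __name__ == "__main__":
    acc, rej = evaluate_blackhole_feed("cust-a", SAMPLE_FEED, limit=1)
    for e in acc:
        print("install", e["prefix"], "->", e["next_hop"], sorted(e["communities"]))
    for prefix, reason in rej:
        print("reject ", prefix, ":", reason)
    print("who blackholed 198.51.100.7?", who_blackholed(acc, "198.51.100.7"))
```

The rules are evaluated in the order a router would apply them: parse, require the community, require a host route, then count against the limit. Raising the limit is the trust knob the proposal leaves to the operator; the accepted list doubles as the audit trail for the "take it away from them" rule, since every installed /32 is tied to the session that announced it.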



Re: New Solution: (was: Re: Counter DoS)

2004-03-11 Thread Barney Wolff

On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> 
> Just like the blackhole community routes, certain /32's (only, nothing 
> shorter) can be exported from the customer to the backbone to be 
> blackholed at the edges. The twist is that instead of limiting the 
> customer announcement to the customer's IPs, you force only /32s to be 
> announced for the blackhole prefixes and limit the total number of 
> prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).
> 
> So say, joe-customer has identified his top 50 DDOS sources, he 
> announces them to you, voila, DDOS gone. (even for spoofed traffic, 
> depending on how your filters are set up) Obviously these would be 
> no-export routes so no peer need be worried.

1. Why is BGP the right tool for this?

2. Is your idea to block only packets destined for the customer making
the request, or to 0/0?

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.


Re: New Solution: (was: Re: Counter DoS)

2004-03-11 Thread James

the thing is though, by allowing any /32's... what prevents
/all/ customers from abusing it by curiosity of what would
happen? :)

the fact that you are allowing any /32's (up to 100 or whatever
max prefix lim. you set) is like giving a can of worms to your
customers. i don't think it's even worth the effort to bother when
you have more than a couple of customers abusing it

security for one, SLA for the other, thirdly i just don't trust
customers injecting routes into my backbone w/o telling us.

i don't think bgp or a routing protocol is the right way to solve
infected-machines participating in ddos nets.

-J

On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
> 
> 
> Here is a solution I would like to propose -- it is not as 
> set-and-forget as network operators like, but we do know that some of 
> our customers have a lot of expertise with this stuff, and taking 
> advantage of that value helps. This is along the categories of 
> collateral damage, scorched earth and generally punitive action for 
> DDOS-compromised hosts. Because not everyone will read every line, I am 
> going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT 
> AWAY FROM THEM. This will backfire if it's used for Spam blackholes; 
> it will really only have an effect in the narrower DDOS space.
> 
> Along with the idea of blackhole communities. I do NOT recommend it be 
> turned on across-the-board for every customer, and once it has reached 
> penetration, say 20-30% of the internet backbones use this feature -- it 
> should be phased back and only be an ICB item. (called Planned Obl.)
> 
> Just like the blackhole community routes, certain /32's (only, nothing 
> shorter) can be exported from the customer to the backbone to be 
> blackholed at the edges. The twist is that instead of limiting the 
> customer announcement to the customer's IPs, you force only /32s to be 
> announced for the blackhole prefixes and limit the total number of 
> prefixes. Say 100 (or 10, or 1000, depending on how much trust you have).
> 
> So say, joe-customer has identified his top 50 DDOS sources, he 
> announces them to you, voila, DDOS gone. (even for spoofed traffic, 
> depending on how your filters are set up) Obviously these would be 
> no-export routes so no peer need be worried.
> 
> The theory - It creates an actual, measured response to customer 
> machines being vulnerable. It makes parts ( ideally large parts ) of the 
> internet unavailable to those with vulnerable computers.
> 
> The bad side - People could black hole important sites, until the 
> ALL-CAPS rule is applied.
> 
> The somewhat less bad, bad side - Most of these /32s wouldn't be removed 
> until cable provider called the blackholing provider.
> 
> The reality is that these filters are probably created today by backbone 
> security folks, so the question is how fast you want the 
> injections/rejections.
> 
> IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.
> 
> Comments?
> 
> Deepak

-- 
James Jun                     TowardEX Technologies, Inc.
Technical Lead                Network Design, Consulting, IT Outsourcing
[EMAIL PROTECTED]  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867   web: http://www.towardex.com , noc: www.twdx.net