Arbor Networks DoS defense product

If they can take out your legitimate peers by spoofing end to end TCP
connections, then you have got some really enormous problems that need to
be addressed.

I don't think spoofing will be a problem for the landmines. Most attacks
(99%?) are tcp.

-Dan
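Dan's point above about spoofing end-to-end TCP connections, as an added example in Python (not from this thread, and not dshield or Arbor code): a toy landmine sensor that records a hit only once the peer echoes the sensor's randomly chosen initial sequence number, i.e. after a completed three-way handshake. A forged SYN cannot do that, because the SYN/ACK carrying the ISN is routed to the forged address, not to the attacker. The addresses, the scanner's sequence numbers and the fixed ISN used in the walkthrough are assumptions made for this example.

```python
# Added example: a "landmine" sensor that counts a hit only after a completed
# TCP three-way handshake.  Addresses, sequence numbers and the fixed ISN in
# run_example() are made up for the walkthrough.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    """The few TCP header fields the sensor cares about."""
    src: str
    dst: str
    flags: str          # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST
    seq: int = 0
    ack: int = 0


class LandmineSensor:
    """Listens on an otherwise unused address; nobody has a reason to talk to it."""

    def __init__(self, addr: str, isn_factory: Optional[Callable[[], int]] = None):
        self.addr = addr
        # Random 32-bit initial sequence number per connection.  A forged
        # source never receives it, so it cannot echo isn+1 in its ACK.
        self._isn = isn_factory or (lambda: secrets.randbelow(1 << 32))
        self._half_open: Dict[str, int] = {}   # src -> ISN we sent in the SYN/ACK
        self.hits: List[str] = []              # sources that completed the handshake

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one inbound segment and return the segment to send back, if any."""
        if seg.dst != self.addr:
            return None
        if seg.flags == "S":
            isn = self._isn()
            self._half_open[seg.src] = isn
            return Segment(self.addr, seg.src, "SA", seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == "R":
            # Backscatter: a host whose address was forged answers our SYN/ACK
            # with a reset.  Forget the half-open entry; no hit is recorded.
            self._half_open.pop(seg.src, None)
            return None
        if seg.flags == "A":
            isn = self._half_open.get(seg.src)
            if isn is not None and seg.ack == (isn + 1) & MASK32:
                self._half_open.pop(seg.src)
                self.hits.append(seg.src)      # only a peer that saw our ISN gets here
            return None
        return None


def honest_connect_scan(sensor: LandmineSensor, scanner: str) -> None:
    """A connect() scan: the scanner receives our SYN/ACK and completes the handshake."""
    synack = sensor.receive(Segment(scanner, sensor.addr, "S", seq=1000))
    sensor.receive(Segment(scanner, sensor.addr, "A",
                           seq=1001, ack=(synack.seq + 1) & MASK32))


def spoofed_scan(sensor: LandmineSensor, victim: str, guessed_ack: int) -> None:
    """A SYN forged with the victim's address.  Our SYN/ACK goes to the victim;
    the attacker never learns the ISN and can only guess the ACK number."""
    synack = sensor.receive(Segment(victim, sensor.addr, "S", seq=5000))
    assert synack is not None and synack.dst == victim      # routed to the victim
    # The attacker fires a blind ACK with a guessed acknowledgement number ...
    sensor.receive(Segment(victim, sensor.addr, "A", seq=5001, ack=guessed_ack))
    # ... and the victim, which never sent a SYN, answers our SYN/ACK with RST.
    sensor.receive(Segment(victim, sensor.addr, "R", seq=synack.ack))


def run_example(isn_factory: Optional[Callable[[], int]] = None) -> List[str]:
    sensor = LandmineSensor("198.51.100.10", isn_factory)
    honest_connect_scan(sensor, "203.0.113.7")                  # counted
    spoofed_scan(sensor, victim="192.0.2.50", guessed_ack=1)    # not counted
    return list(sensor.hits)


if __name__ == "__main__":
    print(run_example())   # ['203.0.113.7']
```

The trade-off is that a half-open (SYN) scan does not register either: the scanner gets the SYN/ACK but answers with a RST instead of an ACK, so the sensor only ever sees sources that opened a full connection. ICMP or UDP probes carry no such proof of origin, which is why a sensor keyed on them is the one an attacker can point at a third party.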

Hi, Dan.

] I don't think spoofing will be a problem for the landmines. Most attacks
] (99%?) are tcp.

Hmm... Not based on my research. The most common attack capabilities in
the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most
of the DoS tools contain the same attack types as the bots.

On the receiving end, upwards of 80% of all the woe I track is not TCP.

Thanks,
Rob.

You miss the point of this:

We are not landmining for DOSing.

We are landmining to make it very dangerous for attackers to scan networks
and probe hosts.

-Dan

Are you now operating under the premise that scans != anything but the
prelude to an attack? Sorry if I missed it earlier in the thread, but
I would hate to think any legitimate scanning of a network or host
would result in a false positive. Even more, I would hate to see the
advocation of a hostile reaction to what, so far, is not considered a
crime.

PJ

It would take more than a single landmine hit to get blackholed. Like, duh.

Enough hits on a wide sensor net prove bad intentions, as proven by dshield.

I'm surprised at the extremely shallow level of arguments so far against
landmines.

Well, I guess I shouldn't be surprised -- this *IS* nanog, after all... :P

-Dan

crime, or art? ;)

  http://www.nytimes.com/2002/05/13/arts/design/13ARTS.html

-d.

So you can think of a perfectly legitimate reason to scan someone else's
netblocks on specific TCP ports?

-c

> > We are not landmining for DOSing.
> > We are landmining to make it very dangerous for attackers to scan networks
> > and probe hosts.
> Are you now operating under the premise that scans != anything but the
> prelude to an attack? Sorry if I missed it earlier in the thread, but
> I would hate to think any legitimate scanning of a network or host
> would result in a false positive. Even more, I would hate to see the
> advocation of a hostile reaction to what, so far, is not considered a
> crime.

> It would take more than a single landmine hit to get blackholed. Like, duh.

Forgive me for daring to ask a question. How many imply bad intent in
general practice? 4? 5? 10? Any time limitations? I am sure they
are, but I am just curious. Would the paranoid timing setting in nmap
trigger it?

> Enough hits on a wide sensor net prove bad intentions, as proven by dshield.

"Prove?" What exactly is enough hits? Is it dependent on the size of
the network? Again, what about the timing factor? All that will
happen is anyone with hostile intent will start breaking up networks
into smaller chunks to be scanned from different hosts. I don't see
it solving the so-called problem of scanning.

> I'm surprised at the extremely shallow level of arguments so far against
> landmines.

I am surprised at the extremely shallow level of thinking that seeks to
shift the burden of security maintenance off of the shoulders of those
who should be responsible. Would you block just a host or a network?
What about dynamic IPs? It doesn't take much bandwidth to probe.
Blackhole enough of the net and you effectively serve the purpose of
DOSing yourself.

PJ

Feel free to go portscan some US military and federal interest networks,
then. If it's not a crime, you shouldn't have any problems scanning them.

-Dan

> Even more, I would hate to see the advocation of a hostile reaction to
> what, so far, is not considered a crime.

I agree. Scanning is no crime. But blocking isn't a crime either.

> Sorry for not including nanog in the reply. What about MAPS? They
> routinely scan netblocks without consent. Does this tool
> differentiate between local and non-local scanning? Scanning is

The tool in question may not even exist yet. There is no preset
definition of how it has to work. Perhaps it can be evolved enough
to where it only triggers when an exploit is attempted, rather
than just on a TCP connection.

> still not a crime and it will still do nothing to deter anyone with
> hostile intentions. This is just a bandaid to avoid taking proper
> security precautions.

I can take all the proper security precautions and it doesn't stop
third party network A from being exploited and later used to attack
me. The point of this is that it will help identify a specific host
which is scanning many blocks belonging to many different networks.
If they hit several landmines in my network, I might be concerned.
If they hit landmines in my network and 6 others to which I have no
affiliation, the net as a whole might want to know about it.

I don't think anyone said this was intended to take the place of
security on their own networks. But I don't see how that aspect
makes this a bad tool on its own either way.

-c

If it's a crime, someone should have no problem citing the code. If
it's not a crime, then I am guilty of nothing and should have nothing
to fear. Of course, in the present political climate, that's
probably not the case, but it doesn't make it right. However, there
is legal precedent that port scanning is not illegal. There are
always going to be people who are going to probe and poke, as long as
there is no direct harm, who cares? Sorry, the days of people sitting
in nice straight lines, only doing what you want them to do and only
going where you want them to go are not yet upon us.

http://online.securityfocus.com/news/126

PJ

Agreed. But this blocking still will do no good. My previous
questions still stand. What about timing? What about breaking up
segments of the network to be scanned by different hosts? How many
hits on the landmines constitute blocking? Are you blocking hosts or
networks? Either way, what about dynamic IPs? What about scans done
from different networks other than that which the supposed attacker is
originating from? Universities, unsecured wireless LANs, etc.

PJ

> > Sorry for not including nanog in the reply. What about MAPS? They
> > routinely scan netblocks without consent. Does this tool
> > differentiate between local and non-local scanning? Scanning is
>
> The tool in question may not even exist yet. There is no preset
> definition of how it has to work. Perhaps it can be evolved enough
> to where it only triggers when an exploit is attempted, rather
> than just on a TCP connection.

Granted. However, if it's not yet in existence, these are good
questions to be asked now instead of later, no? I would feel much
better about it if it was triggered by an exploit, instead of a
connection.

> > still not a crime and it will still do nothing to deter anyone with
> > hostile intentions. This is just a bandaid to avoid taking proper
> > security precautions.
>
> I can take all the proper security precautions and it doesn't stop
> third party network A from being exploited and later used to attack
> me. The point of this is that it will help identify a specific host
> which is scanning many blocks belonging to many different networks.
> If they hit several landmines in my network, I might be concerned.
> If they hit landmines in my network and 6 others to which I have no
> affiliation, the net as a whole might want to know about it.

Granted. However, the suggestion to place said host/network into some
sort of BGP black hole has its problems. The community as a whole
already has an idea of which networks have a greater percentage of
attacks originating from them; an alert is fine, a pre-emptive strike in
the absence of an actual attack is not.

> I don't think anyone said this was intended to take the place of
> security on their own networks. But I don't see how that aspect
> makes this a bad tool on its own either way.

Yes, that was perhaps an implication made on my part. However, there
are still concerns with the idea that have yet to be addressed.

PJ

> Granted. However, the suggestion to place said host/network into some
> sort of BGP black hole has its problems. The community as a whole

Keep in mind that this would be a subscription service. It's not as
though the route would be announced to the entire net. If you're not
comfortable with it, don't use it on your network (or change upstreams,
if they're using it).

> already has an idea of which networks have a greater percentage of
> attacks originating from them; an alert is fine, a pre-emptive strike in
> the absence of an actual attack is not.

It's not permanent. There clearly would need to be some means of
human intervention by which an entry can be removed. At worst, a
compromised host is blackholed which will get someone's attention.
At best, it is prevented from contributing to attacks.

-c

Date: Wed, 15 May 2002 18:13:07 -0700
From: Clayton Fiske

> There is no preset definition of how it has to work. Perhaps
> it can be evolved enough to where it only triggers when an
> exploit is attempted, rather than just on a TCP connection.

Sounds sorta like the SMTP *BL debate with a new spin. Data
exist; how one uses them is a matter of preference.

IMHO, landmines would be a very handy way to get a "big picture"
view. What threshold triggers what activity is up to the user.

I could quickly write a script to find origin ASN of anyone who
pings <machine x>, find all prefixes with that origin ASN, and
blackhole them. And it would be a pretty stupid manuever, so I
hopefully would know better.

I don't see how landmines are any different... one needn't use
the feed in a predetermined manner. I think there are more than
a few people who can bang out code, or who know those who can,
hanging out on here.

> What about timing? What about breaking up
> segments of the network to be scanned by different hosts?

It's really a matter of getting a sizable 'landmine net' up. With
dshield, I hope to ultimately have a couple in each AS, probably with
some local aggregation.

The trick is that you use other people's landmines. It doesn't help you
to use your own. Scan & exploit often come in one package, so by the time
you figure out you are scanned, you probably already lost a few hosts.
The trick with distributed (or 'collaborative' as I think it is better
called) intrusion detection is that whoever gets scanned first tells
everyone else.

Also: This has to be automated. Because whoever gets hit first is
probably too busy cleaning up to worry about posting all the gory
details on this or any other list.

> How many
> hits on the landmines constitute blocking? Are you blocking hosts or
> networks?

up to you... Setting too much of a policy would make the system
predictable and vulnerable. (attacker knows: only scan 99 hosts from
each zombie...)

> Either way, what about dynamic IPs?

Blocking a network will take care of them. Other than that: for a
DSL/cable line the IP will not change much, and for a dialup line they
would have to hang up and dial a lot to get a good IP distribution.

> What about scans done
> from different networks other than that which the supposed attacker is
> originating from?

Well, then these networks are marked as "attackers", which is ok. They
can clean up their systems and enjoy full access again.

> Universities, unsecured wireless LANs, etc.

Same thing: if you run an unsecured wireless network, maybe you
shouldn't have given it access to the net in the first place.
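The collaborative scheme described above (Clayton's "landmines in my network and 6 others", and "whoever gets scanned first tells everyone else"), together with PJ's open questions about how many hits, over what time, and whether to key on hosts or networks, as an added example in Python. This is not code from the thread, from dshield, or from any product mentioned; the feed format, the AS-number-style sensor labels, the window and threshold values, and every address in the sample feed are constructed for the example.

```python
# Added example: correlate landmine hits reported by several participating
# networks and flag sources that hit sensors in enough *distinct* networks
# inside a sliding time window.  Feed format, sensor labels, thresholds and
# all addresses below are constructed for this example.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple

# Constructed feed: "<ISO timestamp> <sensor owner> <source address>", one line
# per hit a participating network reports.  203.0.113.7 walks four networks in
# seven minutes; 198.51.100.0/24 splits the same job over four hosts, one
# network each; 192.0.2.40 only ever hits one network; 192.0.2.30 hits three
# networks but hours apart.
SAMPLE_FEED = """\
2002-05-15T12:00:00 AS64500 203.0.113.7
2002-05-15T12:02:00 AS64501 203.0.113.7
2002-05-15T12:05:00 AS64502 203.0.113.7
2002-05-15T12:07:00 AS64503 203.0.113.7
2002-05-15T12:00:30 AS64500 198.51.100.1
2002-05-15T12:01:00 AS64501 198.51.100.2
2002-05-15T12:01:30 AS64502 198.51.100.3
2002-05-15T12:02:00 AS64503 198.51.100.4
2002-05-15T12:00:00 AS64500 192.0.2.40
2002-05-15T12:01:00 AS64500 192.0.2.40
2002-05-15T12:02:00 AS64500 192.0.2.40
2002-05-15T12:03:00 AS64501 192.0.2.9
2002-05-15T09:00:00 AS64502 192.0.2.30
2002-05-15T11:00:00 AS64503 192.0.2.30
2002-05-15T13:00:00 AS64500 192.0.2.30
"""

Hit = Tuple[datetime, str, ipaddress.IPv4Address]


def parse_feed(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, owner, src = line.split()
        hits.append((datetime.fromisoformat(ts), owner, ipaddress.ip_address(src)))
    return hits


def by_host(ip: ipaddress.IPv4Address) -> str:
    return str(ip)


def by_net24(ip: ipaddress.IPv4Address) -> str:
    # IPv4 only: fold the source into its /24 (assumed here to be the block an
    # operator would consider null-routing instead of a single host).
    return str(ipaddress.ip_network("%s/24" % ip, strict=False))


def correlate(hits: List[Hit], window: timedelta, min_networks: int,
              key: Callable[[ipaddress.IPv4Address], str] = by_host) -> Dict[str, Set[str]]:
    """Return {key: sensor owners hit} for every key that hit landmines in at
    least `min_networks` distinct participating networks within one sliding
    window of length `window`.  Repeated hits in a single network never count."""
    timeline: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, owner, src in sorted(hits, key=lambda h: h[0]):
        timeline[key(src)].append((ts, owner))
    flagged: Dict[str, Set[str]] = {}
    for k, events in timeline.items():
        best: Set[str] = set()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            owners = {owner for _, owner in events[start:end + 1]}
            if len(owners) > len(best):
                best = owners
        if len(best) >= min_networks:
            flagged[k] = best
    return flagged


def run_example(window: timedelta = timedelta(minutes=10), threshold: int = 3):
    hits = parse_feed(SAMPLE_FEED)
    return (correlate(hits, window, threshold, by_host),
            correlate(hits, window, threshold, by_net24))


if __name__ == "__main__":
    per_host, per_net = run_example()
    print("per host:", sorted(per_host))   # ['203.0.113.7']
    print("per /24: ", sorted(per_net))    # ['198.51.100.0/24', '203.0.113.0/24']
```

With a ten-minute window and a threshold of three networks, keying on hosts catches only 203.0.113.7; keying on the /24 also catches the scan that was split across 198.51.100.1-4, which is the evasion PJ predicts. What neither setting catches is 192.0.2.30, whose three hits are hours apart: a five-hour window flags it, and a ten-minute one does not, which is the timing question in concrete form. The threshold, window and aggregation key are parameters precisely because, as the reply above says, publishing one fixed policy tells an attacker how many probes per zombie are safe.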

> If it's a crime, someone should have no problem citing the code. If
> it's not a crime, then I am guilty of nothing and should have nothing
> to fear.

Do let us know how your portscans of US military networks go...

> There are always going to be people who are going to probe and poke

Are you one of them?

-Dan

Yes. Part of such blackholing would be hoped to have a "behaviour
modification" effect the same way that RBL does.

Many NOCs/admins are too apathetic/lazy/incompetent/toothless to do
anything about shutting down compromised boxes/script kiddies. Blackholing
them from the net would provide motivation. And some protection against
those attackers.

When management can no longer download their pr0n you can damn well bet
they will "want it fixed NOW" and will give whatever authorization
required to do it.

Well, you get the point. :P

It's not intended to be perfect.

It's intended to make life more difficult for attackers, and to reduce
impact of attacks at least a little bit. And motivate lazy networks to fix
their broken shit.

-Dan

[snip]
[briareos@otherlands.net]

> > > Even more, I would hate to see the advocation of a hostile reaction to
> > > what, so far, is not considered a crime.
> >
> > I agree. Scanning is no crime. But blocking isn't a crime either.
>
> Agreed. But this blocking still will do no good. My previous
> questions still stand. What about timing? What about breaking up
> segments of the network to be scanned by different hosts? How many
> hits on the landmines constitute blocking? Are you blocking hosts or
> networks? Either way, what about dynamic IPs? What about scans done
> from different networks other than that which the supposed attacker is
> originating from? Universities, unsecured wireless LANs, etc.

So because we can't implement a perfect solution, let's do nothing at all
about the problem?