DDoS attacks

   For the last few days, I have experienced a series of DDoS attacks
on various targets around the globe. The general target is the EFNet
irc network, and servers have been attacked all through Europe, USA,
Canada, Israel, and such.

Wow, EFNet is being attacked? That's never happened before. Someone should
alert the media.

   Due to the various attacks, more than half of the servers on the
network were black holed (null routed). The others which hold 1/3 of
the client count, are attacked, or going to be attacked soon.

Perhaps because there are only 5 servers which actually accept clients?

   If this keeps on going, this irc network will cease to exist.

Oh the humanity.

   In this time of need, it would be a great help if the large
carriers would be helpful in tracing the traffic.

Hrm you may have an idea there. Since so many attacks are related to
EFNet, and there are so many possible reasons for it to be impacting the
rest of the internet, I propose we introduce a new ICMP type, ICMP EFNet.
This message type could be used to convey all kinds of important
information about why things are broken, for example:

ICMP EFNet code 1 - Smurfing
ICMP EFNet code 2 - SYN Flooding
ICMP EFNet code 3 - Channel takeover
ICMP EFNet code 4 - Warring botnets
ICMP EFNet code 5 - Dianora

and many other useful messages.

Wow Richard, I can't believe how incredibly helpful you are. You deserve an
award or something.

I mean really! Talk about going above and beyond the call of duty, wow!

How do I nominate you for sainthood for all the major religions?

On Wed, Jul 11, 2001 at 07:40:45PM -0400, Richard A. Steenbergen exclaimed:

Hrm you may have an idea there. Since so many attacks are related to
EFNet, and there are so many possible reasons for it to be impacting the
rest of the internet, I propose we introduce a new ICMP type, ICMP EFNet.
This message type could be used to convey all kinds of important
information about why things are broken, for example:

ICMP EFNet code 1 - Smurfing
ICMP EFNet code 2 - SYN Flooding
ICMP EFNet code 3 - Channel takeover
ICMP EFNet code 4 - Warring botnets
ICMP EFNet code 5 - Dianora

and many other useful messages.

regardless of one's opinion on the usefulness/validity/point of IRC, I think
some respect is due EFnet simply considering the antiquity of the network, and
the sheer volume of communication, good bad and indifferent, that has flowed
over it since its inception. I'm sure I'll be flamed for my (mis)use of
'antiquity', but I think IRC has been, and continues to be, a valuable
communication tool. Like any useful tool, it tends to be used for both
beneficial and nefarious purposes.

And let's not forget that any network attack, regardless of the target or
purpose, is a Bad Thing and responsible netizens should do their part to help
eliminate such abuses.

I'm done preaching now; I'm sure those who agree with me didn't need a rehash,
and those that don't are unlikely to change their minds. Just wanted to
provide a counterpoint to the "since $service has no business function and
doesn't increase profits, there's no point in supporting it" crowd.

(not that RAS is necessarily in that crowd; he just happened to be the first
to respond.)

Sometimes things are worth doing, even if doing them causes you some grief. I'm
sure cynicism will eventually overwhelm me and I will realize that there's no
point in sticking one's neck/network out to provide a useful service to the
community.

okay, I'm ready for the flames now.

This is pathetic. Someone asks for help and you demean them with jokes.

Logic? Network Operators provide the ammo, Operating systems the guy, and script kiddies the finger.

Ebay, Etrade, Yahoo, etc all got SMOKED by some unknown attacker and I've yet to see a good fix that stops this kind of attacking. Why, because right now there isn't one. What do the powerless do? They resort to poking fun, illogical behavior. I think you might do better discussing, testing, planning how to prevent this type of thing on your own network. However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.

There is no solution to this problem. This guy asking for help provided a perfect case where you could have learned something, asked questions and generally ACT AS YOU WOULD LIKE TO BE TREATED. Both of you are in my shitheads for life book and the only way to get out is to apologize to the poster, CC: nanog and ask a good question about the attacks so that we might all learn something.

Sooner or later another big attack like the last one is going to hit us. Don't kid yourself. During the last one all those companies got lucky that the attacker decided to turn it off.

This is pathetic. Someone asks for help and you demean them with jokes.

Who was joking? I wasn't. I suppose that we should all start posting
"HELP ME!" posts to NANOG instead of sending an email to/calling the NOC
of networks with which we are having issues with DIRECTLY. All the
original poster did was add to the impact of the attack in question. The
attackers can now say, "Look! We kicked SO MUCH BUTT THAT THEY HAD TO GO
WHINE ON NANOG! WE RULE!"

your own network. However, I'm concluding from the type of behavior
displayed that most of you manage nothing larger than a couple T-1s.

Think what you like. I'm sure it isn't the first you've been wrong and
most likely won't be the last.

There is no solution to this problem.

OK. No solution? If that is the case, why are you wasting your time
posting about it?

...ACT AS YOU WOULD LIKE TO BE TREATED.

If I had posted the message the original poster did, I would have FULLY
expected to be blasted/flamed/laughed at. What is your point?

Both of you are in my shitheads for life book and the only way to get out
is to apologize to the poster, CC: nanog and ask a good question about
the attacks so that we might all learn something.

The last time I checked, direct attacks and the use of foul language were
both in violation of the NANOG AUP (Item #4). I believe it is YOU who
owes an apology. [Note: Get him Sue!]

I'd like to apologise to the list for mentioning EFNet and inviting this
group of people with excessively large mouth to brain ratios to post and
further legitimize the noise.

Just to make sure I understand this:

From:
http://www.e-gerbil.net/ras/personal/index.html

I can be contacted by email, on IRC (EFNet) as "humble", or any of those other services which won't be named, usually
as "humble226".

http://www.e-gerbil.net/ras/personal/index.html

Very odd that you use the service yet bash it so much...

I am perfectly capable of using a service yet thinking that most of the
other people who use it are complete idiots. You have proven my point.
Please do NOT continue this thread on the list.

Enough people. It is quite obvious that IRC is a religious topic to a LOT
of people. My original response and Richards original email were intended
as sarcasm. It is not at all uncommon for IRC networks to be under
attack. Since some people take IRC *MUCH* more seriously than one can
imagine (keep the death threats coming) I guess we can't be sarcastic when
someone mentions IRC.

The email that is quoted above from Richard is obviously an apology for
getting involved in the discussion. I can't imaging why you would attack
him for such. I apologise for getting into the discussion. Attack me for
doing so if you must. Do it off list.

Hey, leave Di alone.

I can only hope others are as glib when it's your network or hosts under
attack. After all, we should all sit in judgement as to the validity of
other peoples packets. That's what makes the Internet work, right?

Sincerest regards,

This is pathetic. Someone asks for help and you demean them with jokes.

Who was joking? I wasn't. I suppose that we should all start posting
"HELP ME!" posts to NANOG instead of sending an email to/calling the NOC
of networks with which we are having issues with DIRECTLY.

snip

Have you ever tried emailing or calling the NOC of a Korean NSP for assistance?

We recently ahem, "entertained" a huge (100Kpps +) DDOS from Korean IPs. Even UUnet couldnt block it. We lost that $30k/m customer.

Anyone have the email address for the KrNOG list

jm

unsnip

Jon,
Perhaps when you have an attack, as you do quite often, you should call
our support number?? There is no reason we can't filter/block this traffic
for you...

If you have a ticket for the incident in question I'd be happy to look
into this.

--Chris
(chris@uu.net)