A couple of days ago I mentioned here that I have nullrouted the IP which whitehouse.gov resolves to. After that I received some mail in private
mentioning not only the fact that I filtered the wrong IP (that's fixt
now) but also the dangers of posting about such a thing here. "Hey, he
nullroutes them, let's do it too!".
My decision to nullroute whitehouse.gov was based on the following:
- the traceroute from my net to whitehouse.gov goes through AT&T which
means that any DoS packets originating from our network will affect that
network too;
- my customerbase is not that type that would visit whitehouse.gov
frequently nor would whitehouse.gov (if coming from that IP as a source)
be interested in any of my customers;
- most of the boxes in our network have a 100mbit/s nic in their box. Our
main uplink is a STM-1 at the moment so if a colocated NT box would be
compromised, that would give a huge effect. Imagine what would happen if 2
or three boxes are infected.
After careful consideration we (our engineering team and the CEO) decided
we would not want to be a part of any attacks against the US government or
any other network.
If you have any reasons to believe you need to blackhole whitehouse.gov
please do so, but don't blackhole just because others do it as well.
I understand your need to do something like this, but you are
essentially causing the worm to fulfill it's goal and
censoring your customers. I worried that many people would do this.
Why not just use outbound Cisco ACLs on your CPE, Core, and Border
routers to permit and log the traffic to the one IP address being
attacked and them contact the people who have hacked machines? Or,
if you must use the ACLs to deny the packets with the goal of
identifing machines and getting them fixed.
Here is another email:
CAUTION: Misused ACLs can blow up your hardare. This could fill your
syslog server with logged packets.
This ACL will have to be applied on an interface in an outbound
direction.
So, to permit the traffic and log it do this:
interface s0/0
ip access-group 199 out
access-list 199 permit tcp any host 198.137.240.91 eq 80 log
access-list 199 permit tcp any host 198.137.240.92 eq 80 log
You should already be logging packets to a syslog server.
To make deny rules just change the permit to deny. However, this is
kind of drastic and almost amounts to censorship.
No, since it is known that the provider hosting www1 and www2.whitehouse.gov has already blackholed www1, and www.whitehouse.gov
only resolves to www2 now.
And then there's the big difference between operational stability and
poltical stability, of which operational is the primary concern to me at
least.
Yes, because your fix is for this worm and luckily it only attacks www1.
The next one might not be so benign and blackholing routes is not the
answer. Also, it makes it harder to ID infected hosts so you can fix them.
Blackholing routes doesn't prevent you from identifying possibility infected hosts. It simply means that you're not going to participate in the abuse of anothers network and/or host. You can still log the traffic destine for the target.
Moreover, bbn (whitehouse.gov's upstream) is blackholing it
themselves, why would you NOT blackhole it and waste your bw when
it's gonna get blackholed along the way anyway?
I understand your need to do something like this, but you are
essentially causing the worm to fulfill it's goal and
censoring your customers. I worried that many people would do this.
Why not just use outbound Cisco ACLs on your CPE, Core, and Border
routers to permit and log the traffic to the one IP address being
attacked and them contact the people who have hacked machines? Or,
if you must use the ACLs to deny the packets with the goal of
identifing machines and getting them fixed.
Outbound ACL's are an option but then you would have to be sure that they
are sending the packets to port 80.
access-list 199 permit tcp any host 198.137.240.91 eq 80 log
access-list 199 permit tcp any host 198.137.240.92 eq 80 log
You should already be logging packets to a syslog server.
We already log every packet coming by on a machine which counts the
traffic so any infected box will be identified soon.
To make deny rules just change the permit to deny. However, this is
kind of drastic and almost amounts to censorship.
Censorship is a way to see it, I prefer to call it operational prevention
of a DoS attack. The risk of "censoring" two IP's over DoS'ing an entire
network is one I can explain to angry customers (if there are any).