GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

Of the DDOS attacks I have had to deal with in the past year I have seen
none which were icmp based.
As attacks evolve and transform are we really to believe that rate limiting
icmp will have some value in the attacks of tomorrow?
-Gordon

> We have a similarly sized connection to MFN/AboveNet, which I won't
> recommend at this time due to some very questionable null routing they're
> doing (propagating routes to destinations, then bitbucketing traffic sent

The folks doing the attacking aren't 100% stupid... If their tcp flooder
fails they will attempt udp then icmp or some other serial list of
flooding tools. A large number of the 'bot' programs today have multiple
flooding tools on them, so attempt proto X, if !success then attempt proto
Y and so on :(

Rate-limiting ICMP is 'ok' if you, as the provider, think it's worthwhile
and you, as the provider, want to deal with the headache phone calls...
It might not stop everything, but in reality nothing really can :( If
someone really wants your site/system/server off the network it's as good
as gone.

-Chris
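The fallback behaviour described in the post above, as an added example that is not part of the original thread: a token-bucket policer applied only to ICMP, run over a constructed packet trace in which a bot floods with TCP, then UDP, then ICMP. The rates, burst size, packet sizes and timings are made-up assumptions; the point is what such a policer does and does not touch.

```python
"""Token-bucket ICMP policer run over a constructed multi-protocol flood.

Added example, not from the original thread. It models an interface-level
ICMP rate limit of the kind the thread discusses and a bot that works
through a serial list of flooding tools. All rates and sizes are assumed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    proto: str      # "tcp", "udp" or "icmp"
    size: int       # bytes on the wire


class TokenBucket:
    """Classic token bucket: refill at `rate` bytes/s, capped at `burst` bytes."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # starts full, so the first burst passes
        self.last = 0.0

    def conform(self, now: float, size: int) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(packets, icmp_rate=8_000, icmp_burst=16_000):
    """Police ICMP only; TCP and UDP are forwarded untouched.

    Returns two Counters keyed by protocol: forwarded and dropped packets.
    """
    bucket = TokenBucket(icmp_rate, icmp_burst)
    forwarded, dropped = Counter(), Counter()
    for p in sorted(packets, key=lambda p: p.t):
        if p.proto == "icmp" and not bucket.conform(p.t, p.size):
            dropped[p.proto] += 1
        else:
            forwarded[p.proto] += 1
    return forwarded, dropped


def flood(proto, start, duration, pps, size):
    """Constructed flood: `pps` packets/s of `proto` for `duration` seconds."""
    n = int(duration * pps)
    return [Packet(start + i / pps, proto, size) for i in range(n)]


def bot_fallback_trace():
    """The serial tool list from the thread: tcp, then udp, then icmp (assumed)."""
    trace = []
    trace += flood("tcp", 0.0, 2.0, 5_000, 60)       # SYN flood, seconds 0-2
    trace += flood("udp", 2.0, 2.0, 5_000, 512)      # UDP flood, seconds 2-4
    trace += flood("icmp", 4.0, 2.0, 5_000, 1_000)   # ping flood, seconds 4-6
    return trace


def main():
    fwd, drop = police(bot_fallback_trace())
    for proto in ("tcp", "udp", "icmp"):
        print(f"{proto:4s} forwarded={fwd[proto]:6d} dropped={drop[proto]:6d}")


if __name__ == "__main__":
    main()
```

With these numbers the policer lets the initial 16 KB burst through and then about 8 KB/s of ICMP, so all but a few dozen of the 10,000 pings are dropped, while every one of the 20,000 TCP and UDP packets is forwarded. The limiter answers the ICMP leg of the attack and the phone calls from customers whose pings now fail, and nothing else.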

Would it be fair to say that UUNET haven't been asked by Homeland Security
to do the rate limiting that GLBX claim they have been asked to do? Has
anyone else been asked to rate limit by the U.S. Department of Homeland
Security?

Rich

> Rate-limiting ICMP is 'ok' if you, as the provider, think its worthwhile
> and you, as the provider, want to deal with the headache phone calls...

> Would it be fair to say that UUNET haven't been asked by Homeland Security
> to do the rate limiting that GLBX claim they have been asked to do? Has

That is not fair at all :) DHS asked 'all ISPs' to filter 'all relevant
traffic' for this latest set of MS worm events. Some ISPs did the
filtering in part or in whole, others didn't...

I would think that any ISP should have made the decision to take action
not based on DHS's decree, but on the requirements of their network. So,
if the ISP's network was adversely impacted by this event, or any other,
they should take the action that is appropriate for their situation. That
action might be to filter some or all of the items in DHS's decree, it
might be to drop prefixes on the floor or turn down customers, or a whole
host of other options.

Doing things for the govt 'because they asked nicely' is not really the
best of plans, certainly they don't know the mechanics of your network,
mine, GBLX's, C&W's or anyone else's... they should not dictate a solution.
They really should work with their industry reps to 'get the word out'
about a problem and 'make people aware' that there could be a crisis.
Dictating solutions to 'problems' that might not exist is hardly a way to
get people to help you out in your cause :) Oh, and why didn't they beat
on the original software vendor about this?? Ok, no more rant for me :)

> anyone else been asked to rate limit by the U.S. Department of Homeland
> Security?

Just about everyone with a large enough US office was asked by DHS, in a
public statement...

> As attacks evolve and transform are we really to believe that rate
> limiting icmp will have some value in the attacks of tomorrow?

no. nor those of today. the only way we're going to flatten the increase
of attack volume, or even turn it into a decrease, is with various forms of
admission control which are considered "the greater evil" by a lot of the
half baked civil libertarians who inhabit the internet at layer 9.

for example, edge urpf. for example, full realtime multinoc issue tracking.
for example, route filtering based on rir allocations. for example, peering
agreements that require active intermediation when downstreams misbehave.

"you can have peace. or you can have freedom. don't ever count on having
both at once." -LL (RAH)
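Strict-mode uRPF, the first of the admission controls listed above, as an added example that is not from the original post: a longest-prefix-match lookup over a constructed edge FIB, run in reverse against the interface a packet arrived on. The FIB, interface names and packets are assumptions; the RFC 5737 documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 stand in for customer space and 203.0.113.0/24 for the rest of the internet.

```python
"""Strict- and loose-mode unicast RPF over a toy FIB.

Added example (not from the original thread). The FIB, interface names and
packets below are constructed; a real router derives the FIB from its
routing table and reuses the same longest-prefix match for the source check.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed edge FIB: prefix -> interface the router would use to reach it.
EDGE_FIB = [
    ("0.0.0.0/0", "upstream0"),            # default route toward transit
    ("192.0.2.0/24", "cust-a"),            # single-homed customer A
    ("198.51.100.0/24", "cust-b"),         # customer B, primary link
    ("198.51.100.128/25", "cust-b-alt"),   # customer B's second link (more specific)
]


def build_fib(entries):
    return [Route(ipaddress.ip_network(p), iface) for p, iface in entries]


def lpm(fib, addr):
    """Longest-prefix match; returns the Route or None when nothing matches."""
    addr = ipaddress.ip_address(addr)
    best = None
    for route in fib:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def urpf(fib, in_iface, src, mode="strict", allow_default=False):
    """True if a packet with source `src` arriving on `in_iface` passes.

    strict: the best route back to `src` must point out `in_iface`.
    loose:  any route back to `src` is enough.
    The default route is ignored unless allow_default is set; otherwise every
    spoofed source would pass loose mode, and strict mode on the transit
    interface would accept anything at all.
    """
    route = lpm(fib, src)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return route.iface == in_iface


def check_trace(fib, packets, mode="strict", allow_default=False):
    """Apply uRPF to (in_iface, src) pairs; returns (iface, src, passed) tuples."""
    return [(i, s, urpf(fib, i, s, mode, allow_default)) for i, s in packets]


# Constructed ingress packets: (arriving interface, source address).
TRACE = [
    ("cust-a", "192.0.2.10"),          # customer A using its own space
    ("cust-a", "203.0.113.5"),         # customer A spoofing an outside source
    ("upstream0", "192.0.2.10"),       # outside world spoofing customer A
    ("cust-b", "198.51.100.200"),      # customer B's traffic on the "wrong" link
]

if __name__ == "__main__":
    fib = build_fib(EDGE_FIB)
    for mode in ("strict", "loose"):
        for iface, src, ok in check_trace(fib, TRACE, mode):
            print(f"{mode:6s} {iface:9s} {src:15s} {'pass' if ok else 'drop'}")
```

The fourth packet is the caveat practitioners hit in production: customer B's more-specific /25 points out the other link, so strict mode drops legitimate traffic whenever routing is asymmetric. That is why strict mode is normally applied only at single-homed customer edges and loose mode (or nothing) on peering and multihomed links, and why the default route is excluded from the check unless you explicitly opt in.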

I have a different question, mostly directed to the likes of AT&T and
GlobalCrossing that came out with this fabulous explanation -

  (1) Did you get an order from DHS to do that or were you just asked?
  (2) How did DHS manage to not know about such an order?
  (3) Are you going to bend over and do everything DHS politely asks
      you to do?

Thanks,
Alex

> anyone else been asked to rate limit by the U.S. Department of Homeland
> Security?
> Just about everyone with a large enough US office was asked by DHS, in a
> public statement...

Isn't there a difference between "we have been asked" and "we have been
ordered to"?

Alex

I suppose there is, but DHS's request (order/asking whatever) was NOT in
the form of a court order... it's:

http://www.dhs.gov/dhspublic/verify_redirect.jsp?url=http%3A%2F%2Fwww.dhs.gov%2Fdhspublic%2Finterweb%2Fassetlibrary%2FAdvisory_Attack_MS.PDF&title=Advisory+-+Potential+Internet+Attack+Targeting+Microsoft+Beginning+August+16%2C+2003+-+August+14%2C+2003

(ouch, how about: http://tinyurl.com/li0i )

and/or

http://tinyurl.com/li0s

Neither is really an 'order' so much as a 'suggestion'.. either way, it's
kind of inappropriate to make this suggestion without knowing how each
operator can or could apply a fix... that is my opinion at least.

> http://tinyurl.com/li0s
>
> Neither is really an 'order' so much as a 'suggestion'.. either way, it's
> kind of inappropriate to make this suggestion without knowing how each
> operator can or could apply a fix... that is my opinion at least.

The thing is - DHS told us so is the new favourite excuse for operators to
refuse to fix anything that is/or could be broken.

Over last two weeks I have heard the "We have implemented the DHS order" as
the excuse from

- Transport company whose gige transport went from 5ms to 700ms rtt.
- Enterprise IP provider who filtered everything but ICMP/TCP/UDP while
  offering multicast services.
- Two different IP backbones as the explanation of ICMP echo-requests being
  dropped (the issue was that in reality they were selling multiple
  100Mbit/sec connections from 155 link).

Of course, the moment one hears the "DHS told us" line, nothing else can be
done.

Alex

> http://tinyurl.com/li0s
>
> Neither is really an 'order' so much as a 'suggestion'.. either way, its
> kind of inappropriate to make this suggestion without knowing how each
> operator can or could apply a fix... that is my opinion atleast.

> The thing is - DHS told us so is the new favourite excuse for operators to
> refuse to fix anything that is/or could be broken.
>
> Over last two weeks I have heard the "We have implemented the DHS order" as
> the excuse from
>
> -- snip excuses --
>
> Of course, the moment one hears the "DHS told us" line, nothing else can be
> done.

perhaps a change in vendors is in order? I can't see why people would lie
about this, or why they'd listen to the 'request' from DHS in the first
place ;( Oh well.

Selon "Christopher L. Morrow" <chris@UU.NET>:

> That is not fair at all :) DHS asked 'all ISPs' to filter 'all relevant
> traffic' for this latest set of MS worm events. Some ISPs did the
> filtering in part or in whole, others didn't...
>
> [..]
>
> Just about everyone with a large enough US office was asked by DHS, in a
> public statement...

Rough agreement; with a fair amount of

<innocence>... : what about attempting to approach the (at least current)
ROOT CAUSE(S) albeit likely fairly (even more than patching the outcome)
cumbersome (but in the long run..)...
</innocence> ;)

<ohh>
-- if having bought a car I discover the brakes don't really do their job
(in spite of the car, considering other aspects, being (easy|nice) to
drive :), I'd rather (chat|complain) with the vendor, than asking the
highway provider to patch my way along.. building cotton walls.. ('cause
I wouldn't want my highway provider to limit my driving experience in the
case I eventually run into a better performing car..). More subtle highway
speed versus security considerations... neglected, of course :)
</ohh>

mh

http://www.wired.com/news/technology/0,1282,57804,00.html
Mike Fisher, Pennsylvania's attorney general, has sent letters to an
unknown number of ISPs over the past few months demanding that the ISPs
block Pennsylvania subscribers' access to at least 423 websites or face a
$5,000 fine, according to news reports.

[..]

How the blocks will affect law enforcement across North America would
depend on which ISP their departments are using, among other factors. But
Morris pointed out that WorldCom was ordered by a judge to comply with the
Pennsylvania law last September. WorldCom owns UUNet, and the U.S.
government is one of UUNet's biggest customers.

> perhaps a change in vendors is in order? I can't see why people would lie
> about this, or why they'd listen to the 'request' from DHS in the first
> place ;( Oh well.

> http://www.wired.com/news/technology/0,1282,57804,00.html
> Mike Fisher, Pennsylvania's attorney general, has sent letters to an
> unknown number of ISPs over the past few months demanding that the ISPs
> block Pennsylvania subscribers' access to at least 423 websites or face a
> $5,000 fine, according to news reports.

this is a very old article...

> [..]
>
> How the blocks will affect law enforcement across North America would
> depend on which ISP their departments are using, among other factors. But
> Morris pointed out that WorldCom was ordered by a judge to comply with the
> Pennsylvania law last September. WorldCom owns UUNet, and the U.S.
> government is one of UUNet's biggest customers.

That was a court order, not much any US based corporation can do about
that, eh? Oh, yeah, and it didn't help stop any child pornographers, all
it did was hide their tracks from the authorities :(

I suspect most ISPs in the US will follow lawful orders issued by
authorities with jurisdiction. Some may try to also point out how
stupid or ineffective those orders are.

In the last month there have been several worms, viruses and activities
by law enforcement and other authorities related to those. I think some
folks are confusing the various different requests, orders, subpoenas,
etc.

NIPC/DHS issued an advisory about the RPC/DCOM vulnerability and worm
including suggested mitigation steps including filtering certain ports.
This was a suggestion. Some ISPs followed the advice, some ISPs in
particular some cable modem providers have blocked NETBIOS ports for
a long time.

For the Sobig.F virus the FBI subpoenaed at least one ISP for records,
which the ISP turned over. Other AHJs tried to coordinate the shutdown
of the 20 or so IP addresses used by the Sobig.F "controller" which was
supposed to issue directions last Friday. F-Secure also issued a press
release about their cooperating with the FBI to shut down those systems
just in the "nick of time." Some ISPs cooperated with the AHJs to
shut down access to those 20 IP addresses. Since most of the 20 IP
addresses were on cable and dsl providers, the AHJs may have only
contacted those providers for assistance.

I have no idea if UUNET cooperated with the FBI, NIPC, DHS or other AHJ
concerning any of the worms or viruses over the last month.

> That was a court order, not much any US based corporation can do about
> that, eh? Oh, yeah, and it didn't help stop any child pornographers, all
> it did was hide their tracks from the authorities :(

> I suspect most ISPs in the US will follow lawful orders issued by
> authorities with jurisdiction. Some may try to also point out how
> stupid or ineffective those orders are.

Yes, this is true, and at least for the cited PA article that was the case
for A LOT of the affected ISPs. (the pointing out of a poor choice of
solutions)

> In the last month there have been several worms, viruses and activities
> by law enforcement and other authorities related to those. I think some
> folks are confusing the various different requests, orders, subpoenas,
> etc.

This is also true, and often the front-line technical service folks are
told: "We were told to do this by the gum'ent, that's our story and we're
stickin' to it!" Which often gets abbreviated to: "Yeah, we were ordered
by the stormtroopers to do this, sorry!" :(

> I have no idea if UUNET cooperated with the FBI, NIPC, DHS or other AHJ
> concerning any of the worms or viruses over the last month.

Our lawyers tell me we always cooperate when asked with a court order...