As far as tracking DoS, I've read some good papers on the subject and it
always boils down to tracking MAC addresses and going interface by
interface to the source, demanding inter-ISP cooperation, and finally
legal assistance. This has been tried during a few severe instances with
poor results.
That's the obvious solution to the problem if the problem is how to track
down the source(s) of a DoS attack. However, in any DoS attack, there is
always a victim and one or more devices sending attack traffic to the
victim. The owners of the attacking devices are accessories to the crime
although I'm sure they could plead ignorance and avoid any liability. But
what if they could not plead ignorance? What if we could identify some of
the attacking devices, and what if the victim sent a legal "cease and
desist" letter to the owners of the attacking devices? Now, the victim is
in a position to sue the owners of these attacking devices if they don't
fix the problem by securing their machines. And once this happens and gets
some press coverage, a whole bunch of other machine owners will wake up
and realize that they could be stuck with big legal bills if they don't
secure their machines.
So, to restate the problem, how do we identify some of the sources of a
DoS attack quickly, maybe even while the attack is still in progress?
Bots/Zombies are traded openly on IRC and there is no
accountability for personal security. ISPs won't shut someone down
because they've been "hacked", merely send them a warning Email or
call--a process that takes days in my experience.
How many ISPs would identify the user of an IP address for the purposes of
sending a "cease and desist" letter when contacted by a lawyer?
Considering that failure to provide the identity would result in the ISP
themselves getting sued by the DoS victim? As long as *SOME* ISPs would
cooperate with a DoS victim, there is enough to get the legal ball
rolling. The alternative is to painfully backtrack until you find an
uncooperative ISP and then sure them.
As I said before, if there was a central registry something like
dshield.org that collected data on the destination IP addresses of DoS
attacks along with estimated magnitude based on analysing the traffic from
random source addresses blocked by ingress filters, then we have something
an ISP can use to analyze their outgoing traffic. If you are an ISP and
you have netflow data that contains destination addresses which also occur
in the DoS victim registry then you should be willing to act on that data.
Of course, it's up to you what you do with it. You may offer the DoS
victim the identity of the source provided that they serve you with the
right legal documents. Or you might go to the owner of the machine
yourself with the evidence and warn them that they are aiding and abetting
cyber terrorists and could suffer the legal consequences if they don't
secure their machines.
It's certainly not perfect but it's worth a try.
--Michael Dillon
