monkeys.com UPL being DDOSed to death

Hi,

> This goes beyond spam and the resources that many mail servers are
> using. These attacks are being directed at anti-spam organizations
> today. Where will they point tomorrow? Many forms of breaking through
> network security require that a system be DOS'd while the crime is being
> committed. These machines won't quiet down after the blacklists are shut
> down. They will keep attacking hosts. For the US market, this is a
> national security issue. These systems will be exploited to cause havoc
> among networks of all types and sizes; governmental and commercial.

Note that not all DNSBLs are being effectively hit. DNSBLs which run with
publicly available zone files are too distributed to be easily taken down,
particularly if periodic deltas are distributed via cryptographically
signed Usenet messages (or other "push" channels). You can immunize DNSBLs
from attack, *provided* that you're willing to publicly distribute the
contents of those DNSBLs.

And when it comes to dealing with the sources of these attacks, we all
know that there are *some* networks where security simply isn't any sort of
priority. (For example, make it a practice to routinely see what ISPs
consistently show up highly ranked on incident summary sites such as
http://www.mynetwatchman.com/ ).

Maybe the folks running those networks are overworked and understaffed,
maybe they have legal constraints that limit what they can do, maybe their
management just doesn't care as long as they keep getting paid. Who knows?
Whatever the reason, no one is willing to depeer them or filter their
routes, so they really are free to do absolutely *nothing* about
vulnerable hosts or abusive customers.

There are absolutely *no* consequences to their security inactivity, and
because of that, none of us should be surprised that the problem is
becoming a worsening one.

Regards,

Joe St Sauver (joe@oregon.uoregon.edu)
University of Oregon Computing Center
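The "publicly distributed zone with signed deltas" model above, as an added illustration that is not code from the thread: consumers keep a local copy of the list, accept only deltas whose signature verifies, and answer the usual reversed-octet query locally, so the operator's nameservers being unreachable does not stop lookups. The delta format, the zone name `dnsbl.example` and the use of HMAC-SHA256 as a stand-in for a real public-key signature are all assumptions made for this example.

```python
# Added example (not from the thread): a local DNSBL mirror fed by signed
# deltas over a push channel. Assumptions: a simple "+a.b.c.d" / "-a.b.c.d"
# delta format, HMAC-SHA256 standing in for the publisher's public-key
# signature, and a constructed zone name "dnsbl.example".
import hashlib
import hmac
import ipaddress
from typing import Optional, Set

ZONE = "dnsbl.example"
FEED_KEY = b"constructed-demo-key"  # stand-in for the publisher's signing key


def sign_delta(delta: str, key: bytes = FEED_KEY) -> str:
    """Publisher side: produce the signature that accompanies a delta."""
    return hmac.new(key, delta.encode(), hashlib.sha256).hexdigest()


def apply_delta(listed: Set[ipaddress.IPv4Address], delta: str,
                signature: str, key: bytes = FEED_KEY) -> Set[ipaddress.IPv4Address]:
    """Consumer side: apply a delta to the local copy only if its signature verifies."""
    if not hmac.compare_digest(sign_delta(delta, key), signature):
        raise ValueError("delta signature mismatch: not applied")
    for line in delta.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment in the feed
        op, addr = line[0], ipaddress.IPv4Address(line[1:].strip())
        if op == "+":
            listed.add(addr)
        elif op == "-":
            listed.discard(addr)
        else:
            raise ValueError(f"bad delta line: {line!r}")
    return listed


def dnsbl_name(addr: str) -> str:
    """Build the query name a DNSBL client would send: 1.2.3.4 -> 4.3.2.1.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE


def lookup(listed: Set[ipaddress.IPv4Address], addr: str) -> Optional[str]:
    """Answer from the local copy: '127.0.0.2' means listed, None means NXDOMAIN."""
    return "127.0.0.2" if ipaddress.IPv4Address(addr) in listed else None


# Constructed sample feed: an initial snapshot, then a delta that delists one host.
SNAPSHOT = "+192.0.2.10\n+192.0.2.11\n+198.51.100.7\n"
DELTA = "# delta 2\n-192.0.2.11\n+203.0.113.5\n"

if __name__ == "__main__":
    local = apply_delta(set(), SNAPSHOT, sign_delta(SNAPSHOT))
    local = apply_delta(local, DELTA, sign_delta(DELTA))
    print(dnsbl_name("203.0.113.5"), lookup(local, "203.0.113.5"))  # listed
    print(dnsbl_name("192.0.2.11"), lookup(local, "192.0.2.11"))    # delisted
```

A delta whose signature does not verify is rejected whole, so a forged message on the push channel cannot add or remove entries.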

china seems hellbent on becoming a LAN. i see the same thing eventually
happening to networks which refuse to deal with their ddos sources.

-Dan

http://www.openrbl.org

is also offline due to a DDoS.

         ---Mike

Well.. that's all fine and good, except we first need one large player to
put their foot down and say "That's enough of this manure, we're depeering
you and blocking your prefixes till you clean up your act".

Once *one* big player does that, your "eventually happening" will be pretty fast.

Joe St Sauver wrote:

> Note that not all DNSBLs are being effectively hit. DNSBLs which run with
> publicly available zone files are too distributed to be easily taken down,
> particularly if periodic deltas are distributed via cryptographically
> signed Usenet messages (or other "push" channels). You can immunize DNSBLs
> from attack, *provided* that you're willing to publicly distribute the
> contents of those DNSBLs.

Actually, SBL has had a lot of issues. The issue isn't always with the DNS zones. It is true that one can distribute the zones to make dDOS more difficult, although not impossible. However, in the case of SBL, they have had issues with the web servers being dDOS'd. The ability to look up why a host is blacklisted, and in the case of relay/proxy lists to request removal, is also important.

There are still a lot of blacklists out there: njabl, ordb, dsbl, reynolds, sbl, and spews (in a roundabout sort of way). Yet what happens when a business decides to destroy his competitor's website? What happens when someone decides they don't like magazine X or vendor X and attacks their web farms? Shall the Internet be called akamai? Don't get me wrong. It's a good service, but not invulnerable. windowsupdate.com can still be brought to its knees if the attacker is persistent enough.

Of course, when big money businesses are involved, things get done. Yet what about the smaller business or the charity? What about critical infrastructure? Does anyone claim that MAE East and West couldn't be made inoperative by dDOS? How does that shift the network and peering? What are the ramifications?

Of the various RPC worms, spybot is the most malicious in intent. Yet what if parts of Swen/Gibe/Sobig.F were incorporated into blaster? Process terminations to make repair difficult and to open the computer to other viruses and vulnerabilities. Installed proxy servers and bots. Keyloggers. Now collect your information, gather your bots, and watch a single phrase create destruction.

Things have not improved over the last year. They have gotten worse. The Internet is more malicious than ever. It is quickly becoming the Inner City Projects of communication. Greed and hatred created some of the worst neighborhoods in the world. The same concept will apply to the network. If action isn't taken, it will get worse. More money will be lost over the coming years. Many people will be hurt. Communication will be impaired.

Question: Why is it not illegal for an ISP to allow a known vulnerable host to stay connected and not even bother contacting the owner? There are civil remedies that can be sought but no criminal. Bear in mind, these "vulnerable" hosts are usually in the process of performing malicious activity when they are reported.

Ron has reported many of the IP addresses that dDOS'd monkeys.com. By the same token, Ron has also reported to many ISPs about spammers which have abused servers under his control, scanning and utilizing open proxies, which is theft of resources. Why is nothing done about these people? Why is the ISP not held liable for allowing the person to continue in such malicious activity?

-Jack

But what's the business case for doing so? Unless enough of their customers
are pissed off, it's not going to happen. Most users don't know enough about
it to complain to their provider so it becomes a bottom line issue.

In my recent experience, there are many, many network operators in North America and Europe who are really, really bad at tracking back source-spoofed DDoS traffic through their networks (there are also some notable, fine exceptions I've dealt with recently, who know who they are and should not feel slighted by this generality).

If transit was uniformly denied to every operator who was not equipped to deal with DDoS tracking in a timely manner, I think 90% of the Internet would disappear immediately.

This is not just an Asian problem.

(Incidentally, I think if one big player suddenly decided to throw away the millions of dollars of revenue they earn through providing transit to east Asian countries, the likely effect would be another grateful big player leaping in to take over. I don't see a future in which the well-being of users in other peoples' networks trumps income.)

Joe

Dan Hollis wrote:

> china seems hellbent on becoming a LAN. i see the same thing eventually
> happening to networks which refuse to deal with their ddos sources.

This invites the question whether the hijacked PC or the hijacker in the sunshine state is more
guilty of the spam and ddos?

I would expect disconnecting .fl.us would have a more positive effect on the Internet as a whole
than would .cn.

Pete

it gets worse. there are operators who *are* equipped, but refuse to deal
not only with ddos tracking but with shutting off confirmed sources within
their networks. the response is 'we will deal with it when we get a
subpoena'.

-Dan

the operator hosting the hijacked PC is guilty if they are notified and
refuse to take action. which seems to be all too common these days with
universities and colocation companies.

-Dan

And the ignorance of front-end personnel in LE agencies, unless you are
the NY Times and claim $500,000 in purely fictitious damages, can be a bit
frustrating.

Spamcop and Spamhaus have been undergoing intense DDoS attacks for
months, and I am only partially aware how they are being mitigated.

If certain large operators can donate bandwidth and equipment for
IRC servers in locations with OC-12 and better connectivity, AND
live through the DDoS attacks that come with it, why not step forward
and provide some forwarding-proxy service for some of the websites
and distribution sites for DNSBLs, plus possibly proxying DNS traffic?

OpenRBL.org has stated (http://www.openrbl.org/index-2.htm) that the
bandwidth required for actual application traffic can be very low
(0.5Mbps or less), not counting DDoS traffic.

No arrangements of that kind have to be public knowledge.

Other measures:

- Got a spare /20 that can be used to make the forwarding proxy hop around
  a bit, every 5 minutes or so, with DNS TTLs in the 10-minute range?

  It's been done with 'moving-target' spamvertised sites like
  optinspecialists.info, which is currently using a LARGE number of
  compromised Windows hosts illegally to proxy DNS and HTTP traffic for
  them. They've been doing it for weeks. Do the registrars care? Hell no.
  (See morozreg.biz, bubra.biz, the domains used for DNS, domains you
  probably want to add local zone overrides for, in your nameservers,
  not your HOSTS file. Now we know how Al-Qaeda is hiding their websites,
  at last.)

  It would be trivial to 'sinkhole' DoS traffic still going on to IPs of
  the recent past, greatly increasing the chances of catching the
  perpetrators as they keep switching their trojans to new IPs,
  hitting a few fully-sniffed honeypots while they are at it.

- BGP anycast, ideally suited for such forwarding proxies.
  Anyone here feeling very adept with BGP anycast (I don't) for
  the purpose of running such a service? This is a solution that
  has to be suggested and explained to some of the DNSBL operators.

If someone reading this has gone forward with a private mailing list to
discuss all these issues, I'd be happy to receive an invitation to donate
my [lack of] smarts to the cause.

bye, Kai

Anyone want to offer hardware, colo, bandwidth and a bgp session for a dnsbl anycast solution?

At the very least it could be some excellent PR for a provider to have.

Justin

they still make static targets for ddos, the only difference is there's
a few more of them.

-Dan

Yep

Dan Hollis wrote:

> the operator hosting the hijacked PC is guilty if they are notified and
> refuse to take action. which seems to be all too common these days with
> universities and colocation companies.

In many cases they also are incompetent or incapable of taking action since there are hardly
any "Disconnecting abusers for dummies" books on the shelf.

Not that incompetence would work too well as defence, but you would have to take
it that far or have some way of getting the abusers off the network without waiting for
the slow and incompetent and deal with the consequences of mistakes later.

Pete

Kai Schlichting wrote:

Hi Matthew,

>If someone reading this has gone forward with a private mailing list to
>discuss all these issues, I'd be happy to receive an invitation to donate
>my [lack of] smarts to the cause.

I'm trying to get the funds together to create a free for free DNSbls
anycast network, however it's not cheap, and the idea hosters are not
gonna do it for free.

I am sure there are plenty of people on the list willing to support this.

Bye,
Raymond.

Hi!

http://www.openrbl.org

is also offline due to a DDoS.

The official announcement can be read here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&newwindow=1&safe=off&selm=vn1lufn8h6r38%40corp.supernews.com

Bye,
Raymond.