My opinion:
A tier 1 provider does not care what traffic it carries. That is all a function of the application not the network.
A tier 2 provider may do traffic shaping, etc.
A tier 3 provider may decide to block traffic paterns.
Chiloé Temuco wrote:
> My opinion:
> A tier 1 provider does not care what traffic it carries. That is all a
> function of the application not the network.
Providers should start caring about what they're carrying. Haven't seen
one message yet about the hording of "Storm Bot" and what someone is
doing to nip this at the bud. Who better than the big boys. After all
what happens when someone launches this botnet at say Mae-East/West or
some other backbone.
> More or less... The network was intended to move data from one machine
> to another... The less manipulation in the middle the better... No
> manipulation of the payload is the name of the game.
Less manipulation = bad theory/design. Again using examples such as
Nimda, Code Red, etc., why is it that engineers can sit around spend say
- I don't know - an hour a day answering reDumbdant NANOG posts yet
these same engineers can't spend 5 hours in one week looking at "up and
coming" hurricanes on the horizon (Storm Bot anyone). Yet they can spend
another 5 hours a week bitching and moaning about who was on first and
how that bot got on second and it's all Michael Dillon's fault because
it started someone on BT, and then Gadi Evron warned you last month but
you bitched him out so you're now waiting on the gracious Mr. Bellovin
to re-write an entire protocol or say "wow that's a good idea!"...
> SO something similar to BGP is your inter-AS protocol for establishing
> what is where...
I'm all for it. Let's get another working group to implement this right
after IPv6 in the year 3000. As for the rest of the email... Sorry got
too cumbersome. I was busy writing a response to the next NANOG thread.
Chiloé Temuco wrote:
> My opinion:
>
> A tier 1 provider does not care what traffic it carries. That is all a
> function of the application not the network.
> Providers should start caring about what they're carrying. Haven't seen
> one message yet about the hording of "Storm Bot" and what someone is
> doing to nip this at the bud. Who better than the big boys. After all
> what happens when someone launches this botnet at say Mae-East/West or
> some other backbone.
sniff... mae-east. fond memories... now if ANYONE could
launch anything from mae-east these days, I'd be really impressed.
> SO something similar to BGP is your inter-AS protocol for establishing
> what is where...
> I'm all for it. Let's get another working group to implement this right
> after IPv6 in the year 3000. As for the rest of the email... Sorry got
> too cumbersome. I was busy writing a response to the next NANOG thread.
does this mean we have to implement Terrells tribit encoding?
--bill
I doubt if anybody would notice a DDoS attack against MAE-East.
And we're unlikely to see many major DDoS attacks against backbones, for
a number of reasons:
1) You need a pretty big hose, or a *lot* of computers to do it.
2) The people with botnets tend to fall into 2 major groups: ankle-biters and pros.
2a) The ankle-biters don't hose down backbones because (1) they don't usually
even know what a backbone is, and (2) they're usually too busy pointing their
DDoS tools at some other ankle-biter or IRC admin that cheesed them off. Yes,
these guys have taken out a few mid-tiers, but it's accidental collateral
damage, not the intended target.
2b) The pros don't hose down backbones, because if a backbone is down, they
can't make money from their now-disconnected botnet.
Yeah, a concerted effort probably *would* take out AS701 or similar. But we
don't see it happen often, because the people who have the ability to do it
also realize that while AS701 is out napping, their other business ventures
are taking a hit from the lost connectivity...
> I doubt if anybody would notice a DDoS attack against MAE-East.
Who was it that doubted anyone would need more than 1024k of memory?
> 1) You need a pretty big hose, or a *lot* of computers to do it.
I would hope some have been reading news reports where it's alleged this
particular botnet is over 1.7 million machines deep.
> 2a) The ankle-biters don't hose down backbones because (1) they don't usually
> even know what a backbone is, and (2) they're usually too busy pointing their
> DDoS tools at some other ankle-biter or IRC admin that cheesed them off. Yes,
> these guys have taken out a few mid-tiers, but it's accidental collateral
> damage, not the intended target.
Come on now, surely you don't believe these to be the only cases where
idiots use botnets. Have you not read the reports of morons hosing a
network for ransom.
> 2b) The pros don't hose down backbones, because if a backbone is down, they
> can't make money from their now-disconnected botnet.
Re-read above statement
> Yeah, a concerted effort probably *would* take out AS701 or similar. But we
> don't see it happen often, because the people who have the ability to do it
> also realize that while AS701 is out napping, their other business ventures
> are taking a hit from the lost connectivity...
For years now I contemplated how long would it be before someone created
the ultimate botnet/backbone killer. I've always wondered "Hrmm... How
would I COUNTER this if x happened." I've rambled on about it for I
don't know 8 years now, starting with "Theories in DoS" before DDoS was
really even pimped out by Dave Dittrich... People thought (probably
still do think) I was (am) looney. My guess is, give or take a few years
and you will get that one pissed off person to lay the smack down on
peers worldwide.
When this happens (hopefully it won't), I'll sit back and ramble on some
more with "that's so yesterday... I predicted it a "real long time ago"
(www.infiltrated.net/chappelle.mp3) then go back to rambling on as I
always do.
If anyone is running a large enough network that they can't mitigate this it would surprise me, and they would deserve to be taken out. Unless all these bots are directly connected (direct customer) and concentrated on one portion of the network (not spread across the entire access layer) I can't imagine with the tools, features, products, etc that are available today (that can almost manage DDoS attacks for you) that it couldn't be mitigated. 5-6 years ago this would have been a lot tougher, but it was still doable.
It would be interesting to get into a really technical architectural discussion. I have my ideas as to how to manage it, I'm sure others do as well, and differently. And ASN701 as mentioned specifically has someone who was able to manage these things 5-6 years ago in Chris Morrow (assuming you're still there). He helped us quite a bit back in those days, and without all the toys that are out there today.
J. Oquendo wrote:
We could go stand on the roof of either 8100 Boone or 1919 Gallows and
throw something off (maybe an old 7507). Would that count?
--Jeff
So if someone had a moderately large botnet (100k hosts) and these had an average broadband speed of say 2Mbps .. you are saying that 200Gb of traffic can be handled?
Given that the fastest edge connections (outside of Peter Lothberg's bathroom) are 10Gb this traffic can easily be directed to take out multiple parts of a network's critical connectivity.
Steve
> Unless all these bots are directly connected (direct
> customer) and concentrated on one portion of the network (not
> spread across the entire access layer) I can't imagine with
> the tools, features, products, etc that are available today
> (that can almost manage DDoS attacks for you) that it
> couldn't be mitigated. 5-6 years ago this would have been a
> lot tougher, but it was still doable.
Remote triggered BGP blackhole filtering comes to mind:
ftp://ftp-eng.cisco.com/cons/isp/security/Remote-Triggered-Black-Hole-Filtering-02.pdf
And if the bots are directly connected or concentrated in one point of
the network, it seems to me that simple ACLs can mitigate the attack.
I agree that DDoS is not likely to take down a network big enough to be
called a backbone unless there is some kind of unforeseen side effects
to the DDoS.
--Michael Dillon
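To make the remote-triggered blackhole filtering Michael refers to concrete, here is an added example configuration in IOS-style syntax; it is not from the thread or from the Cisco paper, and the AS number 65000, iBGP peer 10.0.0.2, discard next-hop 192.0.2.1, tag 666 and victim address 203.0.113.5 are assumed documentation values.

```cisco
! --- Trigger router: originates the blackhole route into iBGP ---
! 192.0.2.1 (assumed) is an otherwise unused address that every router
! in the AS routes to Null0; it is the "discard" next-hop.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
 redistribute static route-map RTBH-TRIGGER
!
! Only statics tagged 666 are redistributed. Each is rewritten to point at
! the discard next-hop, preferred over any other path, and kept inside the
! AS with no-export so the blackhole never leaks to peers or customers.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-TRIGGER deny 20
!
! During an attack on a customer host (203.0.113.5 is assumed), one tagged
! static on the trigger router blackholes it AS-wide; removing the static
! withdraws the route and restores service.
ip route 203.0.113.5 255.255.255.255 192.0.2.1 tag 666
!
! --- Every edge/border router: the same discard route ---
! Any prefix learned with next-hop 192.0.2.1 now resolves to Null0, so the
! flood is dropped at the ingress line card instead of crossing the core.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Optional, on edge interfaces: loose-mode uRPF makes the same Null0 route
! act on *source* addresses too. A tagged static for an attacking source
! then discards packets from it rather than sacrificing the victim.
interface GigabitEthernet0/1
 ip verify unicast source reachable-via any
```

Destination-based RTBH protects the infrastructure and the other customers, not the host being attacked, which is dropped everywhere in the AS for the duration; that is the trade-off Steve's point about non-customer bots is getting at, because source-based drops only work for sources you can enumerate.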
Stephen Wilcox wrote:
> Given that the fastest edge connections (outside of Peter Lothberg's bathroom) are 10Gb this traffic can easily be directed to take out multiple parts of a network's critical connectivity.
(removed annoying cc's)
Well I was actually hoping Mrs. Lothberg would be the next
MAE-Scandinavia backbone provider. Do the math (anyone):
// SNIP
“The number of unique, infected hosts (bots), from which the attack is
being launched by email, has also increased dramatically,” said Stewart.
“They went from 2,815 in the beginning of 2007 through the end of May to
a total of 1.7 million for the months of June and July.”
http://www.darkreading.com/document.asp?doc_id=130745
// END SNIP
Let's say it's exaggerated and say this botnet is 1/4 of this size:
425,000 hosts waiting for a C&C dumbarse to launch a command. Something
simple ping... 64bytes * 425,000 hosts = 25MB ... ping -s 128 or higher?
A GET|HEAD|POST|etc would kill my server before the majority of traffic
even eked its way through. Bad scenario ... Cause a flap between two
heavy peers (see Randy Bush's take on dampening/flapping). I could see
this become a problem no matter what you think you can throw at it.
Somewhere, someone down the line, will have something a bit
misconfigured/*oops I forgot to place tcp intercept here*/etc and will
cause some "could have been avoided if one woke up and smelled the
coffee" scenario which will cause a major outage. Poop happens when you
let it, why not open one's eyes now and be alert/aware of what's out
there and make sure solutions are in place before it's too late.
Then again, I wonder what outside of massive filtering on fwsm's can one
do in a situation like this. It's not like these are spoofed connections
which something like tcp intercept would be able to mitigate against.
RFC1918 filtering... Useless. Different story if there was filtering on
provider side that says "Hey gee... This botnet that's 1.7 million
strong is connecting on port xxxxx, let me take a pre-emptive strike and
monitor this"
+207.0 % Slammer variant as of yesterday... School is what, one, two weeks
away. Synonymous with all sorts of new improved crap... I can't for the
life of me figure out why some of the best engineers in the world who
are on this and other networking lists shrug these things off. Makes me
wonder who profits via bandwidth sales from this. Someone obviously will
irrespective of how rude, condescending it sounds.
Maybe I shouldn't have made a blanket statement considering the audience, my bad. My point was more that most attacks not specifically directed at the network gear itself, meaning packets traversing the network, can potentially be managed. Shutting down an interface if you can find where it enters your network, and maybe if there is a pattern that can be matched on and null routing that traffic, etc. Short of terrorism (disruption without any purpose other than disruption itself) most botnets were designed to accomplish something, usually that something isn't taking out the highway that earns them income. Maybe a target on the highway that causes them problems earning said income being knocked offline.
Stephen Wilcox wrote:
> sniff... mae-east. fond memories... now if ANYONE could
> launch anything from mae-east these days, I'd be really impressed.
> We could go stand on the roof of either 8100 Boone or 1919 Gallows and
> throw something off (maybe an old 7507). Would that count?
nope... terminal velocity is not what we are after here...
looking for more thrust
> I can't for the life of me figure out why some of the best
> engineers in the world who are on this and other networking
> lists shrug these things off.
What evidence do you have that some of the best engineers in the world
are on these lists?
My impression is that there are a lot of good engineers on these lists
with occasional flashes of excellence, but what they are best at is
communicating. After all, mailing lists are primarily about
communicating, not about engineering. The best engineers in the world
are elsewhere, busy engineering.
--Michael Dillon
Hmm... what hardware upgrades would make a 7507 rfc1925, section 2.3 compliant?
Unless they are not 'in' the network and hence can't be stopped internally and have the potential to overwhelm any external interface.. these cannot be mitigated without cooperation from other networks
Steve