Pakistan government orders ISP service level agreement

Pakistan has been suffering a 40-day DoS attack, disrupting most of the
International Internet service in the country.

The Pakistan Government, Minister for IT & Telecom, has "directed" the
Pakistan Telecommunications Corporation to sign service level agreements
to ensure 99% Internet availability.

Over 200 official (government?) websites have been inaccessible for over
three weeks.

http://www.paknews.com/main.php?id=5&date1=2003-05-05
  "Within a period of five days, the body has been assigned to formulate
  a concrete strategy to stem the incidence of DoS attacks.. The
  committee will work on urgent basis and suggest short-term measures
  within two days."

I suppose contacting upstreams for traceback and filtration isn't
something they want to do??

> The Pakistan Government, Minister for IT & Telecom, has "directed" the
> Pakistan Telecommunications Corporation to sign service level agreements
> to ensure 99% Internet availability.
>
> I suppose contacting upstreams for traceback and filtration isn't
> something they want to do??

Progress though.. with only a 99% SLA they'll shift from a 40-day outage
to only a 4-day outage...

Eric :)

Wasn't clear to me whether their DoS problems were from within or from outside. If from outside, they certainly SHOULD think about asking for help from their upstream(s).

I may not be on the correct lists to hear about the local Pakistan ISP
scene, but I didn't find much technical information about what was
happening.

The attacks APPEAR to be originating from India and a virus called YAHA
which targets certain Pakistan government web sites, .PK top-level domain
name servers and the primary Internet exchange in Pakistan. Most of the
Pakistan Internet traffic is funneled through a single exchange point and
official provider PTCL. Good for intelligence agencies, bad for
reliability and DDOS survivability.

YAHA variants have been circulating since last June. The infected
computers are inside and outside of Pakistan, and continuing to increase.

So you need to solve
   1. Viruses
   2. Spam
   3. DDOS

I suppose you could renumber/rename Pakistan. But when the next
variant of Yaha was released, it would probably just include the
updated information.

One of the government ministers suggested moving some of the official
sites to the colocation in the US. It might help in the short term, since
the US has excess bandwidth and can absorb the attacks longer.

Two (of three) of the PK servers are in the US (in AS701). If the attacks were happening due to some generally-distributed windows worm, and were targeting the PK servers with any degree of ferocity, you'd think this would be more than just a South Asian problem.

It's possible, of course, that the extremely different scales of infrastructure deployment in South Asia compared with the 701 backbone could cause the same attack traffic to be highly disruptive to the former, and yet barely noticeable by the latter.

Joe

Another example of how lack of splay allows DDOS to devastate a network.
Paul Vixie's presentation on anycast F root server provided good points
about splay. They need more peer points and sites, not a move from point
A to point B.

Well, we can rest easy with the Paki Telecommunications Ministry on the
case. They'll have this whole DDOS thing wrapped up in no time.

right? :)

- Dan

"Joseph T. Klein" <jtk@titania.net> writes:

> Another example of how lack of splay allows DDOS to devastate a network.

Give it up on the splay argument please. Maybe in poorly engineered
networks you need a high splay factor (high being user defined).

The point is all moot, considering how easy it is to make a router
go explody today. High splay or not, it isn't going to do jack
when your boxes crash.

/vijay

Daniel Golding <dgold@FDFNet.Net> writes:

> Well, we can rest easy with the Paki Telecommunications Ministry on the
> case. They'll have this whole DDOS thing wrapped up in no time.

Using paki to represent Pakistan is considered a pejorative.

/vijay

Looky here, it is a good enough term for our beloved Bush of
Mesopotamia, I don't see why it's not good enough for Mr. Golding.

We look to Our President for guidance in these matters...isn't
that what Presidents are for?

My apologies to those I offended - using this term was laziness rather
than deliberate insensitivity. Thanks to those who have pointed this out
off-list as well.

- Dan

The Pakistan Telecommunications Company Ltd has acquired a firewall to
solve the DDOS situation impacting Internet service in the country. An
unnamed security advisor asserted the proper use of a firewall would
control the DDOS attacks and prevent hacking.

I can understand the Pakistan government minister's frustration, and
desire to get things fixed. Unfortunately, it seems like security
incidents also attract security snake oil consultants. Buy my tonic
to cure your ills.

> The Pakistan Telecommunications Company Ltd has acquired a firewall to
> solve the DDOS situation impacting Internet service in the country. An
> unnamed security advisor asserted the proper use of a firewall would
> control the DDOS attacks and prevent hacking.

wow, unbelievable :(

> I can understand the Pakistan government minister's frustration, and
> desire to get things fixed. Unfortunately, it seems like security
> incidents also attract security snake oil consultants. Buy my tonic
> to cure your ills.

No research, quick-fix :( which of course will not fix anything :( ugh.

> Date: Tue, 6 May 2003 19:28:48 -0400 (EDT)
> From: Sean Donelan
>
> The Pakistan Telecommunications Company Ltd has acquired a
> firewall to solve the DDOS situation impacting Internet
> service in the country. An unnamed security advisor asserted
> the proper use of a firewall would control the DDOS attacks
> and prevent hacking.

Now the DDoS melts the pipes _and_ the firewall. I'd like to
know if said "consultant" ever considered recommending the PTC
contact their upstreams for help with backtrace/blocking. Anyone
with a modicum of clue (or Google access) should figure out that
one...

Eddy

Hi, NANOGers.

] Now the DDoS melts the pipes _and_ the firewall.

Bonus prize: A DDoS that wouldn't fill the pipe melts the firewall.
On the bright side the firewall will likely fail long before the
attack causes any noticeable pain to the components it is in place
to protect. :|

<http://www.kb.cert.org/vuls/id/539363>
<http://www.qorbit.net/documents/maximizing-firewall-availability.pdf>
<http://www.cymru.com/SteveGill/maximizing-firewall-availability.pdf>

Been there, somewhat survived that,
Rob.

> Date: Tue, 6 May 2003 19:28:48 -0400 (EDT)
> From: Sean Donelan

> The Pakistan Telecommunications Company Ltd has acquired a
> firewall to solve the DDOS situation impacting Internet
> service in the country. An unnamed security advisor asserted
> the proper use of a firewall would control the DDOS attacks
> and prevent hacking.

> Now the DDoS melts the pipes _and_ the firewall. I'd like to
> know if said "consultant" ever considered recommending the PTC
> contact their upstreams for help with backtrace/blocking. Anyone
> with a modicum of clue (or Google access) should figure out that
> one...

Not every upstream is as clueful as Uunet, and not every noc employee is as
clueful as Chris and Brian at UUnet.

It has been my experience that most upstreams have no concept that they CAN
backtrace, and generally have no interest in helping you do it. I'm not
mudslinging here, so I won't say who my experience is with, but a few
transitless/near transitless upstreams I've dealt with were most unhelpful,
either because they didn't know how to help, or worse, they did know how to
help and didn't care.

And, depending on the nature of the DDoS attack, perhaps it isn't related to
saturation, but rather to overloading router processors, or something else
that can effectively be filtered customer-side?

Our policy as of late has just been to make sure we have equipment on our
side fast enough to filter at wire speed, and get enough capacity to our
upstreams that it is significantly unlikely that anyone could generate
enough traffic to saturate it (in which case, we would have no choice but to
ask carriers to filter, and backtrace).

--Phil
ISPrime

Unless you actually call UUnet and you're not a customer; God help you then.

Some companies are very very good at dealing with DDOS, Internap being one
and UUNET if you are a customer another. Even a post here although maybe
not exactly proper will get you responses from people like Chris and so on
who can and will be helpful.

I don't know why people keep saying that. I've spoken to UUnet many times on security issues, sometimes as a customer, sometimes not, and every time I've gotten exactly the response I wanted and support above and beyond what I needed.

Hell, I even got a lot of support when it was "my friend over here claims to be under attack".

Am I lucky, or are others just repeating what they want to hear?

Hi, John.

] Am I lucky, or are others just repeating what they want to hear?

Nope, it's not luck. UUNET has always been extremely responsive when
I've called them. I've called them countless times, and I think only
one time was as an official customer. :)

Thanks,
Rob.