RE: DDoS attacks

> From: up@3.am [mailto:up@3.am]
> Sent: Thursday, July 12, 2001 7:23 AM
>
> I can't help but believe that if even 20% of them
> were caught and had to spend just a little time (even hours) with the
> cops, and had their peecees confiscated, you'd not be seeing
> nearly the problems we are now.

This is the main point: a script-kiddie hunt, with prosecution, is the ONLY
real deterrent. Throw some of them in hotel greybar and remove them from
computing, for life, and we may see some of this turn around.

If a lady wears skimpy clothing, does she deserve to get raped? Obviously
not. If a computer has skimpy protection, does it deserve to be turned into
a zombie? Simply because you forget to lock your car one night (whilst in
your driveway), do you deserve to have it stolen? If you leave $100 on
your kitchen table, in your unlocked house, whilst you are working in your
garage, do I have the right to sneak in the back door and take it while
avoiding prosecution, on the grounds that you were careless? WRT EFFnet,
does a prostitute deserve to be raped?

There are certain reasonable presumptions, like safety, that our society
affords us. Script kiddies violate those, as do the slime-bags that argue for
their good. How much of our budgets has gone to protecting ourselves from
those rodents? How much revenue has been lost because of their activity?
They are the rats of the Internet and bring disease with them wherever they
go. Their population is growing to plague proportions and they are getting
bolder. It's long past time to poison the lot of them, including their
supporters.

Personally, I feel that the crud that writes and releases their code for
them should be lobotomized. Regardless of their disclaimers, they are NOT
doing a public good.

> From: up@3.am [mailto:up@3.am]
> Sent: Thursday, July 12, 2001 7:23 AM

> I can't help but believe that if even 20% of them
> were caught and had to spend just a little time (even hours) with the
> cops, and had their peecees confiscated, you'd not be seeing
> nearly the problems we are now.

> This is the main point: a script-kiddie hunt, with prosecution, is the ONLY
> real deterrent. Throw some of them in hotel greybar and remove them from
> computing, for life, and we may see some of this turn around.

I am just concerned about our current legal systems being
able to handle such cases efficiently. Well.. Perhaps I
should not use 'legal systems' and 'efficiently' in the same
sentence, but you get the idea :wink:
Think SPAM here. It has been discussed in the past, and I
have a few users who have been victims of SPAM-zombies (or
the like). This is not too much different. I got abuse
reports from several different sources about SPAM
originating from a customer of ours who has been with us for
four years, so I questioned stuff. Turns out they had a
similar zombie designed to SPAM. Their fault? No. Should
I have placed filters on their IP? Yes. It was a choice to
deny one person service for a short time, till the problem
was corrected, or to have the rest of the internet community
suffer. Also- dealing with attackers from other countries
(and taking them to court) can be a serious and costly
issue.

> If a lady wears skimpy clothing, does she deserve to get raped? Obviously
> not. If a computer has skimpy protection, does it deserve to be turned into
> a zombie? Simply because you forget to lock your car one night (whilst in
> your driveway), do you deserve to have it stolen? If you leave $100 on
> your kitchen table, in your unlocked house, whilst you are working in your
> garage, do I have the right to sneak in the back door and take it while
> avoiding prosecution, on the grounds that you were careless? WRT EFFnet,
> does a prostitute deserve to be raped?

Agreed. They do not deserve it. However, by the time their
machine(s) are compromised, the damage has been done.

> There are certain reasonable presumptions, like safety, that our society
> affords us. Script kiddies violate those, as do the slime-bags that argue for
> their good. How much of our budgets has gone to protecting ourselves from
> those rodents? How much revenue has been lost because of their activity?
> They are the rats of the Internet and bring disease with them wherever they
> go. Their population is growing to plague proportions and they are getting
> bolder. It's long past time to poison the lot of them, including their
> supporters.

I wish I had the $$ to take them all to court (even some of
them in other countries).

> Personally, I feel that the crud that writes and releases their code for
> them should be lobotomized. Regardless of their disclaimers, they are NOT
> doing a public good.

In a perfect world, we would not need
hardened-steel-reinforced safes for our money and 128-bit
SSL encryption to make online orders. All of our efforts
and attempts to bring order to a chaotic society will be
tested again and again by members of that society. So-
while I agree with your intentions- staying ahead of the
game is probably the most efficient way to 'win'. Hence
BugTraq and the like. Sure- posting code to bugtraq which
gives remote root access to 10% of DNS servers on the planet
also puts that code in the hands of individuals who do not
deserve it. However, and even better yet, it puts it in the
hands of those who need it most.

By the way, for those who care, there are relatively easy ways to fight DoS attacks:
* use netflow and a bunch of scripts to detect them automatically
* use BGP to block them on all your border routers instantly, based on destination
* use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to

With a combination of all that, you can automatically block any major attack at your border.

Is it scalable? Yes.

What about false alarms? We have implemented the detection bit.
With a bit of tuning, we get 0.1% of false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s (up to 10000s pkts/s).
I wouldn't be surprised if Tier 1 networks would catch many more attacks than that, with the same tool.

My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS attacks be a thing of the past.
"Kiddies only do it because they can".

DH.
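DH's three steps (NetFlow-based detection, a destination blackhole pushed to the border routers, and a source-based block via uRPF) written out as an added example; this is not code from the thread or from DH. The flow records are constructed, the 500 pkt/s threshold is the figure from the post, and the `min_sources` filter, the Cisco-style route syntax and the discard next-hop address are assumptions.

```python
"""Flow-based DoS detection feeding a destination blackhole (added example).

Aggregates NetFlow-style records per destination over one export window,
flags destinations above a packets-per-second threshold, and emits the
router statements that implement the block.  Flow records, the min_sources
filter, the route syntax and the discard next-hop are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source address as exported by the collector
    dst: str       # destination address
    packets: int   # packet count of the flow within the window


@dataclass(frozen=True)
class Alert:
    dst: str
    pps: float     # average packets per second toward dst over the window
    sources: int   # number of distinct sources seen


# Constructed sample (RFC 5737 documentation prefixes): normal traffic to
# 203.0.113.5 plus a flood of 20 flows from 20 sources toward 203.0.113.10.
# The collector is assumed to export one bucket per WINDOW_SECONDS.
WINDOW_SECONDS = 10.0
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.5", 40),
    Flow("198.51.100.9", "203.0.113.5", 30),
    Flow("198.51.100.12", "203.0.113.5", 20),
] + [Flow(f"192.0.2.{i}", "203.0.113.10", 500) for i in range(1, 21)]


def aggregate(flows):
    """Sum packets and collect distinct sources per destination."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        packets[f.dst] += f.packets
        sources[f.dst].add(f.src)
    return packets, sources


def detect(flows, window_seconds=WINDOW_SECONDS, pps_threshold=500, min_sources=2):
    """Return alerts for destinations above pps_threshold, highest rate first.

    min_sources is a cheap false-alarm filter (assumption): one busy
    legitimate client talking to a host is not treated as an attack.
    """
    packets, sources = aggregate(flows)
    alerts = []
    for dst, count in packets.items():
        pps = count / window_seconds
        if pps > pps_threshold and len(sources[dst]) >= min_sources:
            alerts.append(Alert(dst, pps, len(sources[dst])))
    return sorted(alerts, key=lambda a: a.pps, reverse=True)


def destination_blackhole(dst):
    """Static route to Null0 for the victim address (assumed Cisco-style syntax).

    Tagged so a route-map can redistribute it into iBGP with a blackhole
    community, which is how every border router learns the drop at once.
    """
    return [f"ip route {dst} 255.255.255.255 Null0 tag 666"]


def source_blackhole(src, discard_next_hop="192.0.2.254"):
    """Source-based drop for use with loose-mode uRPF on border interfaces.

    The offending source is routed to a next-hop that is itself routed to
    Null0; with 'ip verify unicast source reachable-via any' on the edge,
    packets *from* src fail the reverse-path check and are discarded.
    """
    return [
        f"ip route {discard_next_hop} 255.255.255.255 Null0",
        f"ip route {src} 255.255.255.255 {discard_next_hop}",
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(f"{alert.dst}: {alert.pps:.0f} pkt/s from {alert.sources} sources")
        for line in destination_blackhole(alert.dst):
            print("  ", line)
```

On the sample, only 203.0.113.10 trips the detector (1000 pkt/s from 20 sources); the host receiving 9 pkt/s does not. The destination blackhole is the cheap, safe action: it sacrifices the victim address to keep the rest of the network up. The source-based route is the sharper tool and the one to gate behind an operator, since it drops everything from that source everywhere the route is carried.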

>This is the main point: a script-kiddie hunt, with prosecution, is the ONLY
>real deterrent. Throw some of them in hotel greybar and remove them from
>computing, for life, and we may see some of this turn around.
>
>If a lady wears skimpy clothing, does she deserve to get raped? Obviously
>not. If a computer has skimpy protection, does it deserve to be turned into
>a zombie? Simply because you forget to lock your car one night (whilst in
>your driveway), do you deserve to have it stolen? If you leave $100 on
>your kitchen table, in your unlocked house, whilst you are working in your
>garage, do I have the right to sneak in the back door and take it while
>avoiding prosecution, on the grounds that you were careless? WRT EFFnet,
>does a prostitute deserve to be raped?

> By the way, for those who care, there are relatively easy ways to fight DoS attacks:
> * use netflow and a bunch of scripts to detect them automatically
> * use BGP to block them on all your border routers instantly, based on destination
> * use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to
>
> With a combination of all that, you can automatically block any major attack at your border.

Sorry- but after doing all of that, DDoS attacks still
saturate even the largest circuits- thus denying the
service.

> Is it scalable? Yes.

Until the CPU overhead from netflow knocks out the
router(s) from a mass-attack.

> One important notice - most of these kiddies are not from the USA.

That's obviously a big issue, but not unaddressable...most countries have
laws against this sort of thing. At some point, somebody's going to deal
with an unresponsive government by blackholing entire regions...certain
APNIC blocks come to mind. Any network where DDoS perpetrators can
operate with impunity will eventually be considered too dangerous to NOT
blackhole.

We haven't arrived at that point yet because A) DDoS attacks haven't
gotten so out of hand that it's stopping big businesses in their tracks
continuously (but it may, soon) and B) At this point, NONE of the
governments (including the US) are sufficiently responsive to the point
where any particular region could be blackholed (but this will change as
point A changes) to any effect.

Speaking of DDOS attacks, there seems to be one going
on associated with the NANOG list. I was wondering if
anyone could offer insight.

At my work address, I have received the same email
from NANOG about every 10 - 15 minutes. I have
received hundreds of copies of this email. Yet at
this address I do not receive the repeated copies (and
no one else on the list appears to have complained).
If I look at the header of the email, the last hop, if
I am reading it correctly, is named
"zombie.la.interpacket.net" by
mrbig.la.interpacket.net. I have since unsubscribed
from NANOG from my work address yet still receive the
emails. Also, this has been going on for over a week
(since a rule filters all my nanog email into a
folder, it has not bothered me too much) - every few
days, the email that I am repeatedly hit with changes.
Currently, the email I am being hit with is "OT: The
End of Empire."

Below I have pasted the header of the email

I would be curious to hear people's thoughts about
this. Is this a type of a DDOS? Anyone familiar
with it?

-B

Received: from XXXX
  ([165.135.0.253])
  by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001
16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap
(V5.5)
  id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix)
  id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid
56)
  id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Delivered-To: nanog@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu
[198.108.1.41])
  by trapdoor.merit.edu (Postfix) with ESMTP id
83A3791231
  for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001
14:35:29 -0400 (EDT)
Received: by segue.merit.edu (Postfix)
  id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
Delivered-To: nanog@merit.edu
Received: from bond.interpacket.net
(us-la-gate.interpacket.net [209.198.223.250])
  by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8
  for <nanog@merit.edu>; Tue, 10 Jul 2001 14:36:57
-0400 (EDT)
Received: (qmail 31855 invoked from network); 10 Jul
2001 18:35:43 -0000
Received: from mrbig.la.interpacket.net (192.168.6.5)
  by bond.la.interpacket.net with SMTP; 10 Jul 2001
18:35:42 -0000
Received: from [192.168.4.53]
(zombie.la.interpacket.net [192.168.4.53]) by
mrbig.la.interpacket.net with SMTP (Microsoft Exchange
Internet Mail Service Version 5.5.2653.13)
  id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
Mime-Version: 1.0
X-Sender: mikey@popmail.la.interpacket.net
Message-Id: <a05010406b770fb74762d@[192.168.4.53]>

[deleted]
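A way to read the pasted header mechanically, as an added example that is not code from the post or from the list: unfold the header the way the mail client wrapped it, list the Received: hops oldest-first, and find the largest positive delay between consecutive hops, which is where a repeatedly redelivered message is being re-injected. `SAMPLE_HEADER` is the header above with the poster's XXXX redactions kept and only the Received: lines retained; the regexes and the gap heuristic are assumptions.

```python
# Added example, not code from the thread: walk the Received: chain of the
# header pasted above (Received: lines only, XXXX redactions left in place).
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

SAMPLE_HEADER = """\
Received: from XXXX
  ([165.135.0.253])
  by XXXX; Thu, 12 Jul 2001 16:01:40 -0400
Received: by XXXX; id QAA14070; Thu, 12 Jul 2001
16:01:38 -0400 (EDT)
Received: from unknown(198.108.1.26) by XXXX via smap
(V5.5)
  id xmaa13982; Thu, 12 Jul 01 16:00:42 -0400
Received: by trapdoor.merit.edu (Postfix)
  id BB70F91231; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Received: by trapdoor.merit.edu (Postfix, from userid
56)
  id 896EB91251; Tue, 10 Jul 2001 14:35:31 -0400 (EDT)
Received: from segue.merit.edu (segue.merit.edu
[198.108.1.41])
  by trapdoor.merit.edu (Postfix) with ESMTP id
83A3791231
  for <nanog@trapdoor.merit.edu>; Tue, 10 Jul 2001
14:35:29 -0400 (EDT)
Received: by segue.merit.edu (Postfix)
  id 79E335DE1A; Tue, 10 Jul 2001 14:36:58 -0400 (EDT)
Received: from bond.interpacket.net
(us-la-gate.interpacket.net [209.198.223.250])
  by segue.merit.edu (Postfix) with SMTP id ECF9A5DDD8
  for <nanog@merit.edu>; Tue, 10 Jul 2001 14:36:57
-0400 (EDT)
Received: (qmail 31855 invoked from network); 10 Jul
2001 18:35:43 -0000
Received: from mrbig.la.interpacket.net (192.168.6.5)
  by bond.la.interpacket.net with SMTP; 10 Jul 2001
18:35:42 -0000
Received: from [192.168.4.53]
(zombie.la.interpacket.net [192.168.4.53]) by
mrbig.la.interpacket.net with SMTP (Microsoft Exchange
Internet Mail Service Version 5.5.2653.13)
  id N6TNP8LB; Tue, 10 Jul 2001 11:39:32 -0700
"""

_FIELD_START = re.compile(r"^[A-Za-z][\w-]*:\s")

def unfold(text):
    """Re-join wrapped lines: a new field starts only where 'Name: ' does."""
    fields = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if _FIELD_START.match(line) or not fields:
            fields.append(line.strip())
        else:
            fields[-1] += " " + line.strip()
    return fields

def parse_received(value):
    """Extract from-host, its comment, by-host and timestamp from one value."""
    body, _, stamp = value.rpartition(";") if ";" in value else (value, "", "")
    hop = {"from": None, "from_comment": None, "by": None, "date": None}
    m = re.match(r"\s*from\s+([^\s;(]+)(?:\s*\(([^)]*)\))?", body)
    if m:
        hop["from"], hop["from_comment"] = m.group(1), m.group(2)
    m = re.search(r"\bby\s+([^\s;]+)", body)
    if m:
        hop["by"] = m.group(1)
    try:
        dt = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):  # empty or unparsable stamp
        dt = None
    # "-0000" means UTC with unknown local zone; Python returns it naive, so
    # pin it to UTC or the subtraction below would mix aware and naive values.
    if dt is not None and dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    hop["date"] = dt
    return hop

def received_chain(header_text):
    """Hops oldest-first (each relay prepends its stamp, so reverse the order)."""
    hops = [parse_received(f[len("Received:"):])
            for f in unfold(header_text) if f.startswith("Received:")]
    return hops[::-1]

def largest_gap(chain):
    """(seconds, index) of the biggest positive delay between dated hops.

    Negative deltas are clock skew between relays and are ignored.
    """
    best, prev = (0, -1), None
    for i, hop in enumerate(chain):
        if hop["date"] is None:
            continue
        if prev is not None:
            delta = int((hop["date"] - prev).total_seconds())
            if delta > best[0]:
                best = (delta, i)
        prev = hop["date"]
    return best
```

Run on this header, the oldest hop is the one the poster spotted (`zombie.la.interpacket.net` handing to `mrbig.la.interpacket.net`), and the merit.edu relays are all within a couple of minutes of each other on 10 Jul. The two-day gap sits between trapdoor.merit.edu and the redacted `XXXX` hop, so whatever is redelivering the copies on 12 Jul is doing so after the list server last touched the message. The first hop's Exchange clock also reads about four minutes ahead of the next relay, which is why the gap function ignores negative deltas.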

> One important notice - most of these kiddies are not from the USA.

How exactly did you get to this conclusion ??

The smarter script kiddies can crack systems in a few countries and use a
few hops to get to the place where they installed the zombie master,
for example:

<cracker> -> <Romania> -> <China> -> <Poland (DDoS master)>

Good luck to you tracing the attack to the cracker :wink:

- Rafi

It is not perfect, but it does help.

Of course there are those who take the approach "it is not a perfect
solution so we will not bother filtering anything at all".

-Dan

> Sorry- but after doing all of that, DDoS attacks still
> saturate even the largest circuits- thus denying the
> service.

> It is not perfect, but it does help.
>
> Of course there are those who take the approach "it is not a perfect
> solution so we will not bother filtering anything at all".

Well- I have a little experience with this, and from that
experience I have noticed that DDoS attacks can often
saturate the circuits to the point of BGP failure. Of
course- null-routing the target address does help with the
CPU overhead a little.. However the service is effectively
shut off by that point anyway.

// First of all, please: I use the word Russia only because it reflects a lot of other
countries such as Eastern Europe, Israel, Latin America, etc., which have educated
people but do not have this idiosyncrasy about law and order... Don't write about
_terrible Russian hackers damaging the whole world_; I saw such hackers in
American movies only...

First of all, people here (in the USA) respect the law; people in other countries do
not. How often do you drive 100 mph? (Sorry, you are in Italy? I suspect your
answer will be _yes, every day_. But if you were from the USA, you would (maybe) never
reach this speed because you respect the law...

For comparison, in Russia (where there are few high-quality roads) people do it
every day; they drive as fast as they can, not as it is posted... They never
think about _the law_; they are led by their own brains. So do the
kiddies.

But that's _common philosophy_. On the other hand, I had 2 years of experience
working (part time; I was head of a NOC) as a RU-CERT expert, tracing hackers and
prosecuting them. We revealed 2 generations of our own _script kiddies_, traced a
lot of different IRCs, maintained a few honeypots, etc. Results? We saw
a lot of different hackers, virtual or real ones, but we never saw any hacker
from the USA.

After I came here and began to work here, I understood _why_ we saw such a strange
picture... Kiddies here _have something to lose_: they have their education,
their loans, their future plans. Kiddies in other countries have much more spare
time, have nothing to lose, and are not obligated to buy software (any software is
FREE, do you know it? You don't think so? You can go to ANY computer market in
any country outside the USA and Western Europe, and you'll find ANY software at the price
of $5/600 MB... So, if some kiddie wants to install MSVC, he needs only $1, less than
his lunch).

I don't have good statistics. Today I saw a few articles about _honeypots_ and
_honeynets_, and I suspect these guys can collect some useful statistics. My
impression was: _guys in the USA write something but do not use it for wide
intrusion; kiddies in Russia, Israel, Korea, etc. use this software to collect
exploits, roots, accounts, credit cards all over the world_... It is mostly games, but
sometimes it becomes dangerous.

IRC is another thing... It was, it is, and it will be some kind of natural _honeypot_
for the hackers. So use it, don't fight it -:).

The main problem with these kiddies is not _law_. It is _communication between ISPs_
and _their ability to trace something_.

In theory, any attack can be traced to its origins. What you need is a lot of time,
good IP accounting, a few filters; then you need to find
zombied computers and install your own trojans to trace back the hackers who use these
zombies. It is easy to do in such a country as Russia: I could always call my
colleagues at another ISP, ask them something, ask a computer owner to allow me to
install my own software on his zombied system, etc. When these traces led
us out to Europe, everything became slower but _yet_ possible (it was 2 or 3
years ago). When traces came into the USA, you were stuck with an 800 number:
_Enter your account number / all our representatives are busy / brainless first-level
support engineers and inability to find someone skilled / privacy
concerns_, etc....

I can give a very good example here. A lot of kiddies used 'ftp.technotronic.com'
as a store for the trojan packages. If someone investigated the logs of this ftp and
looked at _where (I mean IP addresses) linux trojan kit 3 (for example)_ was
downloaded to, he definitely had a chance to find approximately 100 - 200 zombied
systems over the world (because every time _these particular hackers_ broke into
some linux, they downloaded lrk3, sniffers and other tools directly from this ftp
server). If someone installed his own trojan into the pre-built sniffers, they
could have had a chance to receive a notification about broken and sniffed systems
over the world. Etc. Guess whether we could ever find any person from
ftp.technotronic.com? Of course, we could not...

Just the same thing happened with Exodus and the home pages hackers keep on it: no
chance at all of being understood... We never asked them to give us this information; we asked
only that they collect it and investigate it (and we never dreamed the FBI could participate and
help).

Talking about _law_: I know Russian law; it's not a problem to prosecute a hacker if
you have evidence. And you don't even need a lot of it. In my understanding,
it's more a communication problem, not a legislation one and not a technical one...

Alex Roudnev.
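The log-driven victim hunt Alex describes (pull the transfer log of the server the kits were fetched from and list which addresses downloaded a given kit, so their owners can be notified), as an added example that is not code from the post: it parses wu-ftpd style xferlog lines and keeps only completed outbound transfers of files matching a pattern. The log lines, hosts and filenames below are constructed; the field layout is wu-ftpd's, and the pattern argument is an assumption.

```python
"""Which hosts fetched a given file, from a wu-ftpd style xferlog (added example).

xferlog has one whitespace-separated line per transfer:
  <weekday> <month> <day> <hh:mm:ss> <year> <xfer-secs> <remote-host> <bytes>
  <filename> <type> <special> <direction> <access-mode> <user> <service>
  <auth-method> <auth-user> <completion>
direction 'o' is outgoing (a download); completion 'c' is a finished transfer.
The log lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
import re

SAMPLE_XFERLOG = """\
Mon Jul  9 22:14:05 2001 4 203.0.113.17 412331 /pub/lrk3.tar.gz b _ o a anon@ ftp 0 * c
Mon Jul  9 22:20:51 2001 2 198.51.100.40 9812 /pub/README b _ o a anon@ ftp 0 * c
Tue Jul 10 03:01:12 2001 6 203.0.113.91 412331 /pub/lrk3.tar.gz b _ o a anon@ ftp 0 * c
Tue Jul 10 03:02:44 2001 1 203.0.113.91 412331 /pub/lrk3.tar.gz b _ o a anon@ ftp 0 * i
Tue Jul 10 11:48:09 2001 5 192.0.2.8 412331 /pub/lrk3.tar.gz b _ o a anon@ ftp 0 * c
Tue Jul 10 11:49:30 2001 5 192.0.2.8 73210 /incoming/sniff.tgz b _ i a anon@ ftp 0 * c
garbage line that does not parse
"""


def parse_xferlog(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        p = line.split()
        if len(p) < 18:
            continue
        try:
            when = datetime.strptime(" ".join(p[0:5]), "%a %b %d %H:%M:%S %Y")
            size = int(p[7])
        except ValueError:
            continue
        yield {"when": when, "host": p[6], "bytes": size, "file": p[8],
               "direction": p[11], "complete": p[-1] == "c"}


def downloaders(text, file_pattern):
    """Map remote host -> sorted times of completed downloads matching file_pattern."""
    rx = re.compile(file_pattern)
    hits = defaultdict(list)
    for rec in parse_xferlog(text):
        if rec["direction"] == "o" and rec["complete"] and rx.search(rec["file"]):
            hits[rec["host"]].append(rec["when"])
    return {host: sorted(times) for host, times in hits.items()}


def notification_list(text, file_pattern):
    """(host, first_download) pairs, earliest first: the order to contact owners."""
    return sorted((h, t[0]) for h, t in downloaders(text, file_pattern).items())


if __name__ == "__main__":
    for host, first in notification_list(SAMPLE_XFERLOG, r"lrk3"):
        print(f"{host:16} first fetched the kit at {first:%Y-%m-%d %H:%M:%S}")
```

Incomplete transfers (`i`) and uploads (`i` in the direction field) are excluded on purpose: an aborted download tells you little, and the upload of a sniffer into `/incoming` is a different lead (who is stocking the server) that belongs in its own report. Hosts on the list are probable victims, not suspects, which is the point of Alex's paragraph.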