North American Network Operators Group

RE: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Havard.Eidnes
  • Date: Wed Feb 09 06:10:21 2000

>  CERT suggests (http://www.cert.org/incident_notes/IN-99-07.html)
>
> Prevent installation of distributed attack tools on your systems
> Prevent origination of IP packets with spoofed source addresses
> Monitor your network for signatures of distributed attack tools

Those sound like good things to do.  Others have pointed to RFC 2267
which is somewhat the same.  However, it doesn't seem that we're
doing all that well on actually following up those suggestions?  As
if that isn't enough, may I also draw your collective attention to

   draft-ietf-grip-isp-expectations-03.txt

How are we collectively doing on following up on those points?

During this discussion I've seen some claim that the recent attacks
were not being carried out using spoofed source IP addresses.  That
may be so, but still is not a valid argument for not protecting the
network from source address spoofing and the effects thereof.

>  Should we as network operators be taking a pro-active role to
> police our users for DDOS running boxen?

Sounds like a good idea.  However, is it a sufficiently good idea so
that a sufficient number of people actually find the time to do
something about it?

> It seems to me that educating end-users is the problem here, just
> as educating people to use 'no ip directed-broadcast' was back in
> 1997.

Well, according to the list on

        http://www.powertech.no/smurf/

we're not done on that front by a long shot:

        114951 networks have been probed with the SAR
         19589 of them are currently broken
         14682 have been fixed after being listed here

May I suggest that we all get off our collective butts and do
something about these items?  Even by going so far as to proactively
probe our customer networks and/or extracting info from the list
available from the above site?

Or are we once again going to hear the knee-jerk and IMHO
irresponsible reaction from some ISPs (no, I don't have any
particular one in mind -- you know who you are) that essentially says
"more packets on our networks means more business for us"?  Another
common claim seems to be "this is none of our business".  IMHO that
is not a very responsible reaction either...


Best regards,

- Håvard
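
Added example, not part of the original message: an offline audit in the spirit of the RFC 2267 and CERT suggestion quoted above, flagging flow records whose source address lies outside the prefixes assigned to the customer-facing interface they arrived on. The interface names, the record layout and all addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data. Interface names are hypothetical; addresses are
# documentation ranges. Each customer-facing interface lists its assigned prefixes.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed flow records: (ingress interface, source address, destination).
FLOWS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),
    ("cust-a", "192.0.2.200", "203.0.113.5"),        # outside the assigned /25
    ("cust-a", "2001:db8:a:1::7", "2001:db8:ffff::1"),
    ("cust-b", "10.1.2.3", "203.0.113.5"),           # private source address
    ("cust-b", "198.51.100.77", "203.0.113.5"),
    ("cust-b", "not-an-address", "203.0.113.5"),     # malformed record
    ("cust-c", "198.51.100.1", "203.0.113.5"),       # interface with no prefixes
]


def build_table(assigned):
    """Parse prefix strings once; strict=True rejects prefixes with host bits set."""
    return {ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for ifname, prefixes in assigned.items()}


def source_is_valid(table, ifname, src):
    """True only if src parses and lies inside a prefix assigned to ifname."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # Unknown interfaces have no prefixes, so every source on them fails closed.
    return any(addr.version == net.version and addr in net
               for net in table.get(ifname, ()))


def audit(assigned, flows):
    """Return (violating flows, per-interface violation counts)."""
    table = build_table(assigned)
    bad = [f for f in flows if not source_is_valid(table, f[0], f[1])]
    return bad, Counter(f[0] for f in bad)


if __name__ == "__main__":
    violations, per_interface = audit(ASSIGNED, FLOWS)
    for ifname, src, dst in violations:
        print(f"{ifname}: source {src} -> {dst} is outside the assigned prefixes")
    print(dict(per_interface))
```

The per-interface counts show which customer edges still lack a source-address filter.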