North American Network Operators Group
Re: Another DNS blacklist is taken down
On Mon, Sep 29, 2003 at 01:11:08PM -0400, Dan Armstrong wrote:
>
> Jared Mauch wrote:
> >
> > On Mon, Sep 29, 2003 at 09:51:08AM -0700, Mike Batchelor wrote:
> > > --On Wednesday, September 24, 2003 1:18 PM -0500 Justin Shore
> > > <firstname.lastname@example.org> wrote:
> > > >On Wed, 24 Sep 2003, Joel Perez wrote:
> > > >
> > > >>So back to my ACL's I go!
> > > >
> > > >This is one of the most likely things to happen. DNS RBLs are effective.
> > > > Otherwise spammers wouldn't be targeting them for abuse.
> > >
> > > What evidence is there that spammers are the ones doing the DDoS?
> >
> > There is likely some conjecture here, but aside from the DNS RBLs
> > that cause collateral damage (ie: blacklisting large chunks
> > of address space to cause behaviour change) who has something to gain
> > from these dnsbl's going down?
>
> Isn't that collateral damage issue enough to have angered hundreds of ISPs
> & end users to the point of not necessarily organizing a DDoS, but ignoring
> it? I think it is far _more_ likely that the DDoS came from the innocent
> victims fighting back rather than the spammers.

Presently I beg to differ. (I do encourage you to prove me wrong :)

A lot of small-time people have created their own dnsbl's after MAPS(tm) closed down public access to their system, and there have been a lot of these smaller lists that could handle the query-load of people that wanted to use them without problems, but once they were hit with medium to large sized DoS attacks have decided that it's not worth the effort.

I am waiting to see what happens if people move against those that are doing this as part of their business model, such as MAPS, spamcop, etc.. These people will be quite happy to call and get some of the law enforcement people to actually move as it does pose a legitimate threat to their entire cash flow and business model.
They will also be able to easily go to the media instead of some small time people that run the list on machines in their basements or shared-colo environments. Their providers just don't want to deal with the headache, similar to how some IRC networks have been fighting to stay alive as well.

The problem here is end-to-end accountability. It all relates back to the constant issue of patching your systems and being a good net.citizen with your upstreams, peers, etc.. Security incidents continue to be on the rise and unless people start to actually do something about them (which I know is difficult due to financial constraints that we face in the US currently at least) and are responsive at all hours to them, things aren't going to get any better.

We need the ability to trace back attacks over the course of an hour at most to be able to mitigate the risks that are posed, and filter out the true attacks from the "noise" that people generate who think because they're seeing p2p traffic to their machine they think they're being attacked..

I encourage people to start profiling their traffic. Not by looking at netflow or other data, but by quite simple heuristics. Look at your typical bitrate, and pps rates that you see on your internal and external (peering, upstream, exchange-point) links. Watch for any abnormal events, large bursts in either bps or pps. Do this not only on your routers but on any layer-2 switches you may have as well and you may be able to find attacks on your network or attacks sourced from your network/customers that would have not been otherwise noted. If you can find these and isolate the compromised machines sooner rather than later you will be helping the entire internet as a whole.

- Jared

-- 
Jared Mauch  | pgp key available via finger from email@example.com
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
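The bps/pps profiling heuristic described in the message above, as an added example that is not part of the original post or anything Jared Mauch published: cumulative interface counters (the shape SNMP ifHCInOctets/ifHCInUcastPkts give you) are turned into per-interval bit and packet rates, each interval is compared against the median of the preceding intervals, and a burst in either dimension is flagged. The sample counters, the 60-second polling interval, the window size and the 4x ratio are all constructed assumptions for the demonstration; real links need thresholds tuned to their own baseline.

```python
"""Flag abnormal bps/pps bursts on a link from cumulative interface counters.

Added example (not from the original post). The heuristic is the one the
message recommends: know your typical bitrate and packet rate, then watch
for large bursts in either. A median baseline is used so that one burst
does not inflate the baseline for the intervals that follow it.
"""
from statistics import median

# Constructed sample: (seconds since start, rx_bytes_total, rx_packets_total)
# for a hypothetical upstream link polled every 60 s. Counters are cumulative.
# Intervals 1-6 sit near 10 Mbit/s and 1500 pps (~830-byte packets).
# The interval ending at t=420 carries a 60000 pps burst of 64-byte packets;
# the interval ending at t=540 carries a 60 Mbit/s burst of 1500-byte packets.
SAMPLES = [
    (0,     0,             0),
    (60,    75_000_000,    90_000),
    (120,   150_000_000,   180_000),
    (180,   226_000_000,   271_000),
    (240,   300_000_000,   360_000),
    (300,   375_000_000,   450_000),
    (360,   450_000_000,   540_000),
    (420,   680_400_000,   4_140_000),   # +230.4 MB, +3.6 M packets
    (480,   755_400_000,   4_230_000),   # back to normal
    (540,   1_205_400_000, 4_530_000),   # +450 MB, +300 k packets
]

WINDOW = 5   # number of prior intervals that form the baseline (assumption)
RATIO = 4.0  # flag an interval whose rate exceeds RATIO * baseline (assumption)


def rates(samples):
    """Convert cumulative counters into per-interval (t, bps, pps, bytes_per_pkt).

    An interval whose counters went backwards (counter wrap, device reboot)
    or whose timestamps did not advance is skipped instead of producing a
    bogus negative or infinite rate.
    """
    out = []
    for (t0, b0, p0), (t1, b1, p1) in zip(samples, samples[1:]):
        dt = t1 - t0
        dbytes, dpkts = b1 - b0, p1 - p0
        if dt <= 0 or dbytes < 0 or dpkts < 0:
            continue
        bps = dbytes * 8 / dt
        pps = dpkts / dt
        avg_pkt = dbytes / dpkts if dpkts else 0.0
        out.append((t1, bps, pps, avg_pkt))
    return out


def find_bursts(samples, window=WINDOW, ratio=RATIO):
    """Return one alert dict per interval whose bps or pps exceeds the baseline.

    The baseline is the median of the previous `window` intervals, so a
    single burst does not drag the baseline up for the intervals after it.
    The average packet size is reported because a pps burst with little bps
    growth (tiny packets) looks very different from a large transfer.
    """
    alerts = []
    r = rates(samples)
    for i in range(window, len(r)):
        prior = r[i - window:i]
        base_bps = median(x[1] for x in prior)
        base_pps = median(x[2] for x in prior)
        t, bps, pps, avg_pkt = r[i]
        reasons = []
        if base_bps > 0 and bps > ratio * base_bps:
            reasons.append("bps")
        if base_pps > 0 and pps > ratio * base_pps:
            reasons.append("pps")
        if reasons:
            alerts.append({"t": t, "bps": bps, "pps": pps,
                           "avg_pkt_bytes": avg_pkt, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_bursts(SAMPLES):
        print(f"t={a['t']:>4}s  {a['bps']/1e6:6.2f} Mbit/s  {a['pps']:8.0f} pps  "
              f"avg pkt {a['avg_pkt_bytes']:6.0f} B  burst in: {','.join(a['reasons'])}")
```

Run against the constructed counters this reports two intervals: the one ending at t=420 trips only the pps check (60000 pps of 64-byte packets stays under 4x the bit rate baseline), and the one ending at t=540 trips only the bps check (60 Mbit/s of full-size packets). Feeding the same function a real counter series from a router or layer-2 switch is the exercise the message is asking for; the interesting tuning question is the ratio and window for each link class, not the code.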