Home page logo
/

nanog logo nanog mailing list archives

Re: Are we really this helpless? (Re: isprime DOS in progress)
From: Jack Bates <jbates () brightok net>
Date: Fri, 23 Jan 2009 23:34:36 -0600

David Conrad wrote:
Sad fact is that there are zillions of excuses. Unfortunately I suspect the only way we're going to make any progress on this will be for laws to be passed (or lawsuits to be filed) that impose a financial penalty on ISPs through which these attacks propagate.

Careful what you ask for. You might get it, and I'm sure the outcome wouldn't be liked by any. Forgery is bad, but I've seen plenty of DDoS without forgery that can do serious damage. Forgery just makes analysis and back tracking harder. Getting sued because you had some stealth botnet that suddenly fires up is not a good deal; and probably why ISP's still manage to hold onto some immunities. OT, though, I'm sure.

The last DoS with forgery that I asked a provider to backtrack, in the small hopes that it was a concentrated attack with forgery and not a forging botnet, was met with "flows? tracking? We can't see anything. We'll happily remove the block so you can see if it's still going on if you want."

Now I have fun trying to explain towards upstream management why a good security team and policy is important in anyone we purchase transit from. I think they understand it about as much as the transit providers did.

Even when tracked, it is rare that you can get enough interest, time or technical ability to backtrack to a controller. Gaining access to the infected machine and grabbing the bot code is even more rare. That being said, a lot of botnets are already monitored and watched. Unfortunately, there are legal issues when they cross international boundaries; just as there are with child exploitation sites which are hosted in places that are more accepting/tolerant of such things.


Jack


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]