Re: Recent Attacks

From: Barrett G. Lyon (blyonat_private)
Date: Wed Feb 16 2000 - 15:42:18 PST


    On Tue, 15 Feb 2000, Marcus J. Ranum wrote:
    
    > Ryan Russell wrote:
    > >I expect to see ransom demands (either the real attackers or just
    > >opportunists) become announced to the press any time now.
    > 
    > That'd be interesting because it'd clear up the issue of motivation!!
    > 
    > I've always been bemused by the whole denial of service thing. It
    > seems so pointless. It's just vandalism; not even as cool as virus
    > writing, and virus writing is very uncool.
    > 
    > If I was Bezos, I'd offer some amazon.com options for whoever
    > turned in the culprit and sufficient evidence. Then I'd litigate
    > the culprit back to the stone age, including his friends, parents,
    > business associates, school, etc. - anyone involved. Crush 'em
    > real hard, real mean, and real openly.
    
    
    I have kept my mouth shut about most of this, yet now I feel like I have
    something to say.  I do not think there should be any concern about the
    motives that drive these attacks; to me that point is rather
    obvious: their motives are to take their target offline, and I don't think
    it is worth anyone's time to put anything more than that on the
    table.  The media and buzzword-driven hype have turned a DoS attack into a
    hard-to-see, uncontrollable, mystical force, and in reality DoS attacks are
    anything but.  I feel the dent caused by many of these attacks could
    certainly be reduced with proper policy, and I honestly do not think that
    the sites under attack understand the dynamics involved in reducing the
    damage of a DoS (distributed or not).
    
    I have been operating a shell service for many years and over time I must
    have been hit with nearly every type of attack out there.  I have
    developed a personal method of handling large attacks and I usually don't
    talk about it yet it does prove a point:
    
    I first identify what type of attack is coming in and what the targets of
    the attack are (host/service/user/..etc..).  I then immediately drop and
    log all packets from the attacking network(s) (to reduce load on attacked
    machines if it is a SYN attack, etc).  [ granted it is not possible with
    some sorts of attacks to drop and log everything ]  At this point there
    are several decisions I make:
    
       Is my network disrupted by this attack, and if so should I remove
       whatever it is that the attacker wants offline?  If I remove the
       target, will the attacker stop, and if so will this keep my other
       services online?   [ I have found that by removing the target the attacker
       stops nearly immediately. ]
    
    You need to figure out who is actually doing the attack and notify their
    providers with a clean description of what actually took place.  If the
    attack is too big to wait, you get on the phone immediately and make it
    someone else's problem as well.  If it is really bad you can even involve
    your upstream provider(s) and have them put filters in place on their end
    of the network.  [  Large providers hate doing this, yet if you
    bark enough they will listen. ] 
    
    When I think about it there is also an entire forensics process of
    figuring out who was/is doing the attack.  I've found that before an
    attack begins the attacker usually does a port scan or some sort of survey
    of the services on the target system and usually the attacker does this
    from their own host and not another host.  They figure you will never link
    the attack to a port scan or whatever the survey may be. . .
    
    I could write an entire book on this subject but my point is that I really
    don't think large corporations are equipped to handle nearly any type of
    DoS attack.  They don't understand the dynamics of the attacks and they
    don't understand the methods of surviving an attack.
    
    Too bad it is not possible for providers to practice proper egress filtering
    techniques, because after all that is what this is all about.  :P
    
    
    I need a soda.. I can tell my hypoglycemia is kicking in :)
    
      Take care,
    
    -Barrett
    
    
    Barrett G. Lyon
    (NJS) Network Janitor Specialist 
    Have fun: www.AlphaLinux.org
    
    [Q]: Hey, do they test this stuff before it's released?  
    [A]: Sure they do... "It compiles, it's ready!"
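
    The triage the post describes (identify the attack type and its target, drop and log the attacking networks, decide whether per-source filtering can work at all, then go back through earlier logs for the survey that preceded the attack), as an added example that is not code from the post or from anyone in the thread. The one-packet-per-line log format, the sample addresses (taken from the documentation ranges) and every function name are assumptions of the example; the iptables rules are emitted as text for an operator to review, not executed.

```python
"""Added example, not from the original post: triage constructed firewall
log lines from a SYN flood, rank attacking networks, emit LOG+DROP rules as
text, and correlate the attack sources with an earlier port-scan survey."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample logs (not a real capture), one packet per line:
# "HH:MM:SS src dst dport flags", flags S = SYN only, A = ACK set.
# Survey: 192.0.2.10 walks six ports on the target half an hour earlier;
# 203.0.113.77 is an ordinary client completing a handshake on port 22.
SURVEY_LOG = """\
09:58:01 192.0.2.10 198.51.100.5 21 S
09:58:01 192.0.2.10 198.51.100.5 22 S
09:58:01 192.0.2.10 198.51.100.5 25 S
09:58:01 192.0.2.10 198.51.100.5 80 S
09:58:02 192.0.2.10 198.51.100.5 110 S
09:58:02 192.0.2.10 198.51.100.5 143 S
10:01:11 203.0.113.77 198.51.100.5 22 S
10:01:11 203.0.113.77 198.51.100.5 22 A
"""

# Attack: 192.0.2.10 and two neighbours in 192.0.2.0/24 send 60 SYNs to
# port 80 and never ACK; 203.0.113.77 completes a normal handshake.
ATTACK_LOG = "".join(
    f"10:30:{i % 60:02d} {src} 198.51.100.5 80 S\n"
    for i, src in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"] * 20)
) + "10:30:05 203.0.113.77 198.51.100.5 80 S\n10:30:05 203.0.113.77 198.51.100.5 80 A\n"


def parse(log):
    """Turn log text into (src, dst, dport, flags) tuples."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _time, src, dst, dport, flags = line.split()
        records.append((src, dst, int(dport), flags))
    return records


def classify(records, syn_ratio=0.9):
    """Step 1: what kind of attack, against what, from whom.

    A host that only ever sends SYNs and never an ACK is half-opening
    connections; if that traffic dominates the log, call it a SYN flood.
    Returns (attack_type, target_ip, target_port, attacking_sources).
    """
    syn_only, targets, completed = Counter(), Counter(), set()
    for src, dst, dport, flags in records:
        if flags == "S":
            syn_only[src] += 1
        else:
            completed.add(src)  # saw something other than a bare SYN
        targets[(dst, dport)] += 1
    attackers = {s for s in syn_only if s not in completed}
    flood_pkts = sum(syn_only[s] for s in attackers)
    (dst, dport), _ = targets.most_common(1)[0]
    kind = "syn-flood" if flood_pkts >= syn_ratio * len(records) else "unknown"
    return kind, dst, dport, attackers


def likely_spoofed(records, attackers):
    """If nearly every attacking packet carries a different source address,
    the sources are probably forged; per-source drops then buy nothing and
    the filtering has to move upstream (the post's 'not always possible')."""
    pkts = sum(1 for src, *_ in records if src in attackers)
    return pkts > 0 and len(attackers) / pkts > 0.8


def attacking_networks(attackers, prefix=24):
    """Step 2: aggregate attacking hosts to their /24 so one rule covers the
    source network rather than one host at a time."""
    return sorted({str(ipaddress.ip_network(f"{a}/{prefix}", strict=False))
                   for a in attackers})


def iptables_rules(networks, dst, dport, log_prefix="DOS "):
    """Emit rate-limited LOG then DROP rules as text; nothing runs iptables.
    The rule syntax is standard iptables; the log prefix is this example's."""
    rules = []
    for net in networks:
        base = f"iptables -A INPUT -s {net} -d {dst} -p tcp --dport {dport}"
        rules.append(f'{base} -m limit --limit 5/min -j LOG --log-prefix "{log_prefix}"')
        rules.append(f"{base} -j DROP")
    return rules


def surveyors(survey_records, min_ports=5):
    """Step 4 (forensics): hosts that touched many ports on one target before
    the attack, the pre-attack survey the post says is usually done from the
    attacker's own host."""
    ports = defaultdict(set)
    for src, dst, dport, _flags in survey_records:
        ports[(src, dst)].add(dport)
    return {src for (src, _dst), p in ports.items() if len(p) >= min_ports}


def triage(survey_log=SURVEY_LOG, attack_log=ATTACK_LOG):
    """Run the whole procedure and return the decisions as one dict."""
    attack = parse(attack_log)
    kind, dst, dport, attackers = classify(attack)
    spoofed = likely_spoofed(attack, attackers)
    nets = attacking_networks(attackers)
    return {
        "type": kind, "target": f"{dst}:{dport}",
        "attackers": sorted(attackers), "networks": nets, "spoofed": spoofed,
        "rules": [] if spoofed else iptables_rules(nets, dst, dport),
        "scanned_first": sorted(surveyors(parse(survey_log)) & attackers),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

    When the spoof check trips, `triage` deliberately emits no rules: a flood with a fresh forged source on every packet cannot be stopped with a source-address ACL on the victim, which is exactly the case that needs the upstream provider's filters or, ideally, egress filtering at the source network.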
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:23 PDT