Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: abel (able@able-towers.com)
Date: Fri Sep 07 2001 - 02:27:10 PDT


    ----- Original Message -----
    From: "Gert-Jan Hagenaars" <blenderat_private>
    
    A slight change first: we do not mail the ISP, nor the admin.
    
    Upon the first warning in any IDS, we simply block the originating IP on
    router level.
    
    > This doesn't work on machines that connect via DHCP.
    
    Now it does, even though I am aware that more IPs will be added that "may
    be" innocent, but perhaps we can add a time-frame for the duration of the
    filter.
    What it does is that in case we have a full cluster of machines running
    services over several blocks, we enormously limit these probes, since no
    machine in the IP block will see the traffic anymore.
    
    > The whole notion of using manhours to combat a DOS attack is an out of
    > date idea.  Besides, you're turning the problem into a problem for
    > the ISPs.  Which (essentially) means that you're turning the ISPs into
    > internet-cops.
    
    I respectfully disagree; most DOS attacks do not come from servers but from
    clients, clients of ISPs, who in turn leave it to the victim of the attack
    to deal with it.
    We are not turning ISPs into internet cops, but in all honesty: we are
    paying for their money-making, since it is their (un-informed/well-informed)
    clients that do the probes, get infected and perform the DoS.
    I fail to see where they have no responsibility for that.
    
    > I see four distinct problems with this approach:  on one server we got
    > about 1200 distinct hits of code-red in 24 hours.
    >
    > (first problem) How many thousands of emails do I have to send in a
    > week to get through to the ISPs, and
    
    Multiply the number of servers and probes and you will see that it is not
    "sensible" to send out those e-mails.
    Furthermore, it is not we who contact the ISP anymore: once a "client" has
    done a scan of f.i. a full Block A, he will be filtered out on so many
    routers, he will start calling his ISP.
    
    > (second problem) who's going to handle all these requests in a timely
    > manner and
    >
    > (third problem) judge the validity of my claims?  And,
    
    Since the block is only put in place after the first recognition in IDS,
    validity is automatic.
    
    > (fourth problem) who's going to pick up the bill for calling all these
    > customers?
    
    See above: the customer and the ISP.
    
    > Consider the cost of a support call when a customer calls an ISP (CDN
    > 7 about four years ago (when I worked for an ISP), very likely higher
    > now), and that's when you don't have to spend time finding out which
    > number to call, nor having to find the right person at the other end of
    > the phone ("my son always takes care of this stuff, but I can't get to
    > yahoo and I'm paying you guys for my internet connection!")
    
    I considered, and came to the conclusion that I cannot be bothered as much
    as they cannot be bothered by my bandwidth bill after being DoS'd for 1-2
    or more days on end and having to place filters on border-routers
    and making my servers unreachable for the entire world (NON-infectees,
    innocents, whatever).
    In all honesty, they charge their customers for letting them on the net;
    should we next be held responsible for their clients' actions? To me it
    makes sense that the polluter pays his dues.
    
    > If your proposed approach worked, we wouldn't have any SPAM either.
    > And that's an area where (most) ISPs _want_ to battle this.
    
    Except when it comes to peering agreements, filtering sendmail etc.; again,
    their action consists of threatening (or discontinuing service to) the host,
    not the culprit, even though he might be their customer!
    No blocks are placed anywhere; that is left to the client.
    
    > I think a passive inoculation (worm) that doesn't seek out victims, but
    > only counters infected systems (where the admins (if they exist) don't
    > care) is a far better approach.  It's certainly more cost effective,
    > definitely quicker and obviously less prone to error.
    >
    > So... where's the linux version?
    
    Again I respectfully disagree: it does not reduce my traffic, it does not
    reduce my cost, it more than likely doubles my cost, as the counter-worm is
    additional traffic.
    Besides the traffic costs, who is the maker of any counterstrike to decide
    that his/her patch is functional on my setup? What does he know that informs
    him of the measure of safety with which he can restart, or play with any of
    my services running on my servers? None; hence it remains a nice
    thought but a bad idea.
    
    Retaliation is never the answer.
    
    Regards,
    
    abel wisman
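An added example, not code from this thread or from any tool the posters mention, of the scheme the reply above describes: block a source on the first IDS recognition and lift the filter after a fixed time-frame, so that dynamically assigned (DHCP) addresses are not penalised indefinitely. The log format, the addresses and the `/default.ida` signature (the request the Code Red worm sent to IIS hosts) are constructed sample input; the 30-minute window is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of web-server log lines (timestamp, client IP, request).
SAMPLE_LOG = """\
2001-09-07T02:00:00 10.0.0.5 GET /default.ida?XXXXXXXX
2001-09-07T02:00:01 192.0.2.77 GET /index.html
2001-09-07T02:05:00 10.0.0.5 GET /default.ida?XXXXXXXX
2001-09-07T02:50:00 10.0.0.5 GET /index.html
"""

# Hypothetical IDS signature: any request for /default.ida counts as a probe.
PROBE = re.compile(r"^\S+ \S+ GET /default\.ida\?")


class ExpiringBlocklist:
    # Router-style filter: block on first alert, drop the block after ttl.
    def __init__(self, ttl):
        self.ttl = ttl
        self.blocks = {}  # ip -> time at which the filter expires

    def alert(self, ip, now):
        self.blocks[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        expiry = self.blocks.get(ip)
        if expiry is None:
            return False
        if now >= expiry:          # time-frame elapsed: lift the filter
            del self.blocks[ip]
            return False
        return True


def process(log, ttl_minutes=30):
    """Return (dropped, passed) lists of (timestamp, ip), one per log line."""
    blocklist = ExpiringBlocklist(timedelta(minutes=ttl_minutes))
    dropped, passed = [], []
    for line in log.splitlines():
        ts, ip, _method, _path = line.split(" ", 3)
        now = datetime.fromisoformat(ts)
        if blocklist.is_blocked(ip, now):
            # Dropped at the router, so the IDS never sees it: the block is
            # not extended and simply expires when the time-frame runs out.
            dropped.append((ts, ip))
        elif PROBE.match(line):
            blocklist.alert(ip, now)   # first recognition -> block
            dropped.append((ts, ip))
        else:
            passed.append((ts, ip))
    return dropped, passed
```

With the 30-minute window the source's later, innocent request at 02:50 gets through again; with a 60-minute window it is still dropped, which is the trade-off the reply's "time-frame" remark is about.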
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:17:23 PDT