DDOS attack proposal - Constructive suggestion

Linode could provide a reporting facility that would do two things: show everyone when perceived attacks are happening. DDOS attacks look pretty much similar from my experience. They typically involve a port service other than http(s).

IP addresses are logged on each Linode system. Why not create script detection based on attempts at DDOS, updated monthly if possible? They would run on each client's server and report the IPs causing problems, along with providing short log reports proving the attack took place. Now for each of these IP addresses reported, whois information could be compiled as well, based on the IP address detected.

The formatted messages could then be transferred or transmitted to a central Linode processing node that takes the bad IP address list and null routes out each IP address while forwarding the abuse to its apnic, ripe, arin, lanic or afnic based ISP source owner, based on country codes, with Babel or language translation engaged to help expedite such requests.

It seems to me a lot more could be done by all ISPs with the right approach. SSHD can be shut out to remote IPs. Service ports with problems can be re-adjusted or even filtered.

All Linode's reporting service need do is compile the bad IP addresses and perhaps verify the logs in sync with their own router logs. So long as the IPs reported are done in a timely manner, the process should be self-validating.

Hence Linode abuse reports could be filtered for each owner based on IP range. Combinatorial login attacks etc. could be easily enough detected.

As for other exploits: start a database of exploits to log on each Linode server.

Start with the basic ones.

As was stated before, DDOS attacks don't end with a downed server. They end with the owner of a source IP address being fined monetarily for not protecting their related system or network.

So as was specified earlier, a 3rd grader would have to answer to his parents, who would answer to the ISP who pinned his dialup phone number or IP account, and his parents would be required to pay a huge fine, which would probably make his friends think twice about repeating the activity. If the source IP address is determined to be a pawn address, the ISP in the meantime would have to disable that IP until the zombie Trojan is removed and verified. That is the way it should work in a perfect world anyway.

Linode could control its side by automatically doing the reporting.

"No such user" or "invalid password" messages from 20 attempts to login strongly indicate attempts at break-ins, as do 20 different users from the same IP address in less than 5 minutes' time.

Since Obama has plans for a Cyber Czar - I think we should all let him know we want more accountability in the ownership of IP addresses as it should be. Perhaps if there were greater IP owner accountability DDOS attacks would be a thing of the past.

What do you think of that idea?

33 Replies

I can't attack the rest, but:
@rss245x:

Since Obama has plans for a Cyber Czar - I think we should all let him know we want more accountability in the ownership of IP addresses as it should be. Perhaps if there were greater IP owner accountability DDOS attacks would be a thing of the past.
As much as I love where I live, we in the United States do not run the Internet. There are numerous examples where we think we do, and requiring accountability for IP addresses is something that would require international involvement. Whatever Obama does.

The colossal problem with greater accountability for IPs is this one:

Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.

Most botnets I've seen are exploited Cisco routers in high-bandwidth positions. There is no way to trace who is performing a DDoS, as someone operating a DDoS is not sitting on his personal machine sending traffic to the victim himself. He's not that stupid.

Even if you did get the level of accountability you want, the vast majority of compromised machines are in underdeveloped nations without high-tech infrastructure. Asking governments of those countries to produce records for an IP is an exercise in futility. DDoS attacks originating in the United States typically lead to a conviction; this is why you never hear of any.

We can dream, but this isn't likely to happen.

@jed:

Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.

That's not always the case, here is one example:

http://revision3.com/blog/2008/05/29/inside-the-attack-that-crippled-revision3/

Instead of just fining the attacker I would fine the patsy as well. If you cannot police your system properly there is something wrong either with your ISP or with yourself. That may seem harsh, but so is ruining lives and wasting people's time, money and resources. The time has come to bring real order to the internet. Spyware of any kind should be licensed, including the legalized DoubleClick and whatnot out there.

If my machine was taken over by a virus or netbot I sure as hell would rather be notified about it than let it lie in wait. If I have to protect my network as an ISP more, so be it. The kind of nonsense that goes on today should not, and the sooner it ends the better.

Patsies or zombie machines are part of the threat and so must be dealt with first. If you let the zombie population grow it only gets worse, which it is clearly doing.

Like it or not, all of us have responsibilities to keep the internet safe.

Report phishing attacks to spam@uce.gov.

The more we do individually the better environment the internet will be. If we slack off at this rate we will all need 100 gigabyte networks and an extra multiprocessor to deal with all the abuses we allow to continue at great cost.

Let me put it another way: if someone, without your knowledge, takes your car out for a joy ride, kills someone while drunk in a hit and run, and runs up $500 in parking tickets, what happens to the car owner?

They get fined and held responsible for the tickets, and unless they are in a coma or out of the country they are legally liable and probably would be thrown in jail.

Now, given this growing threat out there, maybe a government website that installs an ActiveX or Java com on all hosts that have been identified as potential zombies may be in order, whereby it could access where the originating attacks are coming from by IP and date/time of an infection, assuming the earliest one in the logs is the original attacker or assuming the data goes to a network of computers. Trace each packet far enough back and you should be able to narrow down, if not catch, the culprit responsible for such an attack.

In the meantime, imagine eliminating all the zombies, shrinking the attack pool and making all the people asleep at the wheel more diligent and aware. Fines do that. Abuse notices to ISP NOCs do that. Smarter firewalls that see sessions repeatedly seeking to login could do that.

I have seen attackers in Iran stopped by notifying the owners of an IP address.

I doubt I am the only one fighting out there and I can tell you the hackers are representative of terrorists who blow people up.

Do you think it a coincidence that 9/11 happened during a peak in internet usage? No, and I can assure you if we take hacking more seriously, just like the Mayor of New York who stopped illegal gun sales and spitting on the street and drove the crime rate of New York City to its lowest level. Again, not a coincidence.

You are right the USA does not own the Internet. Started it but does not own it.

It does influence it greatly. If we build higher speed networks so our backbones are OC MAX and we keep diligence over our part of the Internet, why wouldn't the world want that too?

I am upset by the lack of care shown today. The internet was once clean and efficient. Now that claim can no longer be made.

I for one want to see that turned around, starting with ISP responsibility for only the IPs they own. It is certainly doable.

ISPs know who and when they allocate IPs. They can warn customers of perceived threats. ISPs could threaten to shut down service until an infestation of virus, worm or Trojan has been resolved. Like I said before, the more this is law the better the odds of success. If you knew you would be fined by your ISP, by US law, for the crime of network abuse patsy if, after being notified, your system was still infected with no change given 48 hrs time, well, I imagine a huge diligence effort would be made to perform security updates and run anti-virus, firewall and Spybot software by a much greater portion of the public internet users, and so again the zombie patsies would be much fewer in the United States.

To protect the US networks from foreign attacks, US firewalls would null route block any IPs involved in abuse activities, and so at the cost of some IP-by-IP lockouts the American Internet would remain clear of network abuses.

I can tell you from experience something has to be done. Years ago the attacks were far fewer. The number of attacks and variety have skyrocketed since 1994.

You should forward any suspicious emails like:

bank emails claiming your account has a problem, without providing any account information in the process, and a form to fill out requesting account information.

These are almost definitely phishing attempts.

By forwarding the email you keep the original RFC mail headers intact.

We can also all set up proper SPF DNS TXT records to avoid email from-address forgery.

All of this would greatly help clean up the internet.

rss245x:

Your suggestions seem to ignore the cost/benefit analysis that any business must do if it wants to remain in business. Your suggestion is complicated (that means it will take a long time to build, and time means money), and the efficacy is far from guaranteed.

The bottom line is that granular mitigation of DDoS attacks is impractical. Your proposals strike me as a lot of work for little benefit, and I for one would not want the cost of my Linode to reflect your quixotic crusade.

So far as I can tell Linode's approach to this problem (reactive and reasonable) has been an excellent optimization. I don't really see a sensible return from any of the things you have proposed.

That's just my opinion, but I have a lot of experience in this area and think it reflects that and good reasoning.

````
Your post advocates a

(x) technical ( ) legislative ( ) market-based (x) vigilante

approach to fighting DDOS attacks. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Script kiddies can easily use it to harvest vulnerable machines
(x) Slashdottings and other legitimate internet uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop DDOSes for two weeks and then we'll be stuck with it
( ) Users will not put up with it
(x) ISPs will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from DDOSers
(x) Requires immediate total cooperation from everybody at once
( ) Many network users cannot afford to lose business or alienate potential employers
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for the Internet
(x) Compromised hosts in foreign countries
( ) Ease of searching the tiny address space of all IP addresses
(x) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
(x) Apathy on the part of other ISPs
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in IPv4
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of botnets
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Dishonesty on the part of DDOSers themselves
(x) Forged IP source addresses
(x) Unreliability of WHOIS information
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) IP headers should not be the subject of legislation
(x) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about jed's mom without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending packets should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) I don't want the government reading my packets
(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

````

(x) Slashdottings and other legitimate internet uses would be affected

(x) It will stop DDOSes for two weeks and then we'll be stuck with it

(x) ISPs will not put up with it

They will if they lose money from government enforced fines.

(x) Requires immediate total cooperation from everybody at once

Yes, as the polar ice caps melt because of similar inability.

(x) Anyone could anonymously destroy anyone else's career or business

That is already possible and we have seen it first-hand - but remember this: if the rules I recommended were implemented, these attacks would essentially be stopped, if not limited a lot.

(x) Lack of centrally controlling authority for the Internet

Not true. Arin.net, Ripe.Net, Apnic.net, Afnic.net and Latnic.net all allocate specific IP address space. It is fully organized and the owners are registered.

(x) Compromised hosts in foreign countries

Again, it must start somewhere for it to succeed; just because no one went to the moon does not mean they should not try first. Your argument makes no sense to me.

(x) Asshats - Huh??? What is that?

(x) Jurisdictional problems

Not true - ARIN allocates IP addresses - the Federal government of the US extends to all US territories. Canada and Mexico would comply with the US policy so long as it is in their interests, and if the US sees a fall in domestic attacks from US based IP address space the world will soon follow upon the USA's success.

NO JURISDICTION problems then!

(x) Unpopularity of weird new taxes

Not a tax - it's a fine - there is a huge difference, and it would allow a grace period upon reporting abuses. It's only if those abuses go ignored.

(x) Apathy on the part of other ISPs

ARIN and the IP providers will just yank their routing if they don't pay their fines. No IP routing, no internet service - end of story.

(x) Willingness of users to install OS patches received by email

Not going to happen, because the abuse email will specify a specific web site in clear text, not a URL a href tag link, and it will be a .US site. - No problem there.

(x) Armies of worm riddled broadband-connected Windows boxes

Just numbers - more IPs already making trouble need to be fixed.

(x) Eternal arms race involved in all filtering approaches

Huh?? A nuke does not affect this approach; no twisting any country's arm, just a policy that makes sense.

(x) Extreme profitability of botnets

That is the biggest problem, isn't it. All those Internet security companies would have to look for revenue elsewhere. No, because the threat of basic hacking always exists as well from viruses etc., independent of IP address.

(x) Forged IP source addresses

Spoofed IP addresses I am told are a thing of the past now, partly because of DHCP but also because each ISP checks for such spoofing at their firewall, so at least their IPs cannot be forged. To forge an IP means forging IP routing and, correct me if I am wrong here, but that would be a very hard thing to do if not impossible, because the true routing would win out on the return IP packet, so the packet would never reach the hacker unless they selected the IP along the same exact route. Again, really hard to do.

(x) Unreliability of WHOIS information

That could be changed by more diligence by the IP providers.

(x) Bandwidth costs that are unaffected by client filtering

Huh??

(x) Outlook

Replace the email client: Eudora, The Bat, webmail, or just deal more aggressively with email viruses and Trojans than is done now.

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

That is a catch-22 to be sure, because doing nothing, which is what I see happening, just makes the problem worse.

This idea is based on a concrete, controllable, easy-to-implement concept of responsibility for your IP. Are there holes? Oh yeah, but the concept does two major things:

(1) Reduces the overall threat by effectively limiting the zombie pool

(2) Forces all Netizens to care and take greater responsibility

(3) Makes people aware that there is recourse when they are getting attacked by hacking, viruses and trojans

(4) Provides a system that should, if implemented, better patrol and better control network threats, and frankly it should be attempted because there is nothing better being done now and things have become much worse from inaction.

(x) Blacklists suck

No blacklist - just responsibility. I know all about blacklists; Time Warner puts its customers on 2 blacklists on purpose.

(x) Why should we have to trust you and your servers?

You already trust BIND, don't you? It's as simple as that.

BIND uses root DNS servers - can't escape that, can you?

(x) Feel-good measures do nothing to solve the problem

Not a feel-good measure - just hard, crisp facts.

IP addresses are basically fact - spoofing or forging an IP address is not very practical or possible!

(x) Killing them that way is not slow and painful enough

I feel that way much of the time regarding the source attackers.

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.

Why specifically do you think it would not work?

The rare and slim ability to forge source IP addresses?

While an idea is not foolproof, that does not mean it's not effective.

Know the difference. It would be a lot better than doing nothing.

Killing bugs with insect spraying does not solve the bug problem, and environmentalists etc. say it is a bad thing, but it does reduce the potential for disease; many times it's been done. Foolproof, no, but effective, yes!

I certainly have felt the following from the attacks I suffered:

( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

The .US sites mentioned above: I meant to say .gov site and not .US. Anyone can get a .US site; only the US government can run a .gov site.

Again IP forging is not very practical and not very effective.

"Spoofed IP addresses I am told are a thing of the past now, partly because of DHCP"

I was actually reading up until that point…

I'm not going to address the idiocy behind the rest of your logic but as for this:

@rss245x:

(x) Forged IP source addresses

Spoofed IP addresses I am told are a thing of the past now, partly because of DHCP but also because each ISP checks for such spoofing at their firewall, so at least their IPs cannot be forged. To forge an IP means forging IP routing and, correct me if I am wrong here, but that would be a very hard thing to do if not impossible, because the true routing would win out on the return IP packet, so the packet would never reach the hacker unless they selected the IP along the same exact route. Again, really hard to do.

DHCP does nothing to stop IP spoofing. In fact, most of the internet doesn't use DHCP for many reasons. Even in your home network you are able to assign an IP that is in use by a DHCP client.

As for filtering, very few ISPs do any egress filtering based on source address. Spammers have been using this tactic for a long time.

What about the stolen IP space? There are many blocks that don't officially exist that are still in use and several have been sold to legitimate companies.

You really expect a fine to make a difference? It is illegal in many countries to send spam but spam still accounts for an average of 93% of all email. This isn't an administrative problem it is an end-user problem.

Reduction of zombies alone is a goal worth achieving; does anyone deny that?

Just how easy is it to forge an IP address? I have found that I cannot just use an IP address I create with my ISP. It would not work because as part of the DHCP process they check and route, so at least retail ISPs like Time Warner do something about this, or so I have gathered. DHCP was done, again correct me if I am wrong, to control your ISP space and avoid duplicate IPs, or am I missing something here?

I also imagine that if everyone does their due diligence, and based on IP address, since frankly that is all we have to go on, every IP steps up and is responsible for the abuses traced log for log, we would have fewer zombies for sure. Why is it so undesirable for everyone to pitch in?

The same statements made here can be said of littering. I do not see as much garbage on my sidewalks in NYC. Why is that? Laws against littering. There are no IP addresses but if someone is caught dropping a piece of paper they fail to pick up they are fined.

It just seems to me that it's a good start, and given logging of traffic, zombie traffic is pretty much on radar at least, so it is verifiable to be sure.

It's interesting how everyone fights the most common-sense approach to ending all this nonsense. It's almost like they want it. It makes money for them. Why else be so unwilling to do what ISPs today are actually starting to do worldwide?

Like I said before, logged attacks are being stopped by many places; I know, I have seen it. So whether you like it or not, guys, ISPs are stepping up, at least non-American ones anyway. Maybe the Europeans and Asians have realized this and are making a difference in their own countries' networks while us stupid Americans are so lazy and unwilling to do the right thing, and let it fall on others to do it for us, that we just wait until it truly becomes a problem.

Just look how we handled our banks recently!!!

Say what you like, but if all the zombie machines were instantly gone how many of these attacks would we see? Ask yourself that.

And others are right. Suppose viruses continue to infect machines right and left. At least if someone caught it earlier, fewer other machines might get infected.

I have a horrible suspicion that none of this is being done so security software companies can do big business; if so, that is rotten reasoning, because these companies could do far more productive things like build a new moon base and launch interstellar space ships rather than deal with internet security issues. Much more constructive operations from my perspective.

I have heard the naysayers out there a lot. At least people have come up with SPF TXT records and the like to avoid email spoofing, and that works. Does everyone do it? No, but they should.

Some things just make sense:

Do not litter.

Do not promote network abuses by not security-patching your systems.

Do not hack other computers you don't own or have permission to hack from their owners.

These are all good rules, no?

I have truly come to believe simple IP reporting and responsible ISP operations lead to a safer network. Does anyone disagree with that?

If so, why fight it? Why just put it down? Granted, IP forgery is a big hole, but very hard to do, isn't it? How easy would it be to forge an IP address? If it was so easy, then why not forge the IP address for BIND's root server and then control everyone's IP address? Why hasn't that happened yet if it's so darn easy to forge IP addresses?

@rss245x:

Just how easy is it to forge an IP address? I have found that I cannot just use an IP address I create with my ISP. It would not work because as part of the DHCP process they check and route, so at least retail ISPs like Time Warner do something about this, or so I have gathered. DHCP was done, again correct me if I am wrong, to control your ISP space and avoid duplicate IPs, or am I missing something here?

Read http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol and then see if your statement makes sense. You may want to study up on all the concepts and technologies you make claims about to further avoid any displays of ignorance.

Let me first say spamming is with us. I would be happy to see forged spam stamped out at least. No one wants their good name trashed that way. That is possible through DNS SPF TXT records for a domain.

Now regarding the IP address abuses, those are fully trackable. The IP address is known and in the logs. Why not use that?

What is egress filtering? I am not suggesting that needs to be done. Someone misread what I suggested.

Imagine on everyone's server box a simple cron job that goes off every 30 minutes, greps a security log file and pulls a list of IPs and log entries with those IPs.

It sends them to a central processing ISP hub server that merely takes the unique list of IP addresses, does a whois, sends an abuse email to a designated abuse email address, based on country does a Babel-like machine language translation on the letter, and for each troublesome IP sends a letter indicating abuse attack, the time zone of the logging server and the actual whois record showing IP ownership.

What is so bad about that? It's certainly not egress filtering, because these abuses are logged. Leave it to each ISP to handle their own network abuses.

Yaakov, how does that translate to such a bad thing to do?

It's simple, not complicated at all.

This has nothing to do with spam just to be clear. That gets handled differently.

spam@uce.gov is said to already handle spam complaints, and unlike the badly run FBI they don't make you document what you send them, which is idiotic and inefficient. Nobody uses the FBI for much. I wish I could withhold tax dollars from the FBI given their poor handling of the internet today and bad treatment of US citizens. The worst Government organization in the US Government today! Virtually useless and extremely rude, and they never return calls or emails.

I still firmly believe in the approach I suggested. Like I said before, that same approach appears to be working outside the USA. Why do you think the USA has been attacked so much recently? And it has. Look up dingsy@cndata.com.

A ridiculous number of abuse hits on the search engines tells you this ISP is one of the worst in China. Now imagine how many fewer attacks if they acted to eliminate all these abuses, stopped or notified the owners of all the zombies so they could improve network conditions.

Or even Verizon, which also has a don't-care attitude about abuse.

Most ISPs I have dealt with do care and want to do what they can, which is why they provide abuse@ emails.

Feel free to disagree here, but remember change is inevitable, my plan or someone else's, I don't care. Zombie machines must be fixed or removed ultimately, because as time goes on the problem only gets worse!
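As an added example (not code from this thread, from Linode, or from rss245x), here is the detection step behind the cron-job sketch above and the rule in the opening post (20 failed logins, or 20 different usernames, from one IP in under 5 minutes): it scans constructed sshd log lines, applies those thresholds over a sliding window and builds the per-IP evidence report a central hub would receive. The log format, hostname, year and sample addresses are assumptions, and the whois lookup and abuse mail are left out.

```python
"""Detection/reporting half of the scheme proposed in this thread (added
example). Scans sshd auth-log lines, counts failed logins per source IP
inside a sliding 5-minute window and builds a per-IP evidence report.
Thresholds follow the opening post: 20 failures, or 20 distinct usernames,
from one IP within 5 minutes. No whois lookup or abuse mail happens here."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2009                     # syslog timestamps carry no year; assumed
WINDOW = timedelta(minutes=5)
MAX_FAILURES = 20               # failures from one IP inside the window
MAX_USERS = 20                  # distinct usernames tried from one IP inside the window

# Matches sshd's "Failed password for [invalid user] NAME from A.B.C.D ..."
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=YEAR):
    """Return (timestamp, username, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect(lines, window=WINDOW, max_failures=MAX_FAILURES, max_users=MAX_USERS):
    """Group failures per source IP, slide a time window over each IP's
    events and return {ip: report} for every IP that crossed a threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            events[ip].append((ts, user, line.rstrip()))

    reports = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])        # logs may interleave hosts/threads
        win = deque()                        # events inside the current window
        users = defaultdict(int)             # username -> count inside window
        for ts, user, raw in evs:
            win.append((ts, user, raw))
            users[user] += 1
            while ts - win[0][0] > window:   # drop events older than the window
                _, old_user, _ = win.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
            if len(win) >= max_failures or len(users) >= max_users:
                reports[ip] = {
                    "ip": ip,
                    "failures": len(win),
                    "distinct_users": len(users),
                    "first_seen": win[0][0].isoformat(sep=" "),
                    "last_seen": ts.isoformat(sep=" "),
                    # a few raw lines as the "short log report proving the attack"
                    "evidence": [e[2] for e in list(win)[:5]],
                }
                break                        # one report per IP is enough
    return reports


def build_sample_log():
    """Constructed syslog lines for the demo; not a real capture."""
    def line(ts, user, ip):
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # syslog pads the day to width 2
        return (f"{stamp} linode sshd[4242]: Failed password for invalid user "
                f"{user} from {ip} port 5150 ssh2")
    base = datetime(YEAR, 6, 3, 10, 0, 0)
    lines = []
    # 25 different usernames tried inside 3 minutes: a combinatorial login attack
    for i in range(25):
        lines.append(line(base + timedelta(seconds=7 * i), f"guess{i:02d}", "203.0.113.7"))
    # 22 attempts on root, 3 minutes apart: never 20 inside any 5-minute window
    for i in range(22):
        lines.append(line(base + timedelta(minutes=3 * i), "root", "192.0.2.9"))
    # an admin who mistyped a password three times, then logged in
    for i in range(3):
        lines.append(line(base + timedelta(seconds=30 * i), "alice", "198.51.100.5"))
    lines.append("Jun  3 10:01:40 linode sshd[4242]: Accepted publickey for alice "
                 "from 198.51.100.5 port 5151 ssh2")
    return lines


if __name__ == "__main__":
    for ip, rep in detect(build_sample_log()).items():
        print(f"{ip}: {rep['failures']} failures, {rep['distinct_users']} usernames, "
              f"{rep['first_seen']} .. {rep['last_seen']}")
        for raw in rep["evidence"]:
            print("   ", raw)
```

Only 203.0.113.7 is reported; the slow root guesser never has 20 failures inside one window, which is the kind of case a per-window threshold misses and a longer window or lower limit would catch.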

@rss245x:

Let me first say spamming is with us. I would be happy to see forged spam stamped out at least. No one wants their good name trashed that way. That is possible through DNS SPF TXT records for a domain.
SPF does nothing to stop spam because it is a flawed technology that fails to account for many things. It also requires that everyone configure it and there are too many ignorant or arrogant people that will not do it.

@rss245x:

Now regarding the IP address abuses, those are fully trackable. The IP address is known and in the logs. Why not use that?
An IP can be spoofed. Recent attacks against several large DNS servers prove that source address spoofing is very easy. Most DDoS attacks involved spoofed addresses with no actual origin defined. It takes a lot of time, energy, money and cooperation to track down the sources, and the attack has typically stopped before then.

@rss245x:

What is egress filtering? I am not suggesting that needs to be done. Someone misread what I suggested.
You said "because each ISP checks for such spoofing at their firewall so at least their IPs can not be forged". That is the exact definition of egress filtering.

@rss245x:

Imagine on everyone's server box a simple cron job that goes off every 30 minutes, greps a security log file and pulls a list of IPs and log entries with those IPs.
Many of my servers generate multiple gigs per day of access logs. Are you really suggesting that I devote precious resources to processing a log file many times a day? That costs me a lot more money than properly securing my server and just dropping the attacks.

@rss245x:

It sends them to a central processing ISP hub server that merely takes the unique list of IP addresses, does a whois, sends an abuse email to a designated abuse email address, based on country does a Babel-like machine language translation on the letter, and for each troublesome IP sends a letter indicating abuse attack, the time zone of the logging server and the actual whois record showing IP ownership.
Again, IPs are typically spoofed in a DoS situation. In the event of an SSH attack they are legit but are compromised boxes. Who pays for the centralized ISP hub? That's a lot of processing power and bandwidth to burn with a large bill at the end of the month. This will also increase load on the whois servers to an unmanageable level. Who pays for the extra capacity and bandwidth at the ISP server level?

Oh, and automatic translation software sucks and for technical data it is even worse.

@rss245x:

What is so bad about that? It's certainly not egress filtering, because these abuses are logged. Leave it to each ISP to handle their own network abuses.
Seriously, try doing a google search for "egress filtering" before you try to make a statement about what it is or isn't because what you just said doesn't even make sense.

@rss245x:

spam@uce.gov is said to already handle spam complaints, and unlike the badly run FBI they don't make you document what you send them, which is idiotic and inefficient.
UCE.gov has successfully prosecuted a total of ZERO spammers. The FBI has successfully prosecuted domestic spammers. Not that it matters though since this is the Internet and the US has zero jurisdiction over it.

@rss245x:

Nobody uses the FBI for much. I wish I could withhold tax dollars from the FBI given their poor handling of the internet today and bad treatment of US citizens. The worst Government organization in the US Government today! Virtually useless and extremely rude, and they never return calls or emails.
You are entitled to your opinion. I can't blame them for not returning your calls though. I, however, have had no problems getting help from the FBI when I needed it.

@rss245x:

Feel free to disagree here, but remember change is inevitable, my plan or someone else's, I don't care. Zombie machines must be fixed or removed ultimately, because as time goes on the problem only gets worse!
Why are you making it the problem of the responsible people? Zombie machines are the fault of end-users not knowing what they are doing. Why should I have to pay for their mistakes? It's hard enough to keep a successful business running without being forced to pay the bill for others.

There is at least one, and probably many more, that the UCE has prosecuted:

See the following URL:

http://www.dailytech.com/article.aspx?newsid=5782

Also, what IP spoofing of DNS servers is everyone talking about? Because had someone spoofed the root BIND DNS servers, I think the internet would be royally screwed up. What prevents that? Does anyone have that answer? If it's so darn easy to forge IP addresses, why hasn't the root DNS server been so forged?

I asked my ISP recently regarding something SelfishMan said, that

> in a DHCP connection you can assign the PC another IP address.

I was in fact told no, you cannot, so maybe it's just Time Warner, but they claim to be immune to the two cited Wikipedia DHCP vulnerabilities listed, and that DHCP messages cannot be sent by outside sources upon their network. They claim they block such non-RR DHCP traffic.

I think it is ridiculous to think that a secure file log cannot be processed simply and quickly, incurring minor CPU processing time to do it, and generate a unique list of IPs involved with hacking attempts. I know; I have done the work. Running it every 30 minutes, or every hour or even 2 hours, seems a reasonable enough price to pay for diligence. Again, over time processing could be weaned, assuming no abuses happen.

I want to go back to my littering. Why bother to throw a paper into the garbage? Why recycle? Why not just drop all your old papers on the floor and never clean up? After all, it's okay to do that with IP-based hacking, right? Isn't it the same thing?

You are right eventually the number of zombie machines will grow because of apathy and then your processing will include log files that fill up your disk space instead. Not costly right?

Imagine 100 million zombies hitting away on your server. How bad will it have to get before you want to do something about it.

Even iptables cannot handle all the problems from this:

e.g

Decreased bandwidth

Higher probability of workstation infiltration

Lower productivity in the workplace - due to more antivirus scans

etc..

More security updates

Lower confidence of security

--

That will be our future if nothing is done.

I don't believe my solution would be that costly either.

Obviously I have my critics out there.
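What the log-processing step described in this post looks like in practice, as an added example that is not part of the thread or of any poster's code: it parses sshd lines in the usual syslog format, builds the unique list of source IPs with their failed-login counts and the accounts tried, and formats the evidence block one would attach to an abuse report (with the timezone stated, since that is what a foreign abuse desk needs first). The log lines, hostname, threshold and addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in syslog format; not taken from any real server.
SAMPLE_AUTH_LOG = """\
Jun  3 10:01:12 linode sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun  3 10:01:15 linode sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jun  3 10:01:19 linode sshd[2104]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun  3 10:02:02 linode sshd[2110]: Failed password for root from 198.51.100.23 port 40010 ssh2
Jun  3 10:02:40 linode sshd[2115]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Jun  3 10:03:01 linode sshd[2120]: Invalid user oracle from 203.0.113.7 port 51140
Jun  3 10:03:05 linode sshd[2120]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Jun  3 10:05:11 linode sshd[2130]: Failed password for invalid user test from 198.51.100.23 port 40011 ssh2
"""

# Matches only "Failed password" lines. The optional "invalid user" marker tells
# guesses at accounts that do not exist apart from guesses at real accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize_failed_logins(log_text):
    """Return {ip: {"count", "users", "first", "last"}} for every source IP
    that produced at least one failed password attempt."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, "Invalid user" notices, other daemons
        entry = summary[m["ip"]]
        entry["count"] += 1
        entry["users"].add(m["user"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(summary)


def offenders(log_text, threshold=3):
    """Unique source IPs at or above the threshold, worst first."""
    summary = summarize_failed_logins(log_text)
    hits = [(ip, e["count"]) for ip, e in summary.items() if e["count"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def abuse_report(log_text, ip, log_timezone="UTC"):
    """Evidence block for an abuse@ mail: counts, accounts tried, the raw
    matching lines, and the timezone the timestamps are in."""
    entry = summarize_failed_logins(log_text)[ip]
    lines = [l for l in log_text.splitlines()
             if f" from {ip} port " in l and "Failed password" in l]
    header = (f"Source {ip}: {entry['count']} failed SSH logins between "
              f"{entry['first']} and {entry['last']} ({log_timezone}); "
              f"accounts tried: {', '.join(sorted(entry['users']))}")
    return header + "\n" + "\n".join(lines)


if __name__ == "__main__":
    for ip in offenders(SAMPLE_AUTH_LOG):
        print(abuse_report(SAMPLE_AUTH_LOG, ip))
        print()
```

The threshold is what separates a mistyped password from a dictionary run; three failures from one address within a few minutes is a reasonable starting point, and anything the script flags should be checked against the raw lines before it is sent anywhere.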

@rss245x:

> There is at least one, and probably many more, that the UCE has prosecuted:
>
> See the following URL:
>
> http://www.dailytech.com/article.aspx?newsid=5782
>
> Also, what IP spoofing of DNS servers is everyone talking about? Because had someone spoofed the root BIND DNS servers, I think the internet would be royally screwed up. What prevents that? Does anyone have that answer? If it's so darn easy to forge IP addresses, why hasn't the root DNS server been so forged?

Your knowledge of the subject matter makes it impossible to have a practical conversation. With that said, I believe the NANOG and SPAM-L mailing lists would like what you have to say. These matters have been of great concern on both lists and they would value any additional insight.

@rss245x:

> I asked my ISP recently regarding something SelfishMan said, that
>
> > in a DHCP connection you can assign the PC another IP address.
>
> I was in fact told no, you cannot, so maybe it's just Time Warner, but they claim to be immune to the two cited Wikipedia DHCP vulnerabilities listed, and that DHCP messages cannot be sent by outside sources upon their network. They claim they block such non-RR DHCP traffic.

You're not using a "DHCP connection"; you're using a DOCSIS network that presents an Ethernet-compatible interface to your equipment. You probably won't have too much luck spoofing IP addresses there, nor will throwing up a rogue DHCP server do anything productive. (Same with your Linode, although the underlying implementation is different.)

@rss245x:

> I think it is ridiculous to think that a secure file log cannot be processed simply and quickly, incurring minor CPU processing time to do it, and generate a unique list of IPs involved with hacking attempts. I know; I have done the work. Running it every 30 minutes, or every hour or even 2 hours, seems a reasonable enough price to pay for diligence. Again, over time processing could be weaned, assuming no abuses happen.

I regret to inform you that it already exists in a couple different forms.

So wait, which part of your solution isn't either 1) already implemented or 2) impossible to implement?

I found a lot of foreign ISPs in Turkey, Iran and Korea very caring, and after sending them a machine-translated email with my timezone, the offending IP address and logs containing that IP, I was told the problem had been handled, and I saw that IP address stop attacking me. I even had a day with no attacks.

You are wrong about ISPs not wanting to stop the abuses. Like I said before, why do they have abuse@ email addresses?

Why do they have listed abuse email addresses? I will tell you. It is so they can disable or notify their customers that their systems have been compromised.

What do these ISPs gain? Respect of their network, for one, not to mention cleaner bandwidth and of course less abuse emails.

American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies:

short-sighted, lazy thinking! Does Verizon take care of its problems? Not right away, if at all.

Just a point in fact: ISPs who run abuse-free networks gain greater respect and better operations from increased bandwidth from less abuse shenanigans!

Consider that!

@rss245x:

> I found a lot of foreign ISPs in Turkey, Iran and Korea very caring, and after sending them a machine-translated email with my timezone, the offending IP address and logs containing that IP, I was told the problem had been handled, and I saw that IP address stop attacking me. I even had a day with no attacks.

Or the bot machine attacking you was turned off by the owner, not the ISP, or the master dropped that connection because it was causing too much noise. You can't confirm that the ISP actually handled the issue. You just have to believe them.

Sidenote: when dealing with foreign abuse notifications, use GMT time; it makes everything faster.

> You are wrong about ISPs not wanting to stop the abuses. Like I said before, why do they have abuse@ email addresses?
>
> Why do they have listed abuse email addresses? I will tell you. It is so they can disable or notify their customers that their systems have been compromised.

Liability and not much else.

> What do these ISPs gain? Respect of their network, for one, not to mention cleaner bandwidth and of course less abuse emails.

Respect from what and to whom? The customers? They can null route traffic (like AT&T did with 4chan recently) and never even notify the customer, or with any abuse notifications.

> American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies:
>
> short-sighted, lazy thinking! Does Verizon take care of its problems? Not right away, if at all.

Because the vast majority of their money isn't made from customer ISP connections. They make the most money in cell networks, and government ISP contracts. Customers are always last.

@rss245x:

> Also, what IP spoofing of DNS servers is everyone talking about? Because had someone spoofed the root BIND DNS servers, I think the internet would be royally screwed up. What prevents that? Does anyone have that answer? If it's so darn easy to forge IP addresses, why hasn't the root DNS server been so forged?

Static routing and authoritative DNS.

@AVonGauss:

> @jed:
>
> > Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.
>
> That's not always the case, here is one example:
>
> http://revision3.com/blog/2008/05/29/inside-the-attack-that-crippled-revision3/

That was actually a sorta-accident in which one company (MediaDefender) was exploiting a vulnerability in the Rev3 BitTorrent tracker by forcing it to host non-Rev3 content. When Rev3 patched the hole, the MD servers attempted to reconnect to the non-Rev3 content and inadvertently DoS'd the Rev3 servers. This was not a targeted DoS attack.

@rss245x:

> Since Obama has plans for a Cyber Czar - I think we should all let him know we want more accountability in the ownership of IP addresses, as it should be. Perhaps if there were greater IP owner accountability DDOS attacks would be a thing of the past.

An IP address does not resolve to a person. It resolves to an ISP, which can then resolve it to an account, and the account may have current information about the person that was assigned the IP originally.

Think of it this way: although a US license has your address on it and you are "legally" required to change it within X days of moving, if a warrant is put out for your arrest based on current data, but within the X days of you moving, they kick in your door and no one is home. Needless to say, you probably aren't going to be updating your address soon.

It is much the same with IP addresses. If you move your laptop around in one city, you'll pick up a bunch of IPs that all can resolve to this particular city, but if you constantly hop between multiple connections, each IP owned by a different ISP, no one would be able to determine who has been connecting to each ISP because the account holder is not the one connecting.

Forging IP headers is the same thing, just on a larger scale. It doesn't matter that information is able to transmit back to the sending host. Just that the packet gets to its destination causes a clog when the target attempts to connect back to the forged IP and the true IP says that it never attempted to make that connection and drops it, wasting CPU cycles on the target host. Enough connections bog the CPU down and it can no longer answer legitimate requests made to the server.

So more accountability, sure, but not for this stuff. More net neutrality, please.

I still maintain, despite the naysayers, that IP accountability, though imperfect, is a start to stopping the horde of zombie machines.

So what would be so terrible if everyone who owned a computer hooked up to the internet showed responsibility? Thus far murderers at least do not seem to be able to stay anonymous on the web, as the newspapers have shown, so it seems to me IP accountability could work. There may be some phony ones out there, but if hotels in Europe can track their customers coming and going, I would bet automated ISPs could manage it as well.

There is no better way to track things than the ISP, because it's basic to the TCP/IP protocol. You do not get on the internet without access to a routable IP, and the ISP who routes it is liable. Now break-ins can be hacked, I suppose, but duplicates are typically determined in a good network. Still, it's sad to think most of the netizens out there would prefer to fight it out rather than find a systematic solution.

Everyone makes good arguments regarding not holding IP users accountable, but I fear things will only get worse if nothing is done about it.

I think the biggest problem is that unless you get consistent ingress filtering (and thus buy-in) from all possible ISPs, and depending on the type of attack, you can never be absolutely sure that the traffic you backtrack to an ISP really originated there.

In the US at least, I expect many (most?) ISPs are doing ingress filtering at this point. It was certainly happening years ago when I was more involved. Catching forged addresses at the point they enter the network is a great way to at least have some trust when tracing an IP address back. That is, an ISP will block traffic from its customers unless the traffic is originating from an address block the ISP owns and/or has assigned to that customer (depending on how fine grained they do it).

It can't always stop a person from forging an address within the block that their connection might share with topologically close customers, but tracing things back would still end up at the right ISP and real-world detective work could proceed from there.

While I haven't experimented recently, it wouldn't surprise me if my home broadband connection was filtered so that it would drop any traffic that didn't have the exact source address that I had been assigned by my broadband modem. The modem itself has all the information it needs to do the work, and is an efficient place to do the filtering, though an argument could be made to do it one hop upstream to protect against someone breaking into the modem.

But - and it's a huge but - as long as there is one ISP out in the world somewhere that doesn't do this, then customers of that ISP can forge any address they like. Some of this may be clamped down if an upstream ISP or major exchange point does additional filtering, but the further away from ingress you get, the wider open the filters have to be due to the valid addresses that may be expected to be seen at that level of the network hierarchy.

Now, those forgers may not be able to maintain bi-directional traffic flow, since return traffic won't route back to them, but they can certainly mount denial of service attacks such as a SYN flood, or overloading a UDP based service. In such a case, backtracking the IP address from such an attack will lead to entirely the wrong place. If you can get coordinated tracing of the stream as it's occurring you'll have more luck moving in the right direction, but that's a lot of coordination.

On the brighter side, if you're seeing IP addresses higher up the stack such as in a TCP-based application log, that implies the handshake completed, which is a bi-directional connection, so I actually think the odds are decent nowadays that back-tracking will get you to the right ISP. Of course, that can still be a far cry from getting the problem pursued back to a specific individual depending on where the trace led.

It's just a tough problem - particularly because not all the parties that need to work together to help ensure that an address is viably traceable have the necessary incentives to do so. The very decentralized and fragmented structure of the network that helps it operate as well as it does works against you in this problem space. And even when technical improvements are possible, some of the problem becomes less technical than real world political.

– David
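David's point about filter granularity, and the forged-header scenario described a few posts up, in code. This is an added example, not from the thread or from any ISP's equipment: an ingress (source-address validation) filter that can run either per customer port against what that port was actually assigned, or only against the ISP's aggregate blocks, which is all a hop further upstream can know. The topology, port labels and packets are constructed; `ipaddress` handles IPv6 the same way.

```python
import ipaddress

# Constructed topology with hypothetical labels (no real ISP): the ISP owns two
# blocks and hands pieces of them to customer ports.
ISP_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]
CUSTOMER_PORTS = {
    "cust-a": ["192.0.2.10/32"],     # home line with one assigned address
    "cust-b": ["192.0.2.64/26"],     # small business with its own /26
    "cust-c": ["198.51.100.0/25"],   # larger customer with a /25
}


class IngressFilter:
    """Source-address validation at the customer edge, the idea David describes.
    strict=True checks each packet against what its own port was assigned;
    strict=False only checks against the ISP's aggregate blocks, the coarser
    filter an upstream hop would have to settle for."""

    def __init__(self, port_assignments, isp_blocks, strict=True):
        self.ports = {port: [ipaddress.ip_network(n) for n in nets]
                      for port, nets in port_assignments.items()}
        self.isp_blocks = [ipaddress.ip_network(n) for n in isp_blocks]
        self.strict = strict

    def allowed(self, port, src):
        src = ipaddress.ip_address(src)
        nets = self.ports.get(port, []) if self.strict else self.isp_blocks
        return any(src in net for net in nets)

    def filter_packets(self, packets):
        """Split (port, source) pairs into accepted and dropped lists."""
        accepted, dropped = [], []
        for port, src in packets:
            (accepted if self.allowed(port, src) else dropped).append((port, src))
        return accepted, dropped


# Constructed packets: genuine sources, a neighbour's address inside the ISP's
# own block, and an address belonging to a different ISP altogether.
PACKETS = [
    ("cust-a", "192.0.2.10"),       # genuine
    ("cust-a", "192.0.2.70"),       # cust-a using an address assigned to cust-b
    ("cust-b", "192.0.2.100"),      # genuine, inside cust-b's /26
    ("cust-c", "203.0.113.9"),      # address from another ISP entirely
    ("cust-c", "198.51.100.200"),   # ISP's block, but not cust-c's /25
]
GENUINE = {("cust-a", "192.0.2.10"), ("cust-b", "192.0.2.100")}


def spoof_reach(strict):
    """How many of the forged sample packets the chosen filter still passes."""
    accepted, _ = IngressFilter(CUSTOMER_PORTS, ISP_BLOCKS, strict).filter_packets(PACKETS)
    return len([p for p in accepted if p not in GENUINE])


if __name__ == "__main__":
    for strict in (True, False):
        accepted, dropped = IngressFilter(CUSTOMER_PORTS, ISP_BLOCKS, strict).filter_packets(PACKETS)
        print("strict" if strict else "aggregate", "accepted:", accepted, "dropped:", dropped)
```

The aggregate filter still drops the packet claiming an address from another ISP, so a trace from the victim ends at the right ISP either way; only the per-port filter stops one customer from borrowing a neighbour's address, which is the detective-work gap the post describes.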

@jed:

I can't attack the rest, but:

> Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.

Yep…I definitely agree on that one.

@jed:

> Most botnets I've seen are exploited Cisco routers in high-bandwidth positions. There is no way to trace who is performing a DDoS, as someone operating a DDoS is not sitting on his personal machine sending traffic to the victim himself. He's not that stupid.

I agree, although in my case, I usually see a lot of govt (and some commercial) end-users also being compromised.

@jed:

> Even if you did get the level of accountability you want, the vast majority of compromised machines are in underdeveloped nations without high-tech infrastructure. Asking governments of those countries to produce records for an IP is an exercise in futility. DDoS attacks originating in the United States typically lead to a conviction; this is why you never hear of any.

This one is a big one, especially in the sense that most Win32/64 OSs are pirated and not patched, making them prime targets. This is probably why I tend to see tons of attacks coming from APAC regions, at home and at work.

> American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies short sighted lazy thinking! Does Verizon take care of its problems? not right away if at all.

> Because the vast majority of their money isn't made from customer ISP connections. They make the most money in cell networks, and government ISP contracts. Customers are always last.

Nope. Verizon makes just as much money providing ISP services as they do other network-related and government-related services. There are three sub-orgs of Verizon: Verizon Business, Verizon Core, and Verizon Wireless. In fact, Verizon Business provides DDoS services successfully because of the very large backbone they own. Their abuse department sometimes works hand-in-hand with DHS when serving take-down notices due to botnets and malware hubs. Almost all of this is due to ISP services. They provide the circuits and have complete control over them. I know for a fact that they are proficient enough in resolving enterprise-level issues…I've been employed with them for 4 years in their Managed Security Services department. We've offices all over the world, several global operations centers (including one in Belgium, one in the Philippines, and one in Australia). A company can't be global and not know what they're doing.

Lastly, I really hate the anti-geographical arguments that some Europeans (or non-US people) tend to make. Notice that it only comes out during heated debates, usually out of the blue when on the losing end of an argument. Please don't lump us all into the "you Americans" bucket. Please don't generalise. Argue your case with facts and not bigotry.

> American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies short sighted lazy thinking! Does Verizon take care of its problems? not right away if at all.

Well if America sucks, then I'd love to hear your opinion on China. My latest major brute force attack (SSH) happened to be from China (230 attempts). Hell, they almost always are. The rest of the time they are usually from France, Germany or Russia!

@rss245x:

> The .US sites mentioned above. I meant to say .gov site
>
> and not .US. Anyone can get a .US site; only the US government can run a .gov site.
>
> Again, IP forging is not very practical and not very effective.

Honestly, I am pretty sure you are just trolling at this point.

IP forging is extremely practical in the places these attacks source from.

In the states, many ISPs block outgoing spoofed packets. In most parts of the world where these attacks source from however they do not. Why? No idea… they cannot afford the software/hardware to handle it? But long and short story is that they don't. Therefore, traffic will still come in. Attacks will still come in.

DDOS has been around since the dawn of the internet. Back since before the days of smurf and fraggle. (Smurf is one of the many famous DDoS tools).

Also, you seem to have some belief that the US has authority over the internet. Obama's internet czar is a joke and just another attempt to give one of his friends a job.

We do. Not. Own. The. Internet. Regardless of the fact that most of it originated from the States, other countries' networks far outweigh ours. We are still an important part of the net, but to put us that high on the table is absurd and goes against the whole design of the internet. If we started putting ridiculous limitations in, we'd just be routed around and life would go on.

As official as we try to make it, the internet was designed with rules that make it similar to the wild west. There are policed towns, and then there are raids from neighboring bandits.

This is the design of it, and it will always be this way until we revamp the entire protocol set used.

So please, stop worrying about enforcing DDoS punishment and start figuring out how to make your app/server resilient to it, if possible.

First off, I loved bdonlan's checklist.

I am looking for published lists of DDOS attack (and spam and fraud) source IP addresses. I would like to compile them into a database, age them, and make them available to website owners.

I'd like to provide a simple web API that accepts an IP address and a few optional parameters (eg maximum age), and reports how many of each type of report the IP has been on within that age, so that the user could warn or prevent the visitor from proceeding (with signup, login, whatever) until their IP address is better behaved.

I am not too familiar with the speed at which IP addresses are recycled, so I don't know how long they should remain in my database, but if the service I want to provide existed, I would seriously consider at least reporting to members of my website, and I'd lobby my clients to do the same on theirs.

Being told you're a spammer won't be too annoying to spammers, but many Windows users would consider malware detection and cleansing software if they found out that their system seems to be participating in DDOS attacks that are wasting their time and someone else's webserver.

I know it wouldn't be too much use until a decent number of existing DDOS attacks were regularly updating the database, which is why I was searching ("DDOS 'ip address list'"). Maybe some folks here would be interested in helping?
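A minimal version of the store and lookup sketched in this post, added here as an example (it is not the poster's code and not any existing service): reports are keyed by a normalised address so that differently spelled IPv6 addresses land on one entry, a lookup takes an optional maximum age and returns a count per report type, and an expiry pass drops old reports because addresses get reassigned. The report kinds, the sample addresses, timestamps and the challenge threshold are constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

REPORT_KINDS = ("ddos", "spam", "fraud")
SAMPLE_NOW = datetime(2011, 6, 1, 12, 0)   # constructed "current time" for the sample


class ReputationDB:
    """In-memory store of abuse reports per normalised IP address with
    age-limited lookups, after the API sketched in the post."""

    def __init__(self):
        self._reports = {}  # normalised ip -> list of (timestamp, kind)

    @staticmethod
    def _key(ip):
        # ipaddress normalises spelling, so 2001:0db8:0:0::1 and 2001:db8::1 share one entry
        return str(ipaddress.ip_address(ip))

    def report(self, ip, kind, when):
        if kind not in REPORT_KINDS:
            raise ValueError(f"unknown report kind: {kind}")
        self._reports.setdefault(self._key(ip), []).append((when, kind))

    def lookup(self, ip, now, max_age_days=None):
        """Reports per kind no older than max_age_days (None = no limit).
        Every kind is always present, so a clean address reads as zeros."""
        counts = Counter({k: 0 for k in REPORT_KINDS})
        cutoff = None if max_age_days is None else now - timedelta(days=max_age_days)
        for when, kind in self._reports.get(self._key(ip), []):
            if cutoff is None or when >= cutoff:
                counts[kind] += 1
        return dict(counts)

    def expire(self, now, max_age_days):
        """Drop reports older than the limit. Addresses get reassigned, so
        stale entries would end up punishing whoever holds the address next.
        Returns the number of addresses still listed."""
        cutoff = now - timedelta(days=max_age_days)
        for ip in list(self._reports):
            kept = [(w, k) for w, k in self._reports[ip] if w >= cutoff]
            if kept:
                self._reports[ip] = kept
            else:
                del self._reports[ip]
        return len(self._reports)


def should_challenge(db, ip, now, max_age_days=30, threshold=2):
    """Policy hook a site could call before sign-up or login: challenge the
    visitor (CAPTCHA, delay, extra verification) when recent reports of any
    one kind reach the threshold. Window and threshold are constructed."""
    return any(n >= threshold for n in db.lookup(ip, now, max_age_days).values())


def build_sample_db(now=SAMPLE_NOW):
    """Constructed reports, not data from any real list."""
    db = ReputationDB()
    db.report("203.0.113.7", "ddos", now - timedelta(days=2))
    db.report("203.0.113.7", "ddos", now - timedelta(days=10))
    db.report("203.0.113.7", "spam", now - timedelta(days=90))
    db.report("2001:0db8:0:0::1", "fraud", now - timedelta(days=1))
    db.report("2001:db8::1", "fraud", now - timedelta(days=3))
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for ip in ("203.0.113.7", "2001:db8::1", "192.0.2.1"):
        print(ip, db.lookup(ip, SAMPLE_NOW, max_age_days=30), should_challenge(db, ip, SAMPLE_NOW))
```

Returning a challenge decision rather than a block keeps the cost of a stale or mistaken listing low, which matters given the reply below about how widely distributed DDoS sources are.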

Since the first D in DDoS means DISTRIBUTED, pretty much just take the entire range of IPv4 addresses and add them to your database. Sooner or later, you'll strike gold.

//BTW at 2+ years and counting, way to resurrect a stale thread//

You missed this crucial part of my post:

> and reports how many of each type of report the IP has been on within that age

So if your suggestion has any merit beyond its bit o' humor, I'd need to include the date reported, and whether it was listed as a source of fraud, DDOS, or spam.

@dscotese:

> First off, I loved bdonlan's checklist.

Similar ones have been around for some time. :)

@dscotese:

> I am looking for published lists of DDOS attack (and spam and fraud) source IP addresses. I would like to compile them into a database, age them, and make them available to website owners.

Denyhosts has the capability to collect this information. Their terms for accessing the data may or may not be in line with your plans.
