ISP Forced Out of Business by DoS

flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse. The kids are getting more and more aggressive as time goes on and it gets easier and easier to launch a large scale DoS. As any techie knows, fixing the problem is far easier said then done... but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue.

Re:whoops

[Tipsy+McStagger]

The Register have the text of the announcement at the moment.

Register coverage

[Zocalo]

The Register is an effective mirror of the article too, but they also have a *tiny* bit more information.

Re:I'd like to know

[RC514]

The slashdot effect has been analyzed:

Traffic increase from slashdot effect
Increase in hits and bandwith requirements of a Linux related story being featured on Slashdot
Analysis of several stories making it to the frontpage of Slashdot and other newslogs.

Especially the second link shows that the Slashdot effect can look very much like a DDoS attack. The severance depends on the story, probably on the time of day and of course on the link and hardware powering the /.ed site.

If you pay by the gigabyte for your webtraffic (who doesn't), the /. effect can be a financial DoS attack much more than a technical DoS.

Re:which side of the law is our community on?

[Catiline]

Counterargument to your very silly counterargument:

Doctors study illness not to cause it, but to cure it.

I know that politicians, when dealing with computer technology, like to follow your facetious argument. The problem is that the general public has a hard time realizing programs are more like a leatherman multitool (wide purpose) and less like an EEG machine (one purpose). I've used Word to doodle, or play games (it's quite fun mangling the program using VBScript). Is it a crime for me to do so? After all, the same skills have been used to write virii or munge the security of a LAN.

I understand the twin concepts of responsibility and accountability: those are what keep me from considering any hacking. I've almost always known how to break security on any computer system I used; those two ethical precepts kept me from actually doing it (despite often strong temptation to the contrary). And if they were taught in public schools- and made to stick- script kiddies probably would be managable.

This is not to absolve network admins of their responsibility (to have a good firewall, practice proper security, etc). I just think that maybe we need consider the possibility that where the slashdot community stands isn't pro or con, but a sensible and logical medium.

Kill the martians!

[leonbrooks]

i came upon an interesting article that talks about a reverse firewall

*All* of my servers block all traffic to/from private IPs - except subnets they know - and block outbound traffic not from an externally visible IP that they own; they've done this for years, it's a fairly simple set of ipchains/iptables rules. The 2.4 kernels have a heap more options such as automatic martian (alien packet, ``it can't have come from there'') assassination.

Oh, and they complain in the logs, which are monitored. They also use tools like portsentry to temporarily block all traffic from IPs that sniff them.

And they all stay updated (thanks Mandrake, even if it's not quite as simple as Debian).

These things are all easy under Linux, presumably most BSDs, and probably not that difficult under Solaris, HP-UX, OS/X et al. But Windows? Hmmm...

Shortlist of private IP subnets to drop: 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.127.0.0/16; there are a few others you could use as well.

Do a traceroute 192.168.99.99 from your box (try a few other private IPs as well) and see what happens. From here, RadioWAN don't filter, EfTel don't filter, Paradox don't filter, and AlterNet only drop private IPs after a few hops into their LAN (hey, at least they don't route it!), which is all very sad from a bullshit-deterring POV.

Re:No technical solution, it's an apathy thing...

[Legion303]

The authorities won't do anything to offending script kiddies unless you can show a certain dollar amount of damages. Most admins probably don't bother calling the feds because they know the feds won't do a thing.

-Legion

Re:No technical solution, it's an apathy thing...

[macemoneta]

Even on home cable, it's not feasible. I had done this when I had gotten 1-2 scans a day. I never received a response to the report. A few trojans ago, the scan rate picked up (now over a dozen a day). It's gotten to the point where I just turn the monitoring for scans off (still watch for unauthorized access). This is just me at my home PC; it would be a full time job to keep up with this. It's just not feasible.

We need an automated tool for collecting the scan data, and depositing it in a repository. The respository can perform the correlations to track these to the source nodes. Higher level (towards core) IPSs can take the lower level (towards edge) ISPs off net until the DoS is terminated.

If done properly, but still mostly manual operation, a DoS would last at most an hour. The problem is getting cooperation between companies and organizations that are business competitors. You need a third party independant organization (jointly or government funded) to manage the repository and request the service deactivation.

Of course, then the repository would itself become the target for attack...