ISP Forced Out of Business by DoS
flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse.
The kids are getting more and more aggressive as time goes on and
it gets easier and easier to launch a large scale DoS. As any
techie knows, fixing the problem is far easier said then done... but
as a frequent recipient of the sharp end of the DoS stick, I sure
wish it wasn't an issue.
Can someone please clue me into why people do this? I don't quite understand this mentality. I have never done something bad like this simply because I could. Am I a rarity in this world? Do these kids need a hug? Why would you do this? Feeling "elite" because you can knock down an ISP? Take your energy and do something positive with it. IMO, this is petty and retarded. Maybe these script kiddies can go knock down a hospital or something next, hey why not, it doesn't hurt anyone right? RIGHT? forking iceholes.
Sent from your iPad.
A solution to the DOS problem was posed at the Adelaide IETF meeting a couple years ago. Basically, some small percentage of packets randomly selected get ICMP notices from routers, with last and next hop information, that is forwarded to the destination. So if you are getting a large number of packets from a single source, you get proportionally more of these packets, and can use a heuristical engine to model the source, even for DDOS problems. This allows you to trace back to the offending network/ISP and shut off the DOS
Why did no one do this? It requires changes to router firmware, I'm not sure about Cisco firmware upgrades, but I thought they were at least possible. Besides, they could use this as a selling point and declare their old routers obsolete.
Admittedly, the model breaks down under MPLS, since it is difficult to track the cloud, but you can at least track entrance and exit points from the cloud.
As usual this is a question of ethics.
It has nothing to do with hackers, crackers, RIAAs, MPAAs or the color green - it has all to do with freedom of information:
- I support freedom of information, and by extension those that help make information free.
- I'm against restriction of information (any kind of information - bad, good, usefull or useless). Naturaly i am by extension against those that try to constrain that freedom.
- Which side of the law am i on?
Neither side. My ethics are independent of the law.
Going back to this specific case, i'm against however did the DDoS attacks because they went against other people's freedom to give and receive information.
Although the news item does not justify saying that the ISP was going out of business because of DOS attacks (they were still financially solvent), perhaps the owner decided he had had enough of the problems from vandals. A well-run business will shut down and leave the neighboorhood when windows get broken repeatedly before they loose all of their money.
Computer vandalism -- This will not decrease until we (as the technical community -- including management) decide to make some changes. Without changes, it will only get worse.
1) Although technological solutions are useful and necessary, they are not enough. The trusted network model does not work in the real world. There must be rules, accountabilty and penalties (without penalties, nothing stops me from continuing to break the rules).
2) Many network rules exist, some are poorly enforced.
3) Because of packet-spoofing. Some (D)DOS attacks can be nearly impossible to shutdown. We need to make sure only legitimate packets can Internet at large. Without this rule, tracking down the vandal and applying the penalty is not practical. If packet spoofing were eliminated, it would be possible to identify culprits at a modest cost.
4) Accoutability needs to be improved by everybody. If Nimba2002 is released tomorrow, Microsoft should be expected to make it well known, and supply a fix. Network servers should be patched. People running compromised server should be cut-off until they get fixed. These things happen by and large in a haphazard fashion today. The problem needs to be addressed at the source whenever possible.
4) Penalties need to be commensurate with violation. A hand-slap for vandalism does not deter, a death-sentence for jaywalking deters, but it not justice either.
5) Then maybe we should get rid of junk email for an encore.
/.
Back in the day, before the Internet went commercial, if you abused your connection your upstream provider (typically a bunch of long-hairs at a land-grant university) would cut you off. If they didn't do it, their upstream provider would cut them off.
Currently, there is no real penalty for large ISPs who do not implement egress filtering (which prevents IP source spoofing) and/or refuse to co-operate in tracking down DOS sources.
The anti-spam vigilantes have been partially effective in cutting off ISP service to the worst spammers; perhaps something similar is needed to influence the ISPs who refuse to implement egress filters.
--Charlie
Of course there is: to test the robustness of a piece of equipment against such attacks.
There are ways to deal with DDOS attacks, but, unfortunately, they require the cooperation of most parties involved in the aggregation of "hostile" traffic toward a given target. It does no good for the target to simply drop "hostile" packets, because upstream "friendly" traffic might still get congested. The upstream routers need to be told to stop forwarding the "hostile" traffic.
And this raises two problems: 1) How do you deploy the software to an existing router infrastructure to allow this back-propagation of "stop forwarding hostile traffic to me" messages. 2) How do you identify traffic as "hostile"?
There are techniques for guessing what traffic is actually hostile, based on packet signatures (often the source address is spoofed, the attack is distributed, or otherwise useless), without dropping too much friendly traffic. It is better, though, to lose some friendly traffic, rather than all of it -- failing gracefully, as it were.
But retrofitting a standard DDOS defense will prove to be difficult, given the diversity of players involved (and this is one area where IP carrier consolidation would be a good rather than a bad thing) -- just look at the difficulty in bootstrapping IPv6 in the network.
You could've hired me.
As someone who was put in this same situation at the end of '99. I can only say -- if the big boys were concerned -- it would not be a problem. Although its not a trivial problem, dynamic blocking rulesets on bordergate routers who get a rush of ICMP (or other sorts) of traffic to a single target would not be hard to block.
.ca. After the attack our ISP was quick to disconnect us with no alternatives we closed our doors (noone else in town wanted to touch us).
My small ISP which had been doing okay had been stranded without an uplink after a 150Mbit attack took out sprint links in our part of
After the attack we were quick to contact the NOC of a few schools with unused 'open' blocks who refused to claim responsibility (of the DDoS packets) or fix the problem. About a month and a half later they had FBI knocking on their door after the ebay/yahoo etc attacks.
The question --
Do you think DDoS could be a tool for the bigger ISP's and players to squeeze smaller guys (ISP/ASP) out of business? I know that one quite is a stretch.
What other reasons have kept ``Tier-1'' networks from implementing fixes?