Slashdot Mirror


You're Being DDOSed — What Do You Do? Name and Shame?

badger.foo writes "When you're hit with a DDOS, what do you do? In his most recent column, Peter Hansteen narrates a recent incident that involved a DNS based DDOS against his infrastructure and that of some old friends of his. He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)? How about scans that may or may not be preparations for DDOSes to come?"
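The column describes a DNS-based DDoS. One pattern worth recognising on an authoritative name server is reflection: a flood of identical, amplification-friendly queries whose "source" is the spoofed address of the real victim. The following is an added example, not code from Peter Hansteen's column or from the thread; the log lines are constructed in a BIND-style query-log format, and the query types treated as amplifying and the threshold are assumptions made here.

```python
"""Added example: spot a reflection/amplification pattern in an authoritative
name server's query log.  Not code from the column or the thread; the sample
lines below are constructed (BIND-style format), 203.0.113.9 plays the spoofed
victim and 198.51.100.5 an ordinary resolver."""
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
07-Mar-2013 12:00:00.001 queries: info: client 203.0.113.9#53: query: example.org IN ANY +E
07-Mar-2013 12:00:00.002 queries: info: client 203.0.113.9#53: query: example.org IN ANY +E
07-Mar-2013 12:00:00.003 queries: info: client 203.0.113.9#53: query: example.org IN ANY +E
07-Mar-2013 12:00:00.004 queries: info: client 203.0.113.9#53: query: example.org IN ANY +E
07-Mar-2013 12:00:00.005 queries: info: client 203.0.113.9#53: query: example.org IN ANY +E
07-Mar-2013 12:00:00.006 queries: info: client 203.0.113.9#53: query: example.org IN ANY +E
07-Mar-2013 12:00:00.400 queries: info: client 198.51.100.5#41022: query: www.example.org IN A -
07-Mar-2013 12:00:00.900 queries: info: client 198.51.100.5#41023: query: example.org IN MX -
"""

# Assumption: query types whose answers are large relative to the question.
AMPLIFYING = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse(log_text):
    """Yield one dict per well-formed query-log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def suspected_reflection(records, threshold=5):
    """Return {src: count} for sources repeating the same amplifying query at
    least `threshold` times.  Under a reflection attack these 'sources' are the
    spoofed victim, not the attacker: rate-limit answers to them rather than
    putting them on a name-and-shame list."""
    per_src = defaultdict(Counter)
    for r in records:
        if r["qtype"] in AMPLIFYING:
            per_src[r["src"]][(r["qname"], r["qtype"])] += 1
    return {src: max(c.values()) for src, c in per_src.items()
            if max(c.values()) >= threshold}


if __name__ == "__main__":
    print(suspected_reflection(parse(SAMPLE_LOG)))   # {'203.0.113.9': 6}
```

The resolver at 198.51.100.5 never trips the check: its queries differ and are not amplifying. The address that does trip it is the one to protect (for example with response rate limiting), not the one to publish.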

27 of 336 comments

  1. Why name and shame? by Anonymous Coward · · Score: 3, Funny

    DDoS the DDoSers, that'll show em!

    1. Re:Why name and shame? by MysteriousPreacher · · Score: 3, Insightful

      I think someone needs a hug and his meds.

      --
      -- Using the preview button since 2005
  2. not sure "shame" will have much effect by Trepidity · · Score: 5, Insightful

    The vast majority of DDoS participants are infected computers in botnets, and their owners are typically unaware. Will they even notice your naming sufficiently to be ashamed? Maybe if it's a corporation it'd have some effect: publishing that you were hit by a DDoS that included X computers from BigCorp might make BigCorp look bad. But not so much if the botnet is a bunch of random home PCs.

    1. Re:not sure "shame" will have much effect by rtb61 · · Score: 2

      Do your government's legwork for them. Gather evidence and file a complaint with 'ALL' the appropriate regulatory authorities. Sure, some will lead overseas to 'somewhat dead ends', but enough complaints with evidence would result in powerful diplomatic pressure to pursue criminal investigation and prosecution. Unless appropriate authorities get a proper measure of the activity they cannot respond appropriately. Appropriately here means neither going bat shit insane with sting operations and massive stupid publicity campaigns when targeting particular selective groups, nor doing nothing at all, i.e. the typical balance, using the motoring analogy of traffic control.

      So upon complaint, collation of evidence, notification of sources of attacks, from the service provider to the end user, with a please explain (you found the problem and fixed it) or allow us direct exploratory investigation (we will check for a problem, set a trap and fix it) or a fine (you were the problem). Of course if individuals were doing more than DDOS protesting playing games et al and involved for example in credit card fraud then real prosecution and criminal penalties should apply.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:not sure "shame" will have much effect by TheEffigy · · Score: 3, Informative

      How about the service provider connecting those home computers to the net?

    3. Re:not sure "shame" will have much effect by tnk1 · · Score: 4, Insightful

      Not sure we want to encourage providers to start nosing around in their customers' traffic more than they already do.... Just saying.

    4. Re:not sure "shame" will have much effect by Threni · · Score: 2

      Reminds me of a mate who runs a few sites - every few days he gets amusing emails from irate idiots who've received spam from spammers who've randomly selected his site's email addresses as `reply-to` addresses, threatening to report him to the `internet police` or name and shame him etc. He used to reply to them, but now he's got a bunch of rules to just delete them, amusing as they are.

      So yeah, `naming and shaming` the ISP responsible for temporarily allocating a dynamic IP address to some granny who's used some Microsoft browser to access the wrong site and has ended up running a zombie server for an eastern european crime syndicate is as amusing as it is futile.

    5. Re:not sure "shame" will have much effect by Immerman · · Score: 2

      I'm not sure about that - seems like they already comb through for any information that might help their bottom line, noting at least trivially abnormal behavior such as DDOS participation or email spamming while they're at it and at least notifying the account holder that their system(s) may be compromised would seem to be basic responsible citizenship. Instead it seems to be treated as just more traffic to bring you closer to your data cap and those sweet, sweet overage charges.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    6. Re:not sure "shame" will have much effect by Immerman · · Score: 2

      Is it? We're not talking about site operators being spoofed, we're talking about the service providers that are actually connecting the zombified PCs to the 'net. The ISP knows exactly which account is using which IP address at any given moment, and could at least notify Granny that her computer/network may be compromised and she should run whatever the good free scanning suite du jour is. Similarly if they note that some private account is suddenly acting as a server sending hundreds or thousands of emails a day. Many/most of these companies are already doing deep packet inspection to throttle economically undesirable traffic; keeping an eye out for the most blatant symptoms of infected user PCs and notifying the account holders should be a trivial addition. It just doesn't put any money in their pocket to do so.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    7. Re:not sure "shame" will have much effect by davydagger · · Score: 2

      "The vast majority of DDoS participants are infected computers in botnets, and their owners are typically unaware."

      This.

      Also, you might never really know who's behind it.

    8. Re:not sure "shame" will have much effect by rvw14 · · Score: 2

      Pirating Britney Spears can net you a larger fine and longer jail term than hacking a bank.

      Of course the real punishment is having to listen to your pirated Britney Spears album.

  3. No by Anonymous Coward · · Score: 5, Interesting

    The only reason you can possibly have for publishing the IP addresses is to provoke vigilante justice type of actions, likely counter DDoS or something.
    What you should do is report him to the abuse department of his ISP. Note the responses of the ISPs and name and shame the ISPs that do not take action.
    IP addresses from bad ISPs should end up on a "botnet-friendly IP list" so we can start blocking the traffic from these ISPs.

    1. Re:No by VortexCortex · · Score: 5, Informative

      Note the responses of the ISPs and name and shame the ISPs that do not take action. IP addresses from bad ISPs should end up on a "botnet-friendly IP list" so we can start blocking the traffic from these ISPs.

      On a DoS or DDoS (special case of DoS) that's fine. On a reflective DDoS (RDDoS, a special case of both DDoS and DoS) you have a different situation. A denial of service (DoS) is any interruption of service, e.g., by flooding the server with SYN packets. A distributed denial of service (DDoS) is when the attack comes from multiple different places at once, e.g., a single connection may not be enough to take down a server with high bandwidth; however, if you coordinate the attack across many different connections then the overall traffic can eclipse even a high bandwidth server. With a DDoS the machines coordinating the attack may or may not belong to the attackers, but it's a good idea to contact the ISPs so that the IP holders can be notified that their systems may be infected with a botnet -- although this may not be the case, as I'll explain later. In a reflective distributed denial of service (RDDoS), the apparent IP addresses may belong to machines that were never under the control of any malicious software. Reporting these IPs would be pointless.

      When a server receives the first SYN (synchronize) packet of a TCP connection handshake, it replies with a SYN-ACK (acknowledgement & synchronization) to the source IP of the originating packet. Then an ACK is sent to the server to acknowledge the server's synchronization. This verifies both endpoints aren't spoofed. A RDDoS takes advantage of the fact that:
      0. The source IP address of the initial SYN packet can be spoofed (the "From" field can be bogus).
      1. The server sends a SYN-ACK before the connection endpoints have been verified.
      2. The TCP protocol allows several (five) retries of the SYN-ACK packet.

      In a RDDoS, a single malicious computer can spoof the "From" IP of a TCP connection, and spray it around to servers on the net. The bogus return IP address is that of the victim system. Thus, legitimate servers will flood the victim's connection with five SYN-ACK packets for each single packet the attacker sends. Thus the victim never has the attacker's IP address. To combat this, servers may pro-actively detect an IP that sends too many incomplete TCP connection requests, and block it. However, the attacker can have many IP addresses at their control (see: botnet) limited to just a few packets per hour sent to an entire Internet of servers. None of these infected machines will be revealing their IP addresses when they perform the reflective attack by spoofing the source IPs of their packets. What we need is for ISPs to block packets originating from their network that don't have correct return IP addresses... Not all ISPs do this.

      Now what if the attacker only has a single machine at their control and they perform an RDDoS? Why, the traffic pattern is identical to a DDoS -- Ah, I can hear your gears turning already: Can't the return IP addresses be checked to see if they're residential IPs, and thus victims of a botnet infection? Yes, but how do you differentiate the non-residential IPs between infected servers and non-infected servers? Just assume that the non-residential IPs aren't intentionally malicious? Yes, indeed, which is why RDDoS is a popular form of network DoS.

      I reiterate: What we need is for ISPs to block packets originating from their network that don't have correct return IP addresses; thus, spoofed packets are dropped at the source. You'd think with deep packet inspection now available this shallow packet inspection would be broadly adopted -- Ah, but this is electrons spent that don't directly benefit profits. IPsec was once a requirement of IPv6 adoption, and would defeat endpoint spoofing; however IPsec has been made optional for IPv6, so we can expect the RDDoS attacks to continue for quite some time.
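The comment above makes two practical points: at the victim, unsolicited SYN-ACKs identify reflectors rather than attackers, so those addresses are the wrong ones to report; at the ISP, dropping packets whose source address is not the provider's own stops spoofing at the source. The following is an added example, not code from the thread or from any project; the capture records and the customer prefix list are constructed here.

```python
"""Added example (not from the thread): separate reflectors from direct
senders in a SYN-based flood, and the ISP-side source address check that
would have stopped the spoofing.  All addresses are documentation ranges
and the records are constructed."""
from collections import Counter
import ipaddress

# Constructed victim-side capture: (src_ip, src_port, dst_port, flags)
# "SA" = SYN-ACK, "S" = SYN.  203.0.113.9 is the host doing the capturing.
CAPTURE = [
    ("198.51.100.20", 80, 40001, "SA"),   # SYN-ACK we never asked for
    ("198.51.100.20", 80, 40001, "SA"),   # retransmitted by the same reflector
    ("198.51.100.21", 443, 40002, "SA"),
    ("198.51.100.21", 443, 40002, "SA"),
    ("198.51.100.22", 25, 40003, "SA"),
    ("192.0.2.77", 51000, 80, "S"),       # direct SYN from a bot
    ("192.0.2.78", 51001, 80, "S"),
    ("192.0.2.77", 51002, 80, "S"),
    ("198.51.100.50", 443, 52000, "SA"),  # reply to a connection we really opened
]

# Connections this host initiated itself: (remote_ip, remote_port, local_port)
OUR_OUTBOUND = {("198.51.100.50", 443, 52000)}


def classify_flood(capture, outbound):
    """Return (reflectors, direct): Counters of packets per source IP.
    A SYN-ACK with no matching outbound connection is backscatter, so its
    sender was spoofed into replying; a SYN aimed at us comes from the bot
    (or from whatever its ISP let out)."""
    reflectors, direct = Counter(), Counter()
    for src, sport, dport, flags in capture:
        if flags == "SA":
            if (src, sport, dport) not in outbound:
                reflectors[src] += 1
        elif flags == "S":
            direct[src] += 1
    return reflectors, direct


# ISP side: drop egress packets whose source is not in the provider's own
# address space (the "block packets ... that don't have correct return IP
# addresses" the comment asks for).  Prefixes are an assumed example ISP.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "2001:db8::/32")]


def egress_allowed(src_ip, prefixes=CUSTOMER_PREFIXES):
    """True if the packet may leave the access network; a SYN carrying the
    victim's address as its source never gets past the edge."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


if __name__ == "__main__":
    reflectors, direct = classify_flood(CAPTURE, OUR_OUTBOUND)
    print("reflectors (do not report):", dict(reflectors))
    print("direct sources (abuse desk):", dict(direct))
    for src in ("192.0.2.10", "203.0.113.9"):
        print(src, "allowed out" if egress_allowed(src) else "dropped at edge")
```

The classifier only knows a SYN-ACK is unsolicited because the host keeps a record of what it opened; on a real box that record is the connection table or a flow log, and the direct SYN list is still only as honest as the sender's source address.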

  4. Fight back, it's easy. by Anonymous Coward · · Score: 2, Funny

    Easy, you post the name of the attacker on Slashdot in an article about a new supercool anything and have him slashdotted.

    1. Re:Fight back, it's easy. by Soluzar · · Score: 2

      Do sites still get slashdotted? I thought these days this place doesn't drive enough traffic for that. Could be mistaken.

  5. Two problems with that by stevegee58 · · Score: 5, Interesting

    1) It's DISTRIBUTED. You'd have to name and shame thousands.
    2) Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

  6. Yes name and shame will work! by Anonymous Coward · · Score: 2, Insightful

    You're being 'ddosed' from thousands of different IPs - list them all!

    Who cares if they're compromised computers - naming them will surely shame the botnet owners into submission!

    Was this question asked by an idiot?


  7. It's a first step by bill_mcgonigle · · Score: 4, Interesting

    Eventually we should have a reputation-based distributed admin function for the Internet. If a dozen high-rated NetOps guys all sign messages that say that a given IP is spewing DDoS traffic, the infrastructure should permit a block without the owning admin having to deal with it proactively.

    If a network doesn't participate, that could play into trust levels. If an admin screws up, he loses reputation. If an admin tends to advertise YouTube routes into Pakistan, he never gets a good reputation in the first place.

    As usual, it's all trade-offs and we don't yet have an extensible crypto-reputation system, so one thing at a time.

    To the original question - it's probably not going to do much good, but it's good to cultivate such expectations.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:It's a first step by symbolset · · Score: 4, Insightful

      Censoring the Internet is never the right answer.

      --
      Help stamp out iliturcy.
    2. Re:It's a first step by Onymous+Coward · · Score: 2

      That's simplistic.

      Autonomous systems should have the ability to publish opinion and the ability to filter.

      "Censoring is never right" as a response to reasonable filtering is like saying, "Every user should receive and read through all their spam."

  8. Not innocent by ElusiveJoe · · Score: 2, Insightful

    Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

    They are NOT innocent. They let their computers be used in stealing, censorship, blackmailing, spam and other evil stuff. It doesn't matter if it is stupidity, ignorance or malicious intent.

    If your car keeps hitting other cars you should hand over your license.

    1. Re:Not innocent by number17 · · Score: 2

      You are being ridiculous. This is like somebody smashing your window, hot-wiring the car, and then hitting other cars with it. The standard locking mechanisms are good enough to keep the ordinary criminal at bay. Sure, you can put immobilisers or wheel locks on the car, but those aren't yet standard. If it's something that happens repeatedly to you then start looking into more secure prevention methods.

  9. Give all the IP's to the RIAA by toygeek · · Score: 4, Funny

    Make up some story about how you tracked down a huge network of movie pirates.

  10. A more detailed proposal ... by Frater+219 · · Score: 5, Interesting

    Sites under DoS attack should publish (through a channel not congested by the attack) a list of the IP addresses attacking them, through some trustworthy third party. Then, other sites should subscribe to that list and refuse service to those addresses until they clean up and stop attacking.

    For instance, consider your uncle who uses AOL. His computer is infected with botnet garbage and is participating in a DoS attack against (say) Slashdot. Slashdot sends a list of attacking IPs, including your uncle's, to Team Cymru (the third party). Cymru aggregates these and publishes a list, updated every three hours. AOL subscribes to that list. When your uncle goes to check his AOL email, he gets an error: "We regret to inform you, your computer has been hacked, and is being used by criminals to break the Internet. You can't get to your AOL email until you kick the criminals off by installing an antivirus program and running a full scan. Click here to install Kaspersky Antivirus for free. Thank you for helping keep criminals from breaking everyone's Internet. Sincerely, Tim Armstrong, CEO, AOL."

    Then your uncle gets mad and calls up AOL and complains. They try walking him through using the antivirus program, but he just curses them out and says he'll go to Hotmail instead. He tries ... but Hotmail also subscribes to the same list and tells him the same thing: "Your computer is infected with malware and is being used to attack other sites on the Internet. You cannot obtain a Hotmail account until your computer is clean. Click here to install Microsoft Antivirus." He gives up and calls AOL back, and they help him get his computer cleaned up. Within half an hour, it's off the botnet; and within three hours, it's off the list of attacking hosts, and your uncle can get his AOL email again.

    1. Re:A more detailed proposal ... by Onymous+Coward · · Score: 2

      Excellent idea.

      You have described the XBL.

      The Spamhaus XBL, or "Exploits Block List", is a DNSBL (DNS-served blacklist) that lists IP addresses of systems known to be infected or otherwise being used by malicious parties. ("The XBL is an automatic system whose detectors need to receive email (spam, worms, etc.) directly from the IP address so the connection data can be analysed to determine if it's a proxy or virus-spewer.") The blacklist is developed in a way primarily to be useful in reporting systems exploited to send spam, but the idea is exactly what you're referring to.
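Frater 219's proposal and the XBL both come down to the same mechanics: victims report attacking addresses to a third party, the third party publishes a list that expires entries once they stop being reported, and consumers check it with a DNS lookup of the reversed address under a zone. The following is an added example, not Spamhaus code and not from the thread; the aggregator's "two independent reporters" rule and the `attackers.example` zone are assumptions made here, and the three-hour lifetime is taken from the post above.

```python
"""Added example (not Spamhaus code, not from the thread): how a DNSBL such
as the XBL is queried, and a toy aggregator of the kind Frater 219 describes.
Only query names are built; no network lookup is performed."""
import ipaddress

XBL_ZONE = "xbl.spamhaus.org"   # real zone, used here only to build a name
LISTING_TTL = 3 * 3600          # three hours, the refresh interval in the post
MIN_REPORTERS = 2               # assumption: one victim's say-so is not enough


def dnsbl_query_name(ip, zone=XBL_ZONE):
    """Name a DNSBL client looks up: octets (v4) or nibbles (v6) reversed,
    then the zone.  192.0.2.10 -> 10.2.0.192.xbl.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def dnsbl_listed(answer):
    """DNSBLs answer a listed address with something in 127.0.0.0/8 and an
    unlisted one with NXDOMAIN (represented as None here)."""
    return (answer is not None and
            ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"))


class AttackerAggregator:
    """Third party collecting attacker lists from victims and publishing the
    union; an entry drops off once nobody has reported it within the TTL."""

    def __init__(self, ttl=LISTING_TTL, min_reporters=MIN_REPORTERS):
        self.ttl = ttl
        self.min_reporters = min_reporters
        self.reports = {}   # ip -> {reporter: last_seen (seconds)}

    def report(self, reporter, ips, now):
        for ip in ips:
            key = str(ipaddress.ip_address(ip))   # normalise, reject junk
            self.reports.setdefault(key, {})[reporter] = now

    def listed(self, now):
        """IPs with enough distinct reporters inside the TTL window."""
        out = set()
        for ip, seen in self.reports.items():
            fresh = [r for r, t in seen.items() if now - t < self.ttl]
            if len(fresh) >= self.min_reporters:
                out.add(ip)
        return out

    def zone_records(self, now, zone="attackers.example"):
        """Publish the listing as DNSBL-style A records under an assumed zone."""
        return [f"{dnsbl_query_name(ip, zone)} A 127.0.0.2"
                for ip in sorted(self.listed(now))]


if __name__ == "__main__":
    agg = AttackerAggregator()
    agg.report("slashdot", ["192.0.2.10", "192.0.2.11"], now=0)
    agg.report("other-site", ["192.0.2.10"], now=600)
    print(agg.zone_records(now=1000))      # only 192.0.2.10 has two reporters
    print(agg.listed(now=3 * 3600 + 1))    # first report aged out: nothing listed
```

The minimum-reporter rule is the knob that trades the uncle's three-hour lockout against a single site mis-reporting a spoofed address; with reflected traffic (see the RDDoS discussion earlier in the thread) a lone victim's list would otherwise publish the reflectors.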

  11. Re:Simple.... by Firehed · · Score: 2

    And how are your website's users supposed to reach you in the meantime? As soon as you switch your DNS to point to the new servers, the DDOS follows. Try again.

    If anyone's found a solution better (or more cost-effective) than Prolexic or a similar DDOS-prevention service, do let me know. That's some crazy-stupid protection money we're paying out, but it has proven effective.

    --
    How are sites slashdotted when nobody reads TFAs?
  12. Re:do something useful instead by Gumbercules!! · · Score: 4, Interesting

    We got DDOS'd a while ago in our data centre. It turns out an ex-employee we let go (performance related) paid (yes, actually paid) some people in Germany (we're in Australia) to fire off a DDOS against our servers from wherever their bots were. Our upstream net provider blocked it for us. Yes: 1000s of IPs - because they used ICMP flooding - so they blocked ICMP traffic to us, upstream. Something we couldn't do ourselves but the ISP could do for us.

    So it's not such a stupid suggestion at all. Of course, had they all launched port 80 TCP connections against us, yes, we would have been in serious trouble but I suppose we could have asked them to block non-Australian traffic for the day or until it stopped - overseas traffic is really not a big deal for us.

    And for the record, the guy who kicked the whole thing off, we didn't bother to press charges, even though he bragged about it on Facebook (without first unfriending me, the idiot) because, thanks to the ISP, his efforts largely failed and we got some revenge when he tried to use us as a reference (and we were his only employers, so far).