San Francisco, CA
|reply to DaneJasper |
Re: Poor handling by sonic.net support - DDoS attack
Perhaps there should be two clases of security, one for inbound and one for outbound. Obviously, the outbound means the something bad came from the customers computer.
As for target of DDoS, it seems to be more common as if you looked at the MOTD, it seems like there is almost some type of DDoS attack every few months 3 to 4 months:
Atleast for this week, there would have been 2 DDoS attacks if you included my case.
I was just looking at a older thread »hmm... I seem to be offline from JohnInSJ and it seems like he got attacked too and what is it about all these attacks coming from France these days?
As far as filtering, if you don't filter, what happens to the traffic that was targetted at the customer that now doesn't exist as the customer is already offline but I'm sure it would still flood the rest of the sonic.net internal network and/or the other customers who share the same Redback SMS so in effect, it will still affect others unless you do something at the gateway.
So in response to the other post, what's the maximum length of time the customers link will be offline since it's better for the customer to know the worst case scenario instead of being in a panic situation because there is no ETA so assuming you said X amount of time which is the maximum possibility, there is always a chance it'll come back sooner.
Adam never made the point tht the NOC was in no hurry to put the link back online since all he did was said the customer was at fault to cause the issue and also the Network Admin is the one that decides on if the account itself should be locked up or not as it's on a case by case basis.
Now, if a customer is attacked over and over again, this has to mean the customer has done something to upset the attacker. Since that's what I meant that putting the customer offline will not do any good if that was the case because let's imagine that the customer gets attacked again as soon as you put the customer back online since if the attacker was pissed, they would have something that automatically attacks as soon as they can ping the host in question. It's no different that I had a ping to the sonic.net DNS server so that I'll know when the connection is back up.
As for the question of if you should terminate the access for the greater good, it depends since what would happen if the customer was under the 1 year term or something, they would have the early termination fee so even if you tell the customer to go find a new ISP, is sonic.net going to eat the early termination fee because that would end up costing sonic or are you still going to past the early termination fee to the customer?
As far as the two categories, I know I'm on the Unix like host on the network but not participate in IRC since I have not used IRC for longer than I can remember. Actually, there can be more than two categories like posting on a forum, newsgroups or sending e-mails that the attacker found offensive. While forums don't display IP addresses, what happens if it was the admin of the forums who was doing the attacking?
As for the first case, I know a few months ago that I was getting all these bounces for e-mail that was supposedly from me except it was email@example.com instead of firstname.lastname@example.org and basically the headers were forged so the original e-mail never originated from my network except they just forged the headers so that it would seem like it came from my network.
I always make it a priority to resolve the root issue because #1, I don't like my system compromise because unlike others who simply load a OS and can reformat, etc. All my work is on the system so I have to be crazy to not make it a priority as I don't want all my hard work to go down the drain especially when it's 15+ years of things that while it gets backed up at 4AM each morning to another HD on the machine, if the system is compromise, it's just too big of a risk. That was the reason why even when I talked to Kory initially and when put on hold, I looked at the trafshow output and also checked to see if there were any weird processes running since the later would tell me if the system is compromised or not.
I do have a question that never gotten answered, in my attack, was there a reason that the NOC didn't do anything after 7:43AM when the attacks started occuring and didn't even seem to have known about it until I called at 9:15AM since Kory even asked me to unplug the system and see if it made a difference or I can have the NOC shut down the circuit for a few hours. The former probably won't work because if it really was a targetted attack, I'll probably see the attack as soon as I plug it back in and in my mind, as long as I get th connection back by early afternoon, then it's fine. And if you could, can you provide more information on the attack in question other than the 125,000 packets per second since DDoS is really too generic as a smurf attack is still a DoS attack as curiousity kills.
DNA Logic Corporation