astirusty (Premium, join: 2000-12-23, Henderson, NV, AT&T Southwest)
reply to keith2468 | Re: BBR DDoS - going after the bad guys

said by keith2468:
Another thing would be for ISPs to be required to use egress filters, to ensure that packets originating from their retail customers have source IP addresses from their domains.

The egress and ingress filtering idea was discussed many, many moons ago. The answer for ISPs not doing it seems to come down to $$$ for the filtering.
keith2468 (Premium, MVM, join: 2001-02-03, Winnipeg, MB)

It is money for the egress filtering, that is correct. Egress filters do save money, but the problem is that they save money for your competitors and their customers.

I understand that in most cases egress filtering simply requires another rule in the routers (their routers being programmable) to reject packets on the local side that have source IPs outside of their domain. There is no new "egress filter box", just a rule added to an existing router.

But the rule would require a tiny bit of processor power on the router to enforce. Meaning a need to have a tiny fraction fewer customers on each router. Meaning ever so slightly higher costs.

And the cost savings primarily go to other ISPs and their customers.

The egress filters of ISP A protect against attacks originating on ISP A against customers of ISP B being made to appear to come from ISP C. ISP A pays for the filters, but the manpower and equipment savings go to ISP B and ISP C.

So it is an internet health issue. It would reduce costs overall for the internet community: reduced need for
- redundant systems,
- redundant lines,
- over-sized pipes,
- extra operations staff, and
- extra support staff,
all to reduce the impact of DoS attacks and to react to them.

It is a regulatory issue. Companies (ISPs and ISP customers) will save money if their competitors provide egress filters, more than enough money to provide their own.

The other argument against egress filters is that not all traffic leaving an ISP's domain actually originates there. Some is from other ISPs using their trunks to get from B to C.

Therefore you cannot easily install egress filters where traffic leaves (egresses from) an ISP.

The solution to that is easy.

The egress filtering should actually be done where traffic egresses from retail customers. That is, at some point after the customer and before the traffic enters a trunk line.

-----------

This doesn't help go after the guys who DoSed BBR Saturday night and Sunday, but so far as I know only coordinated efforts by ISPs while the attack is going on can do something like that.

Here is one technique: DoS Ingress tracking using ICMP backscatter (www.mynetwatchman.com/kb/securit···scat.htm). I have no idea if it would be effective in tracking the source of the kind of attack BBR suffered.

-- (Virus&Hijacking FAQ + Submit suspected malware + Backups FAQ + Security FAQ TOC)
EGeezer, Go Bobcats (Premium, join: 2002-08-04, Country!; Callcentric, RoadRunner Cable, AT&T CallVantage; 1 edit)
Who will filter and where?

I suspect that if egress filtering is attempted, the ISP will try to push it back on the customer in the form of required appliances or software at their point of entry. That way the ISP gets the benefit of cleaner bandwidth, no additional equipment or performance hits from added rules and filters - all without the cost to them. They sell it to the customer as a "security enhancement" for their benefit.

EDIT - It looks like backtracking would get you as far as the sending system. If that system is a bot, then one would need to examine it further. Since bots hardly ever have logs to identify their owner, the only way to track further would be to examine the bot code to see what the system did to obtain its instructions, or track all traffic out from the bot and figure out which was to the controller.
TheWiseGuy, Dog And Butterfly (Premium, MVM, join: 2002-07-04, Yonkers, NY)

The problem with pushing it onto a device in the customers' hands is that it is less secure than at the default gateway. If someone is spoofing packets, putting the device where they can attempt to hack/bypass it is much less secure. I'm not sure processing power is that much of the problem for the cable networks, since the CPU is normally not the limiting factor for the number of customers per port/CMTS.

Up until several years ago many ISPs didn't block any ports; now they are blocking them for "security against worms and spam" and in many cases having tiers to opt out of the blocking. Cablevision's BCOOL (Business Class OOL) allows port 25 outbound while OOL does not. The ISPs may have reached a point where they are able to configure the ACLs easily enough to start using them for egress filtering. Once you are running ACLs, the additional processing power needed to check the source address is not that great. Hopefully egress filtering will occur; still, it may take a major event to convince the ISPs to implement it.

Unfortunately, "DoS Ingress tracking using ICMP backscatter" won't help here, since the attacker is not spoofing packets; instead they are using bots that are making the TCP handshake, as has already been mentioned. So the bots are not spoofing the IP, and the IPs of the machines participating in the DDoS are known. Even assuming he is controlling the botnet with packets from spoofed IPs, this type of backtrace counts on more than a few packets being sent, so it probably won't help in tracking the controlling computers.

-- Dog and Butterfly
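To make concrete what keith2468's "rule added to an existing router" and TheWiseGuy's "ACLs for egress filtering" amount to, here is an added illustration that is not from any poster in this thread. It models source address validation in Python: an `edge_filter` applied at the customer-facing port (accept a packet only if its source lies in a prefix assigned to that port) beside a naive `trunk_filter` applied at the ISP's upstream trunk (accept only sources inside the ISP's own aggregate). Run over a constructed traffic mix, it shows why the filter belongs at the customer edge: the trunk filter drops legitimate transit traffic from ISP B to ISP C, while the edge filter catches both a spoofed foreign address and a spoofed address taken from a neighbouring customer on the same ISP. All prefixes, port names and packets are hypothetical values built from documentation address space.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical address plan for "ISP A" (RFC 5737 / RFC 3849
# documentation prefixes, not real customer space).
ISP_A_AGGREGATE = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("2001:db8:a::/48")]

# Constructed: which source prefixes are assigned behind each customer-facing port.
CUSTOMER_PORTS = {
    "port-1": [ipaddress.ip_network("198.51.100.0/30")],
    "port-2": [ipaddress.ip_network("198.51.100.4/30"),
               ipaddress.ip_network("2001:db8:a:2::/64")],
}


@dataclass(frozen=True)
class Packet:
    ingress: str  # where ISP A saw the packet enter: a customer port, or "peer-B" for transit
    src: str      # claimed source address
    dst: str


def edge_filter(pkt):
    """Source address validation at the customer edge.

    Accept only if src lies in a prefix assigned to that port. Transit traffic
    never arrives on a customer port, so it is simply not examined here.
    """
    nets = CUSTOMER_PORTS.get(pkt.ingress)
    if nets is None:  # not a customer port: nothing to validate at this hop
        return True
    addr = ipaddress.ip_address(pkt.src)
    # 'in' is False (not an error) when address and network families differ.
    return any(addr in n for n in nets)


def trunk_filter(pkt):
    """Naive filter at the trunk: accept only sources inside ISP A's own aggregate.

    This catches spoofing of foreign space but also drops legitimate transit
    traffic that ISP B is carrying across A's trunk towards ISP C.
    """
    addr = ipaddress.ip_address(pkt.src)
    return any(addr in n for n in ISP_A_AGGREGATE)


def run(filter_fn, packets):
    """Split packets into (accepted, dropped) according to filter_fn."""
    accepted = [p for p in packets if filter_fn(p)]
    dropped = [p for p in packets if not filter_fn(p)]
    return accepted, dropped


# Constructed traffic mix.
SAMPLE = [
    Packet("port-1", "198.51.100.2", "203.0.113.10"),      # legitimate customer
    Packet("port-2", "2001:db8:a:2::17", "2001:db8:c::1"),  # legitimate customer, IPv6
    Packet("port-1", "192.0.2.77", "203.0.113.10"),        # spoofed: another ISP's space
    Packet("port-1", "198.51.100.6", "203.0.113.10"),      # spoofed: ISP A space, but port-2's
    Packet("peer-B", "192.0.2.5", "203.0.113.10"),         # legitimate transit B -> C
]


def summary(filter_fn):
    """Return (accepted source list, dropped source list) for the sample traffic."""
    accepted, dropped = run(filter_fn, SAMPLE)
    return [p.src for p in accepted], [p.src for p in dropped]


if __name__ == "__main__":
    for name, fn in (("edge", edge_filter), ("trunk", trunk_filter)):
        acc, drop = summary(fn)
        print(f"{name:5s} accepted={acc}")
        print(f"{name:5s} dropped={drop}")
```

The per-port check is the only one of the two that tells the neighbouring-customer spoof (198.51.100.6 arriving on port-1) from real traffic, which is also the reason it has to sit on the customer side of the trunk: once traffic is aggregated, the router no longer knows which port a source prefix belongs to.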
Gelroos, Mad Mage (Premium, join: 2003-05-23, Wilmington, DE)

Bah, anyone trying this against a board like BBR would likely make the bots check into a newsgroup for new instructions. Anyone worth the effort to find knows that if you use IRC, eventually they will reverse the code and find the IRC channel, then it is merely a matter of paying attention to all the variables. But the beauty of using newsgroups is that you can theoretically use ANY of them as long as you put a signature in each post that tells the bot that this is authorized and then to process the order. The amount of information parsed by the average news server a day makes for A LOT of clutter to hide in. Send a message every 48 hours to change to a signature, and you have a very difficult, albeit slow, communications link to intercept. The best part is that if/when they figure it out, you still are posting thru 8-9 anonymous chains, aren't you? This makes zombie army control very "safe" for the operator.

-- The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants. It is its natural manure. The "Tree of Liberty" letter from Thomas Jefferson to William Smith