[nycbug-talk] dns abuse

Miles Nordin carton at Ivy.NET
Wed Jan 21 13:38:39 EST 2009

>>>>> "ak" == Andy Kosela <akosela at andykosela.com> writes:

    ak> exactly the same kind of DoS attack can be successful if using
    ak> com or net servers instead of root.

It sounds like any query will work for that purpose as long as the
answer is bigger than the question, so I'm not sure there's a ``bug''
or ``vulnerability'' in the server software to fix.  We're back to the
old problem of the new commercial-ISP-landscape providing zero
stewardship towards fixing the DDoS problem overall.

The real fix is something like RPF.  For example, if you had:

 * a flag in the header of each packet indicating that it comes from a
   member of the RPF-implementing ISP Brotherhood, and its source
   address is semi-trustworthy

 * a mailsieve-like architecture for instructing your ISP to install
   traffic filters on your behalf

then you could load the victim's IP's into your sieve and say ``from
these victim IP's, accept flagged traffic only.''  You could also
install a bunch of really aggressive IDS filters for non-Brotherhood
traffic, which would at times give false positives, giving users an
incentive to pick ISP's that have joined the RPF Brotherhood, the way
they now have incentive to pick ISP's with anti-spam AUP's.  If your
site isn't fully public, you could even say something like ``I only
accept TCP and VPN-UDP traffic from outside the RPF brotherhood.''
Let the non-RPF people time out and use your secondary DNS.  Finally
the victim could maybe add himself to a ``default sieve''---declare,
analogous to email SPF, that ``all my traffic should carry the flag,''
stopping the attack himself once he notices that he's getting DDoSed,
before you notice it.

In this particular neosmurf attack you don't even need the second
sieve piece because the traffic is so small you could block it with
your own firewall, if your firewall could see the RPF Brotherhood
Header Flag.  But for other types of DDoS the sieve is needed, and
also needed is the idea that goes along with it, that I should have
the right to declare which traffic I'm paying to receive, and if I add
it to the sieve I don't want to receive it or pay for it.  I think the
right to mark your traffic with the Flag should require that you
operate a sieve and don't charge customers for sieve-filtered traffic.

The sieve is also likely to be part of a truly neutral QoS
architecture, so we need a wedge to force this complexity into the
network.  The idea is, once these incentives are in place, ISP's will
want to spread sieve data through the routing mesh so they don't have
to carry these unwanted packets.  Probably they will end up being
blocked at the edge of the Brotherhood, so DDoSes will only overwhelm
links to non-Brotherhood ISP's.

Given what we have now, maybe the best thing to do would be to blame
the victim.  Who are your machines being used to attack?  Do you know
anything about this guy?  I bet he's a real shady character, meaning I
bet he has shady friends and acquaintances.  This kind of person is
always causing problems.  He was probably asking for it, by insulting
someone on irc.  What did he expect to happen, failing to grovel
before someone who was obviously a pheersome bot-herder?  Have this
idiot kicked off the internet for his own stupidity.  He's a
troublemaker.  Anyway, there always seems to be trouble around him,
and that's all I need to know.  I've already spent more time on him
than I'm willing, so it's just, fucking, done.  Why can't he just
browse the web and watch Youtube like everyone else?  His weird
behavior is using up MY time and attention.

We should find out who is the victim's ISP, and block all their IP
space---if they still allow irc-hosting, then they will be a
problem tomorrow as well as today.  People are just going to keep
spoofing them!  So you may as well block all their traffic to stop the
Network Abuse at your site.  Force people to communicate through some
proprietary commercial ad-supported medium like AIM or MySpaceIM or
Facebook-httpchat by blocking anyone involved in hosting or using irc.
We want only ``clean'' traffic at our site: traffic mediated and
censored by some funded corporation that can declare arbitrary
policies with which you must agree to participate, log everything, and
kick off anyone who makes Trouble without recourse.  I mean, at least
these big corporations have a _stake_ in cooperating, right, as
opposed to R4ndomDD05SH3LLZ.net.  It's these fucking small businesses
doing weird things and mouthy irc people who patronize them that are
causing the network abuse problem by riling up the hackers with their
irc-mockery and vitriolic insults.  Not a ``vulnerability'' in DNS.
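Detection logic for the point made at the top of the message, that the abuse works with any query whose answer is bigger than the question: an added example, not part of the original thread. The log format, addresses and sizes are constructed; it flags "clients" whose aggregate answer bytes dwarf their query bytes, which on a reflecting server identifies the spoofed victim rather than the attacker.

```python
"""Flag likely DNS reflection/amplification abuse in constructed query logs.

Assumed (constructed) log format, one line per answered query:
"<ts> <client> <qname> <qtype> <query_bytes> <response_bytes>".
"""
from collections import defaultdict

# Constructed sample: a few normal lookups plus a burst of small questions
# with large answers, all "from" one address (the spoofed victim).
SAMPLE_LOG = """\
1232563000 192.0.2.10 www.example.com A 45 61
1232563001 192.0.2.11 mail.example.com MX 46 90
1232563002 198.51.100.7 . ANY 29 512
1232563002 198.51.100.7 . ANY 29 512
1232563002 198.51.100.7 . ANY 29 512
1232563003 198.51.100.7 . ANY 29 512
1232563003 198.51.100.7 . ANY 29 512
1232563004 192.0.2.12 example.com TXT 40 150
"""

def parse_log(text):
    """Yield (ts, client, qname, qtype, qbytes, rbytes) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, qbytes, rbytes = line.split()
        yield int(ts), client, qname, qtype, int(qbytes), int(rbytes)

def find_amplified_clients(records, min_ratio=5.0, min_queries=3):
    """Return {client: (query_count, amplification_ratio)} for clients whose
    total response bytes exceed total query bytes by min_ratio over at least
    min_queries queries.  Aggregating per client is the point: the signal is
    "answer much bigger than question, repeated toward one address"."""
    qbytes, rbytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for _ts, client, _qname, _qtype, qb, rb in records:
        qbytes[client] += qb
        rbytes[client] += rb
        count[client] += 1
    flagged = {}
    for client in count:
        ratio = rbytes[client] / qbytes[client]
        if count[client] >= min_queries and ratio >= min_ratio:
            flagged[client] = (count[client], round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for client, (n, ratio) in find_amplified_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {n} queries, {ratio}x amplification (likely spoofed victim)")
```

A real deployment would window by time and rate-limit or drop responses toward the flagged address rather than just print it.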