[Mimedefang] monkeys.dom UPL being DDOSed to death

Justin Shore listuser at numbnuts.net
Wed Sep 24 00:06:02 EDT 2003


On Tue, 23 Sep 2003, John Von Essen wrote:

> Hmmm...
> 
> DDOS attacks are something that DNSBL providers are going to have to 
> deal with. No offense, but the reason why these DNSBL's are going down 
> might be due to the fact that they are easy targets.

True, they should be expected.  To this extent though, no.  These attacks 
are truly massive.

> I am not familiar with the infrastructure being used at monkeys, but if 
> it is a T1 with a couple Linux boxes, then there is no surprise that it 
> was killed.

Dead-on easy target.  As I understand it though most of these boxes are
colo boxes.  The uber secret master might be on the author's DSL or cable
line but the servers themselves are all hosted somewhere I believe.  That
makes sense at least. Every server associated with the DNSBL operation is
being attacked.  The provider and its associated HW is being directly
attacked.  And IIRC I read that one DNSBL maintainer's other non-related
customer-type boxes were being attacked.  It's apparently a no-holds-barred 
event.

> Now... If you have a nice fat pipe, good firewall and load balancing 
> hardware, good IDS systems that prevent all the spoofed packets from 
> entering network, then it would be hard to take down.

Here's part of the problem.  How does the recipient filter a spoofed
packet?  How do you know that the packet really was spoofed?  Really you
don't.  The only reason these "spoofed" attacks are able to flourish is
because there are some of the stupidest sons of bitches imaginable
running ISPs across the world that aren't competent enough to do basic,
rudimentary egress filtering.  If netadmins wouldn't allow traffic to leave 
their network that doesn't claim to be from one of the provider's IPs (or 
customers, yadda yadda) then spoofing simply wouldn't be possible.  Then 
you would have accurate targets to track down.

In this case though I believe most of the attacking hosts aren't actually 
spoofing their traffic.  From what I've heard they are simply compromised 
Windows boxes with open proxies.

> These DDOS attacks are really a threat to the small (but capable) 
> resources out there. It all comes down to money. The DNSBL's don't have 
> big time cash - even though they should by virtue of what they are 
> doing. For example, in SpamAssassin you are only supposed to activate 
> SPAMCOP if you donate to them. In reality, how many people actually 
> follow that honor system.

These particular attacks could easily bring down large installations as 
well.  They can scale very well.  They depend on the fact that few users 
ever apply security updates to their Windows boxes.  Those people alone 
present a staggering number of vulnerable hosts to anyone with the 
ability to write a virus.  Easy prey for fat predators.

I agree, DNSBL projects should receive funding.  At the very least one
would think that large providers would colo DNSBL services for the good PR
if nothing else.  Someday, when I'm rich, I want to set up a nice load
balanced cluster that peers with as many providers as possible and donate
its resources to any and all DNSBLs out there.  Someday.  This is one of
my goals.  Being rich is a requirement of course.

Justin
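The source-address egress filtering Justin describes above (BCP 38 / RFC 2827: only forward packets whose source address belongs to a prefix your network or your customers actually hold) is simple enough to show in a few lines.  The following is an added example, not code from the original post or from any DNSBL or provider; the provider prefixes are hypothetical documentation ranges and the flow records are constructed, not real traffic.

```python
import ipaddress

# Added example, not from the original post. The prefixes below are
# hypothetical provider allocations (documentation ranges); a real ISP would
# load its own assigned blocks plus the routes its customers announce to it.
PROVIDER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_permitted_source(src, prefixes=PROVIDER_PREFIXES):
    """True if src is an address this network is entitled to originate.

    Anything else trying to leave the border is, by definition, spoofed or
    misconfigured, and BCP 38-style egress filtering drops it rather than
    letting the rest of the Internet guess where it came from.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: never forward it
    return any(addr in net for net in prefixes if net.version == addr.version)


# Constructed sample of outbound flow records as an edge router might log
# them: (source, destination, protocol/port). Not real traffic.
SAMPLE_EGRESS_FLOWS = [
    ("192.0.2.10",     "203.0.113.5",   "udp/53"),  # legitimate customer host
    ("198.51.100.77",  "203.0.113.5",   "tcp/25"),  # legitimate customer host
    ("203.0.113.200",  "203.0.113.5",   "udp/53"),  # source belongs to someone else
    ("10.0.0.1",       "203.0.113.5",   "udp/53"),  # RFC 1918: must never leave
    ("2001:db8::1",    "2001:db8:ff::1", "udp/53"), # legitimate v6 source
    ("2001:db9::1",    "2001:db8:ff::1", "udp/53"), # spoofed v6 source
    ("not-an-address", "203.0.113.5",   "udp/53"),  # garbage in the log
]


def filter_egress(flows, prefixes=PROVIDER_PREFIXES):
    """Split flow records into (forwarded, dropped) by source-address check."""
    forwarded, dropped = [], []
    for rec in flows:
        (forwarded if is_permitted_source(rec[0], prefixes) else dropped).append(rec)
    return forwarded, dropped


def spoofed_sources(flows, prefixes=PROVIDER_PREFIXES):
    """Distinct source addresses that the filter would have dropped.

    With the filter in place these hosts never reach the victim; without it,
    this is the list an operator is stuck trying to trace back to nothing.
    """
    _, dropped = filter_egress(flows, prefixes)
    return sorted({rec[0] for rec in dropped})


if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_EGRESS_FLOWS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for rec in drop:
        print("DROP", *rec)
```

On real edge gear the same check is an outbound ACL permitting only the provider's prefixes as sources, or unicast RPF on the customer-facing interfaces; the point of the example is only that the decision needs nothing but the list of prefixes you are entitled to originate, which is why the post calls its absence inexcusable.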



