
You're Being DDOSed — What Do You Do? Name and Shame?

Soulskill posted about a year ago | from the stop-drop-and-roll-doesn't-work dept.

Networking 336

badger.foo writes "When you're hit with a DDOS, what do you do? In his most recent column, Peter Hansteen narrates a recent incident that involved a DNS based DDOS against his infrastructure and that of some old friends of his. He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)? How about scans that may or may not be preparations for DDOSes to come?"


336 comments

Why name and shame? (3, Funny)

Anonymous Coward | about a year ago | (#42390509)

DDoS the DDoSers, that'll show em!

Re:Why name and shame? (-1, Troll)

gVibe (997166) | about a year and a half ago | (#42391351)

Hey moron...The first D stands for Distributed. Do you know what Distributed means? It means your tiny, single computer connected to the Net won't do crap to another single computer connected to the Net...let alone a 1000 single computers connected to the Net. Anonymous Coward? More like Asinine Coward.

not sure "shame" will have much effect (5, Insightful)

Trepidity (597) | about a year ago | (#42390545)

The vast majority of DDoS participants are infected computers in botnets, and their owners are typically unaware. Will they even notice your naming sufficiently to be ashamed? Maybe if it's a corporation it'd have some effect: publishing that you were hit by a DDoS that included X computers from BigCorp might make BigCorp look bad. But not so much if the botnet is a bunch of random home PCs.

Re:not sure "shame" will have much effect (2)

rtb61 (674572) | about a year ago | (#42390691)

Do your government's legwork for them. Gather evidence and file a complaint with 'ALL' the appropriate regulatory authorities. Sure, some will lead overseas to 'somewhat dead ends', but enough complaints with evidence would result in powerful diplomatic pressure to pursue criminal investigation and prosecution. Unless appropriate authorities get a proper measure of the activity they can not respond appropriately. Appropriately here means neither going bat shit insane with sting operations and massive stupid publicity campaigns when targeting particular selective groups, nor doing nothing at all, i.e. the typical balance, using the motoring analogy of traffic control.

So upon complaint: collation of evidence, notification of the sources of attacks from the service provider down to the end user, with a 'please explain' (you found the problem and fixed it), or allow us direct exploratory investigation (we will check for a problem, set a trap and fix it), or a fine (you were the problem). Of course, if individuals were doing more than DDOS protesting, playing games et al., and were involved for example in credit card fraud, then real prosecution and criminal penalties should apply.

Re:not sure "shame" will have much effect (0, Troll)

girlintraining (1395911) | about a year and a half ago | (#42391289)

enough complaints with evidence would result in powerful diplomatic pressure to pursue criminal investigation and prosecution.

Diplomatic pressure? Uhh, no. My aunt recently had her car totally destroyed by a vandal; over $10,000 worth of damages. The police didn't even want to come out and wouldn't take a report unless it was over the phone. And this was with some pretty compelling evidence of who'd done it as well. What exactly makes you think it's somehow different when you spam the same information to a large number of people? Law enforcement is not available to people like you; you haven't paid your dues.

Appropriately here means neither going bat shit insane with sting operations and massive stupid publicity campaigns when targeting particular selective groups, nor doing nothing at all, i.e. the typical balance, using the motoring analogy of traffic control.

Pirating Britney Spears can net you a larger fine and longer jail term than hacking a bank. Please tell me more about this "typical balance" you speak of.

Of course, if individuals were doing more than DDOS protesting, playing games et al., and were involved for example in credit card fraud, then real prosecution and criminal penalties should apply.

"real prosecution and criminal penalties" are levied against the politically active far more often and severely than those levied against people who were just trying to make a profit. You may recall the entire Occupy protest movement over the failure of the government to prosecute such individuals, who perpetuated a lot more than just "credit card fraud" against the American public. You might also recall now who's on all the government terror watch lists, in jail, or otherwise convicted of various crimes. I'll give you a hint: Not the multi-billion dollar thieves, but the victims.

Re:not sure "shame" will have much effect (0)

Aighearach (97333) | about a year and a half ago | (#42391343)

Are you sure there isn't anything else you can be wrong about while you're at it?
So many details, all of them absurd and wrong. Get back to your training and stay off the lawn.

Re:not sure "shame" will have much effect (3, Informative)

TheEffigy (2666397) | about a year ago | (#42390699)

How about the service provider connecting those home computers to the net?

Re:not sure "shame" will have much effect (4, Insightful)

tnk1 (899206) | about a year ago | (#42390745)

Not sure we want to encourage providers to start nosing around in their customers' traffic more than they already do.... Just saying.

Re:not sure "shame" will have much effect (2)

Immerman (2627577) | about a year and a half ago | (#42391201)

I'm not sure about that - seems like they already comb through for any information that might help their bottom line, noting at least trivially abnormal behavior such as DDOS participation or email spamming while they're at it and at least notifying the account holder that their system(s) may be compromised would seem to be basic responsible citizenship. Instead it seems to be treated as just more traffic to bring you closer to your data cap and those sweet, sweet overage charges.

Re:not sure "shame" will have much effect (1)

MBCook (132727) | about a year and a half ago | (#42391267)

I understand we don't want them watching what we're buying on Amazon, but isn't part of their responsibility as a network operator to ensure that their network isn't actively harming others?

Re:not sure "shame" will have much effect (0)

Anonymous Coward | about a year and a half ago | (#42391299)

Like "actively harming" media companies by filesharing?

Re:not sure "shame" will have much effect (1)

Anonymous Coward | about a year and a half ago | (#42391331)

My network has become infested in the past and my isp has noticed. Not through packet inspection, but because someone else outside their network noticed the amount of spam / malicious packets coming from their ip and blocked them. That caused them to investigate, which got us blocked and a stern phonecall saying "We will not reconnect you until you find what is wrong". I see that being perfectly fine. DDOSing is the same. Somebody notices your ip causing it, goes to your ISP and they handle it from there. We lost a bit of service but in the end, everybody won.

Re:not sure "shame" will have much effect (2)

Threni (635302) | about a year ago | (#42390823)

Reminds me of a mate who runs a few sites - every few days he gets amusing emails from irate idiots who've received spam from spammers who've randomly selected his site's email addresses as `reply-to` addresses, threatening to report him to the `internet police` or name and shame him etc. He used to reply to them, but now he's got a bunch of rules to just delete them, amusing as they are.

So yeah, `naming and shaming` the ISP responsible for temporarily allocating a dynamic IP address to some granny who's used some Microsoft browser to access the wrong site and has ended up running a zombie server for an eastern european crime syndicate is as amusing as it is futile.

Re:not sure "shame" will have much effect (2)

Immerman (2627577) | about a year and a half ago | (#42391271)

Is it? We're not talking about site operators being spoofed, we're talking about the service providers that are actually connecting the zombified PCs to the 'net. The ISP knows exactly which account is using which IP address at any given moment, and could at least notify Granny that her computer/network may be compromised and she should run whatever the good free scanning suite du-jour is. Similarly if they note that some private account is suddenly acting as a server sending hundreds or thousands of emails a day. Many/most of these companies are already doing deep packet inspection to throttle economically undesirable traffic, keeping an eye out for the most blatant symptoms of infected user PCs and notifying the account holders should be a trivial addition, it just doesn't put any money in their pocket to do so.

Re:not sure "shame" will have much effect (2)

davydagger (2566757) | about a year and a half ago | (#42391305)

"The vast majority of DDoS participants are infected computers in botnets, and their owners are typically unaware."

This.

Also, you might never really know who's behind it.

Is this a serious question (1)

Anonymous Coward | about a year ago | (#42390559)

He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)?

Next up, someone broke into my house; is some stern criticism in order?

Hey, how about you give the evidence to the police?

Yes (1)

Anonymous Coward | about a year ago | (#42390581)

Publish. Shame. Maim. Cripple. What ever it takes to get some measure of satisfaction.

We had this type of DDoS attack. 1 - 2 million requests per hour against a small VPS. Bind wasn't running but it didn't matter; the requests kept coming for weeks. We cloned the VPS so we'd get another IP, switched things over and abandoned the first VPS.

Backups people. Have backups of your code, configs and databases.

No (5, Interesting)

Anonymous Coward | about a year ago | (#42390583)

The only reason you can possibly have for publishing the IP addresses is to provoke vigilante justice type of actions, likely counter ddos or something.
What you should do is report him to the abuse department of his ISP. Note the responses of the ISP's and name and shame the ISP's that do not take action.
IP addresses from bad ISP's should end up on a "botnet-friendly ip list" so we can start blocking the traffic from these isp's.

Re:No (5, Informative)

VortexCortex (1117377) | about a year and a half ago | (#42391629)

Note the responses of the ISP's and name and shame the ISP's that do not take action. IP addresses from bad ISP's should end up on a "botnet-friendly ip list" so we can start blocking the traffic from these isp's.

On a DoS or DDoS (special case of DoS) that's fine. On a reflective DDoS (RDDoS, a special case of both DDoS and DoS) you have a different situation. A denial of service (DoS) is any interruption of service, e.g., by flooding the server with SYN packets. A distributed denial of service (DDoS) is when the attack comes from multiple different places at once, e.g., a single connection may not be enough to take down a server with high bandwidth; However if you coordinate the attack across many different connections then the overall traffic can eclipse even a high bandwidth server. With a DDoS the machines coordinating the attack may or may not belong to the attackers, but it's a good idea to contact the ISPs so that the IP holders can be notified that their systems may be infected with a bot-net -- Although, this may not be the case, as I'll explain later. In a reflective distributed denial of service (RDDoS), the apparent IP addresses may belong to machines that were under the control of any malicious software. Reporting these IPs would be pointless.

When a server receives the first SYN (synchronize) packet of a TCP connection handshake, it replies with a SYN-ACK (acknowledgement & synchronization) to the source IP of the originating packet. Then an ACK is sent to the server to acknowledge the server's synchronization. This verifies both endpoints aren't spoofed. An RDDoS takes advantage of the fact that:
0. The source IP address of the initial SYN packet can be spoofed (the "From" field can be bogus).
1. The server sends a SYN-ACK before the connection endpoints have been verified.
2. The TCP protocol allows several (five) retries of the SYN-ACK packet.

In an RDDoS, a single malicious computer can spoof the "From" IP of a TCP connection, and spray it around to servers on the net. The bogus return IP address is that of the victim system. Thus, legitimate servers will flood the victim's connection with five SYN-ACK packets for each single packet the attacker sends. Thus the victim never has the attacker's IP address. To combat this servers may pro-actively detect an IP that sends too many incomplete TCP connection requests, and block it. However, the attacker can have many IP addresses at their control (see: botnet) limited to just a few packets per hour sent to an entire Internet of servers. None of these infected machines will be revealing their IP addresses when they perform the reflective attack by spoofing the source IPs of their packets. What we need is for ISPs to block packets originating from their network that don't have correct return IP addresses... Not all ISPs do this.

Now what if the attacker only has a single machine at their control and they perform an RDDoS? Why, the traffic pattern is identical to a DDoS -- Ah, I can hear your gears turning already: Can't the return IP addresses be checked to see if they're residential IPs, and thus victims of a botnet infection? Yes, but how do you differentiate the non-residential IPs between infected servers and non infected servers? Just assume that the non-residential IPs aren't intentionally malicious? Yes, indeed, which is why RDDoS is a popular form of network DoS.

I reiterate: What we need is for ISPs to block packets originating from their network that don't have correct return IP addresses; Thus, spoofed packets are dropped at the source. You'd think with deep packet inspection now available this shallow packet inspection would be broadly adopted -- Ah, but this is electrons spent that don't directly benefit profits. IPsec [wikipedia.org] was once a requirement of IPv6 adoption, and would defeat endpoint spoofing, however IPSec has been made optional for IPv6, so we can expect the RDDoS attacks to continue for quite some time.
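The two mechanisms in the post above, as an added Python example that is not part of the thread: the "drop packets that leave your network without one of your own source addresses" rule (the standard name for it is ingress filtering, BCP 38 / RFC 2827), and the victim-side symptom of a SYN-ACK reflection attack, SYN-ACKs arriving for connections the victim never opened. Every address and packet record is constructed for the example (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the filter and detector are illustrative, not any ISP's or vendor's actual rules.

```python
"""Added example, not part of the original thread: two small checks for the
source-address spoofing the post describes. All addresses and packet records
are constructed.

bcp38_egress_filter() is the border rule a source ISP would apply so spoofed
SYNs never reach a reflector. unsolicited_synacks() is what a victim can
measure: SYN-ACKs that answer no SYN it ever sent, keyed by reflector.
"""
from collections import Counter
from ipaddress import ip_address, ip_network


def pkt(src, dst, sport, dport, flags):
    """Minimal packet record; flags is 'S' (SYN) or 'SA' (SYN-ACK)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def bcp38_egress_filter(allowed_prefixes, packets):
    """Split outbound packets into (forwarded, dropped).

    A packet is forwarded only if its source address lies inside a prefix this
    network legitimately originates; anything else is spoofed (or misrouted)
    and is dropped at the border before it can be reflected at a victim.
    """
    nets = [ip_network(p) for p in allowed_prefixes]
    forwarded, dropped = [], []
    for p in packets:
        src = ip_address(p["src"])
        (forwarded if any(src in n for n in nets) else dropped).append(p)
    return forwarded, dropped


def unsolicited_synacks(packets, my_addr):
    """Count SYN-ACKs to my_addr that do not answer a SYN my_addr sent.

    A legitimate SYN-ACK matches a (peer, peer_port, my_port) triple recorded
    when we sent the SYN; a reflected one (the attacker spoofed our address
    on the SYN) has no such entry. Returns a Counter keyed by reflector.
    """
    opened = set()
    reflectors = Counter()
    for p in packets:
        if p["flags"] == "S" and p["src"] == my_addr:
            opened.add((p["dst"], p["dport"], p["sport"]))
        elif p["flags"] == "SA" and p["dst"] == my_addr:
            if (p["src"], p["sport"], p["dport"]) not in opened:
                reflectors[p["src"]] += 1
    return reflectors


def example_egress():
    """ISP 203.0.113.0/24: one honest SYN plus two SYNs spoofed as the victim."""
    victim = "198.51.100.10"
    outbound = [
        pkt("203.0.113.20", "192.0.2.50", 40001, 443, "S"),  # real customer
        pkt(victim, "192.0.2.1", 12345, 80, "S"),            # spoofed by 203.0.113.7
        pkt(victim, "192.0.2.2", 12345, 80, "S"),            # spoofed by 203.0.113.7
    ]
    return bcp38_egress_filter(["203.0.113.0/24"], outbound)


def example_victim():
    """Victim 198.51.100.10: one real handshake plus reflected SYN-ACKs.

    Each reflector retransmits its unanswered SYN-ACK; the constructed trace
    uses the five retries the post mentions, so one spoofed SYN per reflector
    becomes five packets at the victim.
    """
    victim = "198.51.100.10"
    trace = [pkt(victim, "192.0.2.50", 40000, 443, "S"),
             pkt("192.0.2.50", victim, 443, 40000, "SA")]
    for reflector in ("192.0.2.1", "192.0.2.2"):
        trace += [pkt(reflector, victim, 80, 12345, "SA")] * 5
    return unsolicited_synacks(trace, victim)


if __name__ == "__main__":
    fwd, drop = example_egress()
    print("forwarded:", [p["src"] for p in fwd], "dropped:", [p["src"] for p in drop])
    print("reflectors:", dict(example_victim()))
```

The victim-side count is only useful for deciding that you are a reflection target and which servers are being bounced off; the addresses it yields are the reflectors, not the attacker, which is the point the post makes about not reporting them as botnet members.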

Fight back, it's easy. (2, Funny)

Anonymous Coward | about a year ago | (#42390595)

Easy, you post the name of the attacker on Slashdot in an article about a new supercool anything and have him slashdotted.

Re:Fight back, it's easy. (2)

Soluzar (1957050) | about a year ago | (#42390861)

Do sites still get slashdotted? I thought these days this place doesn't drive enough traffic for that. Could be mistaken.

One more notch down to hell (0)

Jetra (2622687) | about a year ago | (#42390609)

Seems that 2013 is going to be the Year of Shame. Since politicians can't pass the bills they want, they're instead using data against us. *Clapping* Great job, now we can't fight back because all our base belongs to them.

Re:One more notch down to hell (0)

Anonymous Coward | about a year ago | (#42390761)

Not true! They don't have all our health care data yet!

That's next year.

do something useful instead (1, Insightful)

swschrad (312009) | about a year ago | (#42390615)

contact the ISPs involved, tell them to yank the bad boys' service or you will blackhole them.

Re:do something useful instead (0)

Anonymous Coward | about a year and a half ago | (#42391011)

read the fucking article, he did that. I need to stop reading comments on here, gone the way of Reddit. Insightful as my arsehole.

Re:do something useful instead (1)

gVibe (997166) | about a year and a half ago | (#42391323)

NOT INSIGHTFUL!! Geez, who is modding these posts? Really? Tell the ISP to yank literally 1000's of connections. And just how do you intend on black holing an ISP? Your minute little single internet connection isn't going to make a ripple on an ISP with a strongly connected backbone.

Re:do something useful instead (4, Interesting)

Gumbercules!! (1158841) | about a year and a half ago | (#42391409)

We got DDOS'd a while ago in our data centre. It turns out an ex employee we let go (performance related) paid (yes, actually paid) some people in Germany (we're in Australia) to fire off a DDOS against our servers from wherever their bots were. Our upstream net provider blocked it for us. Yes: 1000's of IPs - because they used ICMP flooding - so they blocked ICMP traffic to us, upstream. Something we couldn't do ourselves but the ISP could do for us.

So it's not such a stupid suggestion at all. Of course, had they all launched port 80 TCP connections against us, yes, we would have been in serious trouble but I suppose we could have asked them to block non-Australian traffic for the day or until it stopped - overseas traffic is really not a big deal for us.

And for the record, the guy who kicked the whole thing off, we didn't bother to press charges, even though he bragged about it on Facebook (without first unfriending me, the idiot) because, thanks to the ISP, his efforts largely failed and we got some revenge when he tried to use us as a reference (and we were his only employers, so far).

Urrrr, you sure those addresses are right? (1)

Anonymous Coward | about a year ago | (#42390623)

Spoofing is more than trivial, and anyone but the dumbest do this to cover their tracks and keep law enforcement back-tracking from a botnet node back to the perp.

Better to track the traffic back over the 'net (using CEF-forwarding tables or ACL etc.) with the help of the relevant ISPs.

If the end ISP isn't helpful, shame them and their upstream peers.

Dom

Re:Urrrr, you sure those addresses are right? (0)

Anonymous Coward | about a year and a half ago | (#42391119)

Not everything can be spoofed easily.

Two problems with that (5, Interesting)

stevegee58 (1179505) | about a year ago | (#42390637)

1) It's DISTRIBUTED. You'd have to name and shame thousands.
2) Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

Not innocent (2, Insightful)

ElusiveJoe (1716808) | about a year ago | (#42390751)

Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

They are NOT innocent. They let their computers be used in stealing, censorship, blackmailing, spam and other evil stuff. It doesn't matter if it is stupidity, ignorance or malicious intent.

If your car keeps hitting other cars you should hand over your license.

Re:Not innocent (1)

Phyrexia (55710) | about a year ago | (#42390795)

Someone remotely hijacks your driverless automobile. They drive it into a coffeeshop. Are you to blame?

Re:Not innocent (0)

Anonymous Coward | about a year ago | (#42390819)

Someone remotely hijacks your driverless automobile. They drive it into a coffeeshop. Are you to blame?

No, you're not to blame, but you're certainly responsible for correcting the deficiencies in your automobile's access/security systems or taking it out of service.

Re:Not innocent (0)

Anonymous Coward | about a year and a half ago | (#42391077)

Yes, because you left it in drive and the parking brake off.

Seriously? I hope you were taught in driving school to at least put on your parking brake. Even driverless vehicles have these safety features.

Re:Not innocent (1)

Lisias (447563) | about a year and a half ago | (#42391321)

Someone remotely hijacks your driverless automobile. They drive it into a coffeeshop. Are you to blame?

YES.

You are responsible for keeping your car in legally and technically correct operation.

Oh, your car has a manufacturing defect? Sue the manufacturer for damages in order to compensate you for the money you lost due to this defect.

Re:Not innocent (0)

Anonymous Coward | about a year and a half ago | (#42391387)

So we can all sue Microsoft for a defective (porous) OS? Yay, sign me up!

Re:Not innocent (1)

Anonymous Coward | about a year ago | (#42390807)

Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

They are NOT innocent. They let their computers be used in stealing, censorship, blackmailing, spam and other evil stuff. It doesn't matter if it is stupidity, ignorance or malicious intent.

If your car keeps hitting other cars you should hand over your license.

Nice analogy, If someone steals my car and then runes into someone I should totally lose my license.

Re:Not innocent (1, Informative)

duk242 (1412949) | about a year ago | (#42390859)

Someone steals your car every night and drives it around, you're not aware of the problem, however someone sees people driving your car and throwing shit at people and lets the police know. The police then pass on the information to you saying "Why is your car out there throwing shit at people at night?"

It is up to you to make sure that your car is properly locked and secured at night, so people can't steal it and take it for joyrides.

Is that a better analogy?

Re:Not innocent (0)

Black Parrot (19622) | about a year and a half ago | (#42391117)

Someone steals your car every night and drives it around, you're not aware of the problem, however someone sees people driving your car and throwing shit at people and lets the police know. The police then pass on the information to you saying "Why is your car out there throwing shit at people at night?"

It is up to you to make sure that your car is properly locked and secured at night, so people can't steal it and take it for joyrides.

Is that a better analogy?

Could you explain that with a car analogy?

Re:Not innocent (0)

Anonymous Coward | about a year and a half ago | (#42391137)

If someone runes it into something you have a viking problem, not a car problem.

Re:Not innocent (1)

arisvega (1414195) | about a year and a half ago | (#42391511)

If someone runes it into something you have a viking problem, not a car problem.

If someone runes it, then the problem is dwarfed.

Re:Not innocent (2)

number17 (952777) | about a year and a half ago | (#42391045)

You are being ridiculous. This is like somebody smashing your window, hot wiring the car, and then hitting other cars with it. The standard locking mechanisms are good enough to keep the ordinary criminal at bay. Sure you can put immobilizers or wheel locks on the car but those aren't yet standard. If it's something that happens repeatedly to you then start looking into more secure prevention methods.

Re:Not innocent (1)

Immerman (2627577) | about a year and a half ago | (#42391339)

Correction - the ordinary locking mechanisms are good enough to keep basically honest folk from temptation and make opportunistic crimes a little more difficult. Anyone with even the most basic lockpicking skill can open 90% of mechanical locks in less than a minute, and picking the lock is usually one of the most difficult ways to gain entry, you only do it if you don't want your entry to be obvious.

Re:Not innocent (1)

nnet (20306) | about a year and a half ago | (#42391239)

Excellent. Internet usage should be a licensed privilege.

Re:Two problems with that (1)

tnk1 (899206) | about a year ago | (#42390773)

Not to mention pointless.

Me: Mom, your name is on a list of DDOS spammers?

Mom: Is that bad?

Re:Two problems with that (0)

Anonymous Coward | about a year and a half ago | (#42391397)

Bots = Internet Assault Rifle. Bad?
Security = Responsible Netizen. Good!
A tiny bit of knowledge to fight ignorance: Priceless.

Re:Two problems with that (1)

Desler (1608317) | about a year ago | (#42390839)

3) Spoofing an address is extremely easy.

Re:Two problems with that (1)

Anonymous Coward | about a year ago | (#42390909)

Name and shame an innocent person?

Then they are not innocent. If you want to run a node on the internet, a worldwide shared resource, you are responsible for not abusing that resource. If you are unable or unwilling to do that, then your ISP should disconnect you until that time when you are able and willing.

Home computers are what, nearly 40 years old, plus or minus? The MITS Altair came out in 1975. The Internet is even older. It's time to learn how to use a computer. We don't permit people unwilling to learn to drive to use the roads, because it ruins the shared resource for the rest. Why should we allow millions who are unwilling to learn how to use a computer sufficiently to avoid ending up in a botnet to use the internet?

Re:Two problems with that (1)

gVibe (997166) | about a year and a half ago | (#42391301)

Not interesting --- INSIGHTFUL!!! When someone speaks the truth, the moderator needs to put the proper mod for them. +5 for stevegee58

Re:Two problems with that (1)

Cheviot (248921) | about a year and a half ago | (#42391419)

If they're not protecting their computers they are far from innocent.

Yes name and shame will work! (2, Insightful)

Anonymous Coward | about a year ago | (#42390653)

You're being 'ddosed' from thousands of different IPs - list them all!

Who cares if they're compromised computers - naming them will surely shame the botnet owners into submission!

Was this question asked by an idiot?

 

Re:Yes name and shame will work! (1)

ElusiveJoe (1716808) | about a year ago | (#42390775)

Who cares if they're compromised computers

I don't. Why should I?

Re:Yes name and shame will work! (0)

Anonymous Coward | about a year ago | (#42390811)

Was this question asked by an idiot?

It's probably the guy who was asking about what applications are suitable for a six month old child.

So, yes.

Re:Yes name and shame will work! (1)

ohnocitizen (1951674) | about a year ago | (#42390905)

Why is this marked insightful? If the botnet owners had broken into people's homes and physically stolen the computers they then used for the ddos, instead of merely hijacking them, should the victims of those thefts be reported as criminals?

Re:Yes name and shame will work! (1)

Xugumad (39311) | about a year ago | (#42390957)

Erm, I'm fairly certain they were being sarcastic...

Re:Yes name and shame will work! (0)

Anonymous Coward | about a year and a half ago | (#42391505)

Your firewall, and a bit of doc processing, could easily list all the offending IPs and resolve their names.

No one cares if they are compromised, just as no one cares who
made the ammo.

This question was asked by an idiot.
( my firewall says 60% .cn 20% .nl 15% .rc 5% .us etc...)
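The "list the offending IPs from the firewall" step above, and the "report to the ISP's abuse department" step suggested earlier in the thread, as an added Python example that is not part of the thread: it parses firewall log lines, counts hits per source, and groups them per /24 so one abuse report can cover a whole block. The log lines are constructed for the example in the Linux netfilter LOG format (SRC= DST= PROTO= DPT=); the regex is the only thing to adapt for pf or another firewall. Reverse name lookup is included as a function but is a live DNS query and is not exercised by the sample.

```python
"""Added example, not from the original thread: turn firewall log lines into
the per-source and per-network counts you would attach to an abuse report.
SAMPLE_LOG is constructed; addresses are from the documentation ranges.
"""
import re
import socket
from collections import Counter, defaultdict
from ipaddress import ip_network

# Linux netfilter LOG line; adapt for pf or other firewalls.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?\bPROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?"
)

# Constructed sample: a UDP/53 flood from two hosts in one /24, an unrelated
# TCP/80 probe from another network, and one non-firewall line to be ignored.
SAMPLE_LOG = """\
Dec 24 10:00:01 gw kernel: [ 12.3] DDOS-DROP IN=em0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=52 PROTO=UDP SPT=4444 DPT=53 LEN=40
Dec 24 10:00:01 gw kernel: [ 12.4] DDOS-DROP IN=em0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=49 PROTO=UDP SPT=5555 DPT=53 LEN=40
Dec 24 10:00:02 gw kernel: [ 12.5] DDOS-DROP IN=em0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=52 PROTO=UDP SPT=4445 DPT=53 LEN=40
Dec 24 10:00:02 gw sshd[812]: Accepted publickey for ops from 192.0.2.9 port 50122
Dec 24 10:00:03 gw kernel: [ 12.6] DDOS-DROP IN=em0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=60 PROTO=TCP SPT=40000 DPT=80 WINDOW=65535
Dec 24 10:00:03 gw kernel: [ 12.7] DDOS-DROP IN=em0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=49 PROTO=UDP SPT=5556 DPT=53 LEN=40
Dec 24 10:00:04 gw kernel: [ 12.8] DDOS-DROP IN=em0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=52 PROTO=UDP SPT=4446 DPT=53 LEN=40
Dec 24 10:00:05 gw kernel: [ 12.9] DDOS-DROP IN=em0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=60 PROTO=TCP SPT=40001 DPT=80 WINDOW=65535
"""


def parse(lines):
    """Yield one dict per firewall line; lines that don't match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["dpt"] = int(d["dpt"]) if d["dpt"] else None
            yield d


def top_sources(lines, n=10):
    """Most frequent source addresses as (addr, count) pairs."""
    return Counter(r["src"] for r in parse(lines)).most_common(n)


def summarize_by_network(lines, prefixlen=24):
    """Group hits by /prefixlen: {network: hits, sources, services, first, last}."""
    nets = defaultdict(lambda: {"hits": 0, "sources": set(), "services": Counter(),
                                "first": None, "last": None})
    for r in parse(lines):
        net = str(ip_network(f"{r['src']}/{prefixlen}", strict=False))
        e = nets[net]
        e["hits"] += 1
        e["sources"].add(r["src"])
        e["services"][(r["proto"], r["dpt"])] += 1
        e["first"] = e["first"] or r["ts"]
        e["last"] = r["ts"]
    return dict(nets)


def abuse_report(lines, network):
    """Plain-text summary for the abuse desk responsible for `network`."""
    e = summarize_by_network(lines)[network]
    svc = ", ".join(f"{p}/{d} x{c}" for (p, d), c in e["services"].most_common())
    return (f"Network {network}: {e['hits']} dropped packets from "
            f"{len(e['sources'])} hosts between {e['first']} and {e['last']}; "
            f"targets: {svc}; sources: {', '.join(sorted(e['sources']))}")


def reverse_name(addr):
    """Best-effort PTR lookup. Live network query; not used by the sample."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(top_sources(lines))
    for net in summarize_by_network(lines):
        print(abuse_report(lines, net))
```

Grouping by /24 is a convenience for a first pass; the contact you actually want is the one in the RIR whois record for the allocation, which may be larger or smaller than a /24. During a reflection attack the sources listed here are reflectors, not the attacker, so the report should say that rather than accuse the listed hosts of running a bot.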

Let's see if this works (0, Troll)

erroneus (253617) | about a year ago | (#42390715)

There is a person who frequents here, famous for using hosts files as a security something or other some-such. [ashentech.com] I had gone for quite some time without having to see or hear from him but apparently has come back.

Apparently, he has been published and is therefore a celebrity or something like that. Anyway, he has a bizarre set of problems which include replying to his own posts pretending to be someone else, assertions that he had "blown away," "burned," "destroyed" or any other such juvenile taunt. He apparently believes I and others are "Jorge Bastida" whoever that may be. His mental deficiencies are his reality and therefore he projects his notion of what normal healthy behavior is upon everyone else. He therefore believes multiple people are all one and has little to do than sit here and attempt to belittle and berate them with commentary.

Of course his problems with reality extend into the realm of believing things which aren't "quite right." I attempted to point out that this sort of behavior is archived for, so far, "ever" on slashdot and that any searches for anything he might have written could be found by anyone including and especially [potential] employers. With all the stories about how government and employers use social networking (which slashdot nearly qualifies as being) I would think this would be obvious but pointing out the obvious is apparently blackmail. (please grow up... please... prove it by not responding to this!)

So with this, I lay shame and I believe I don't need to name. Will it work?

Re:Let's see if this works (0, Funny)

Anonymous Coward | about a year ago | (#42390817)

Jorge, you can name me all you want, but there is no shame in using a hosts file to block DDoS Packets. I have a foolproof list that blows away your arguments.

P.S.=> There's other methods also, via native to OS tools for network-wide propagation of fresh clean updated hosts files that program yields IF you only installed it on a "central server" for clean hosts for all nodes/workstations/servers:

I.E.-> Centrally managed hosts files? Easy as pie via logons scripts, or parse of autoexec in Windows @ bootup via GPEdit & group policies company-wide!

OR

Using taskscheduler on each workstation/server node periodically

P.P.S.=> Of course, your HOSTS file will need to have the domain/hosts name of the C&C servers, & that you have to obtain for this to work vs. threats like bogus servers &/or maliciously scripted sites. Here's some good sources for that above & beyond mvps.org (I noted them above):

http://hosts-file.net/?s=Download [hosts-file.net]
http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]
http://mirror1.malwaredomains.com/files/ [malwaredomains.com] (justdomains here)
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext [yoyo.org]
http://sysctl.org/cameleon/hosts [sysctl.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
https://zeustracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
http://www.apkgoatsestylepersonalpics.com/hostsfiles.htm [apkgoatses...alpics.com]
http://www.malwareurl.com/ [malwareurl.com]
http://www.safer-networking.org/en/download/ [safer-networking.org] (updater for Spybot "Search & Destroy" & it fortifies HOSTS files)

Those are some of my regular sources that are reputable & reliable for custom HOSTS file data populations vs. known threats online - I consolidate them here via programs I wrote that normalize/deduplicate repeated entries, sort/alphabetize the results, & change from larger + slower 127.0.0.1 (longer & loopback ops happen here) to the faster & smaller 0.0.0.0 (or even 0 on Windows 2000/XP/Server 2003): Enjoy!

... apk

P.P.P.P.S.=> There you go... it all works, GUI easily from my app, all the way out to any endpoint PC/Server on a LAN/WAN even... often as you like & CLEAN/FRESH too!

P.P.P.P.P.S=> It's good "layered-security"/"defense-in-depth" & does things AdBlock, DNS, & even firewalls can't (like speed up access to fav. sites + make them reliable in the event of DNS poisoning redirects or being "downed" even...) & gets P.P.P.P.P.P.S.=> back SPEED/BANDWIDTH users pay for out of pocket along with their POWER BILL too...

P.P.P.P.P.P.P.S.=> I skipped P.P.P.S=>
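The consolidation step the post describes (merge several hosts-format lists, normalize and deduplicate, sort, and point entries at 0.0.0.0 instead of 127.0.0.1), as an added Python example that is not the poster's program and not part of the thread. The two list bodies are constructed stand-ins for downloaded files; the real sources are the URLs listed above. Note that a hosts file only affects names this host (or hosts that receive the file) resolves, which is why the post says the C&C names have to be in it for it to do anything.

```python
"""Added example, not part of the original post: merge hosts-format blocklists
into one deduplicated, sorted file. LIST_A and LIST_B are constructed inputs
standing in for downloaded lists.
"""
import ipaddress

# Names that must never be blackholed even if a source list contains them.
PROTECTED = {"localhost", "localhost.localdomain", "local", "broadcasthost",
             "ip6-localhost", "ip6-loopback"}

LIST_A = """\
# first constructed source list
127.0.0.1 localhost
127.0.0.1 Bad-Example.invalid
127.0.0.1   c2.example.invalid   # trailing comment
0.0.0.0 ads.example.invalid
"""

LIST_B = """\
# second constructed source list
0.0.0.0 bad-example.invalid
0.0.0.0 tracker.example.invalid update.tracker.example.invalid
::1 localhost
"""


def parse_hosts(text):
    """Return the set of hostnames blocked by one hosts-format file.

    Comments and blank lines are skipped, names are lowercased, a line may
    carry several names after the address, and anything in PROTECTED is
    dropped so the merged file cannot break loopback resolution.
    """
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # first field must be an address
        except ValueError:
            continue
        for name in fields[1:]:
            name = name.lower()
            if name not in PROTECTED:
                names.add(name)
    return names


def merge_hosts(sources, sink="0.0.0.0"):
    """Merge several hosts texts into one sorted, deduplicated hosts file.

    sink is the address every blocked name maps to. 0.0.0.0 is not a valid
    destination, so a blocked name fails at once instead of connecting to
    whatever happens to listen on loopback, which is the speed difference
    the post refers to.
    """
    names = set().union(*(parse_hosts(s) for s in sources))
    header = [f"# merged blocklist: {len(names)} entries",
              "127.0.0.1 localhost", "::1 localhost"]
    return "\n".join(header + [f"{sink} {n}" for n in sorted(names)]) + "\n"


if __name__ == "__main__":
    print(merge_hosts([LIST_A, LIST_B]), end="")
```

Before pushing a merged file out by login script or scheduler, diff it against the previous version: a bad upstream entry (a list that blocks a CDN or an update server) propagates to every machine just as reliably as a good one.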

Re:Let's see if this works (0)

Sardaukar86 (850333) | about a year and a half ago | (#42391337)

Wow, you like, totally blew him away! You shot his arse right out of the sky! Wow, like, like, like, totally down in flames! Mad props to you!

Another sad victim of the awesome literary skills and technical might of the one-solutions-fits-all APK troll!

Re:Let's see if this works (1)

Black Parrot (19622) | about a year and a half ago | (#42391133)

There is a person who frequents here, famous for using hosts files as a security something or other some-such. [ashentech.com] I had gone for quite some time without having to see or hear from him but apparently he has come back.

Apparently, he has been published and is therefore a celebrity or something like that. Anyway, he has a bizarre set of problems which include replying to his own posts pretending to be someone else, assertions that he had "blown away," "burned," "destroyed" or any other such juvenile taunt. He apparently believes I and others are "Jorge Bastida" whoever that may be. His mental deficiencies are his reality and therefore he projects his notion of what normal healthy behavior is upon everyone else. He therefore believes multiple people are all one and has little else to do than sit here and attempt to belittle and berate them with commentary.

Of course his problems with reality extend into the realm of believing things which aren't "quite right." I attempted to point out that this sort of behavior is archived for, so far, "ever" on slashdot and that any searches for anything he might have written could be found by anyone including and especially [potential] employers. With all the stories about how government and employers use social networking (which slashdot nearly qualifies as being) I would think this would be obvious but pointing out the obvious is apparently blackmail. (please grow up... please... prove it by not responding to this!)

So with this, I lay shame and I believe I don't need to name. Will it work?

Let us know how it turns out, Jorge.

A violation of federal law (1)

Eravnrekaree (467752) | about a year ago | (#42390723)

DDOS is a violation of federal law and should not be tolerated. If it is a botnet, whoever is running such a botnet is in violation of federal law.

ooh! I can call the sheriff! (1)

swschrad (312009) | about a year ago | (#42390881)

who will say, "uh, what? if you got a dose from somebody, you want public health."

Re:A violation of federal law (0)

Anonymous Coward | about a year and a half ago | (#42391027)

Ruskromanistanis aren't subject to US law. One of the best things about the Internet is that everything is connected to everything else. It's also one of the worst things about the Internet.

Re:A violation of federal law (0)

Anonymous Coward | about a year and a half ago | (#42391113)

in violation of federal law.

Which means *nothing* beyond the border.
Obviously some international laws will be involved most of the time.

Now considering how many nations are connected to the net, the internet being rather new-fangled stuff (it takes time for laws/lawyers to catch up to new technologies) and how hard it is to get people to agree to something that complicated... you're pretty much guaranteed not to see a legal solution to your satisfaction within your lifetime.

Re:A violation of federal law (1)

gVibe (997166) | about a year and a half ago | (#42391367)

I thought there was an age limit requirement for posting to Slashdot....yeah like that could be enforced. But it's clear that some of the replies on this story alone are being done by children who have no fucking clue what they are talking about.

It's a first step (4, Interesting)

bill_mcgonigle (4333) | about a year ago | (#42390725)

Eventually we should have a reputation-based distributed admin function for the Internet. If a dozen high-rated NetOps guys all sign messages that say that a given IP is spewing DDoS traffic, the infrastructure should permit a block without the owning admin having to deal with it proactively.

If a network doesn't participate, that could play into trust levels. If an admin screws up, he loses reputation. If an admin tends to advertise YouTube routes into Pakistan, he never gets a good reputation in the first place.

As usual, it's all trade-offs and we don't yet have an extensible crypto-reputation system, so one thing at a time.

To the original question - it's probably not going to do much good, but it's good to cultivate such expectations.

Re:It's a first step (4, Insightful)

symbolset (646467) | about a year ago | (#42390949)

Censoring the Internet is never the right answer.

Re:It's a first step (0)

Anonymous Coward | about a year and a half ago | (#42391395)

Damn, I spent all of my mod points.

Re:It's a first step (0)

Anonymous Coward | about a year and a half ago | (#42391091)

ISPs and countries don't like technology that messes with their network sovereignty and avoid them. Governments would look at private efforts as a cabal or anti-trust. Internet superheroes have houses and families like most others, and the liability against them could be too great to put too much control in a central authority.

Re:It's a first step (1)

pepsikid (2226416) | about a year and a half ago | (#42391365)

We don't need a full-blown "reputation" system, as flawed as that will undoubtedly be. It literally takes nothing to get on an email blacklist, and these systems are rampant with abuse. All that is important is to have a trusted third party to receive DDOS reports and independently verify them, and a cooperative admin (or automated system) at the ISP of the attacker who will promptly block his own network's outgoing traffic *to* the victim for a reasonable time. This will throttle down the DDOS attack, making such attacks ineffective. This will expose and map out botnets the moment they go live. There will be no collateral damage or customers helplessly complaining about being blocked, because the *victim* is requesting to be blocked.

If you're running Windows (or not)? Do this (0)

Anonymous Coward | about a year ago | (#42390741)

Investing in one of THESE is a big help:

http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22DDos+Appliance%22&btnG=Search&gbv=1&sei=KYw7UI-4FsXs6wH3uIDoDw [google.com]

Because DDoS/DoS CAN be stopped (Microsoft & Amazon are setup PERFECTLY vs. it in fact, read on below on that note). IF you're running Windows, per my subject-line above? Do these registry hacks/settings:

---

Protect Against SYN Attacks

FROM -> http://msdn.microsoft.com/en-us/library/ff648853.aspx [microsoft.com]

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

Enable SYN attack protection
Set SYN protection thresholds
Set additional protections

Enable SYN Attack Protection

The named value to enable SYN attack protection is located beneath the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0, 1, 2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

Set SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

These keys and values are:

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0–65535

Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100–65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80–65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Set Additional Protections

All the keys and values in this section are located under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0–255

Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0–65535

Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0, 1

Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.

Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80–4294967295

Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

---

Lastly, of course, there IS the "null-route" option (you need to have a network with multiple IP addresses though) noted here:

http://en.wikipedia.org/wiki/Null_route [wikipedia.org]

The route command can do the job, to "blackhole" attackers... & drop their attacking packets.

---

* Hope that helps...

APK

P.S.=> Microsoft &/or Amazon - they have such TREMENDOUSLY POWERFUL setups for monitoring + alerting them to DoS/DDoS, they can start "shutting down" IP address sources of packets for DDoS easily, & way, Way, WAY before it's time to "panic" - it's the reason WHY "Anonymous" & the like can't "take them down" (& yes, they HAVE tried)...

For some material on what they do? See here (MS):

---

Microsoft: We're not vulnerable to DDoS attacks

http://www.networkworld.com/community/blog/microsoft-were-not-vulnerable-ddos-attacks [networkworld.com]

PERTINENT QUOTE/EXCERPT:

"At Microsoft we have robust mechanisms to ensure we don't have unpatched servers. We have training for staff so they know how to be secure and be wise to social engineering. We have massively overbuilt our internet capacity, this protects us against DoS attacks. We won't notice until the data column gets to 2GB/s, and even then we won't sweat until it reaches 5GB/s. Even then we have edge protection to shun addresses that we suspect of being malicious."

---

&/or

Why attackers can't take down Amazon.com:

http://money.cnn.com/2010/12/09/technology/amazon_wikileaks_attack/ [cnn.com]

PERTINENT QUOTE/EXCERPT:

"So Amazon (AMZN, Fortune 500) has spent years creating and refining an "elastic" infrastructure, called EC2, designed to automatically scale to handle giant traffic spikes... But Amazon's entire business model is built around handling intense traffic spikes. The holiday shopping season essentially is a month-long DDoS attack on Amazon's servers -- so the company has spent lavishly to fortify itself."

---

Hope the read helps those of you dealing with DDoS/DoS attacks on others...

... apk
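
An added example, not from the post or from Microsoft: an audit of the TcpIp parameters quoted above. It parses the text of a `reg query` on the Parameters key, compares each named value with the recommended value and valid range listed in the excerpt, and emits `reg add` lines for anything that deviates. The `reg query` output embedded below is constructed to resemble a partially hardened host.

```python
"""Audit the TCP/IP SYN-flood registry values against the recommendations
quoted in the post, from the text of a `reg query` export.

Added example: the `reg query` output below is constructed; the value names,
ranges and recommended values are the ones listed in the excerpt.
"""
import re

TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# name -> (recommended value, (min, max)) as given in the excerpt.
RECOMMENDED = {
    "SynAttackProtect": (2, (0, 2)),
    "TcpMaxPortsExhausted": (5, (0, 65535)),
    "TcpMaxHalfOpen": (500, (100, 65535)),
    "TcpMaxHalfOpenRetried": (400, (80, 65535)),
    "TcpMaxConnectResponseRetransmissions": (2, (0, 255)),
    "TcpMaxDataRetransmissions": (2, (0, 65535)),
    "EnablePMTUDiscovery": (0, (0, 1)),
    "KeepAliveTime": (300000, (80, 4294967295)),
}

# Constructed sample of what `reg query <key>` prints on a partially hardened host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    SynAttackProtect    REG_DWORD    0x1
    TcpMaxHalfOpen    REG_DWORD    0x1f4
    TcpMaxHalfOpenRetried    REG_DWORD    0x190
    EnablePMTUDiscovery    REG_DWORD    0x1
    KeepAliveTime    REG_DWORD    0x6ddd00
    Domain    REG_SZ    example.test
"""

# One indented "<name>    REG_DWORD    0x<hex>" line of reg query output.
LINE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text: str) -> dict[str, int]:
    """Extract REG_DWORD values (name -> int) from `reg query` output;
    other value types (REG_SZ etc.) are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(values: dict[str, int]) -> list[tuple[str, str]]:
    """Compare each value with its recommendation. Returns (name, finding)
    pairs; an empty list means every listed value matches the excerpt."""
    findings = []
    for name, (want, (lo, hi)) in RECOMMENDED.items():
        if name not in values:
            # Absent: the Windows default applies, which this audit cannot read.
            findings.append((name, f"not set explicitly; recommended {want}"))
            continue
        have = values[name]
        if not lo <= have <= hi:
            findings.append((name, f"{have} is outside the valid range {lo}-{hi}"))
        elif have != want:
            findings.append((name, f"{have} set; recommended {want}"))
    return findings


def remediation_commands(findings: list[tuple[str, str]]) -> list[str]:
    """`reg add` lines that set each flagged value to its recommended value."""
    return [
        f'reg add "{TCPIP_KEY}" /v {name} /t REG_DWORD /d {RECOMMENDED[name][0]} /f'
        for name, _ in findings
    ]


if __name__ == "__main__":
    found = audit(parse_reg_query(SAMPLE_REG_QUERY))
    for name, finding in found:
        print(f"{name}: {finding}")
    print("\n".join(remediation_commands(found)))
```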

Re:If you're running Windows (or not)? Do this (1)

CBravo (35450) | about a year ago | (#42390805)

And what do you do when all your 10GB fibers are saturated? Nothing an apparatus will solve.

Re:If you're running Windows (or not)? Do this (0)

Anonymous Coward | about a year ago | (#42390837)

Ha! The joke's on you. My GB fibers go up to 11!

Re:If you're running Windows (or not)? Do this (0)

Anonymous Coward | about a year ago | (#42390883)

P.P.P.P. Hat=> They totally do.

Read the rest of it (especially my 'p.s.')... apk (-1)

Anonymous Coward | about a year ago | (#42390907)

See what Amazon &/or MS do (costs bucks, but IS "doable").

* I also listed things that a Windows system CAN do that help mitigate the effects of these attacks...

(Of course, there IS the 'slow & stodgy' method of using the route command... but manually, vs. 1,000's of potential 'hitters' would have to be automated into a script, or program - NOT that "tough to do" with a list of the attackers though... not really!)

APK

P.S.=> In any event? You STOP THE ATTACKS well before the mark you're talking with those methods...

Since, after all, like I stated above?

Amazon &/or Microsoft pretty much can, & actually DO, vs. such things (amazon's setup for that, but not directly - it was MORE for being "proof" to "holiday shopping 'rushes'" but it works out the same for them, vs. DoS/DDoS too - "bonus!")...

... apk

Re:Read the rest of it (especially my 'p.s.')... a (1)

Sardaukar86 (850333) | about a year and a half ago | (#42391355)

If you actually had a clue about this stuff you wouldn't need to re-post your drivel time and again.

If YOU actually HAD a "clue" @ all? (-1)

Anonymous Coward | about a year and a half ago | (#42391603)

You'd realize that *trying* to "take me on" results in "FAILS" from you, vs. myself - Numerous Proofs/Examples thereof? Ok:

---

HOSTS FILES VALUE #1 of 3 -> http://news.slashdot.org/comments.pl?sid=2579684&cid=38415774 [slashdot.org]

(Where "the best you had" was profanity, but you did not disprove my points on custom hosts files' value to end users of them for a plethora of valuable things)

HOSTS FILES VALUE #2 of 3 -> http://news.slashdot.org/comments.pl?sid=2579684&cid=38412576 [slashdot.org]

(Same as above albeit, the source of what Sardaukar86 failed in disproving vs. myself... lol!)

HOSTS FILES VALUE #3 of 3 -> http://news.slashdot.org/comments.pl?sid=2579684&cid=38415774 [slashdot.org]

(Same again, diff. view of your "ReAcTiOn" when you FAIL).

---

Sardaukar86 - BLOWN AWAY vs. my upward mod list -> http://yro.slashdot.org/comments.pl?sid=2741535&cid=39525081 [slashdot.org]

(Vs. Sardaukar86's comments of "if anyone cared" about what I write here? Well - 100's of upward mods made you "eat your words"... you couldn't ARGUE WITH THE NUMBERS, that outnumbered your 'opinion' by MANY orders of magnitude... lol!)

---

The last 1 especially?

Well, I have a QUESTION for you:

---

What does it taste like, "eating your own words" FLAVORED with 'the bitter taste of SELF-defeat', spiced with the taste of your FOOT IN YOUR MOUTH?

---

(ROTFLMAO!)

* Yes, it appears I was correct that you were just being facetious here in your other comment to me -> http://tech.slashdot.org/comments.pl?sid=3339513&cid=42391405 [slashdot.org]

Those links above??

Man - I really, REALLY must have "gotten to you" by dusting you SO easily in each one, that you 'keep it up' even now on Christmas...

However - you only did it, to yourself!

Hence your repeated often profane, off-topic illogical FAILED attempts @ ad hominem attacks on myself!

(All you had left vs. facts you cannot disprove - everytime! Now, THAT is funny... but consistent, from you, vs. myself!).

* Learn by your mistakes shown above @ least... lol!

APK

P.S.=> In a way, I understand WHY you did that & this comment - you need to get over your "geek angst" (since you often resort to profanity & other forms of illogical off-topic ad hominem attacks, shown in THESE links, when you "FAIL"):

---

Sardaukar86 profanity "FoaMiNg-@-The-MouTh" priceless "ReAcTioN" #1 -> http://news.slashdot.org/comments.pl?sid=2579684&cid=38414922 [slashdot.org]

Sardaukar86 profanity "FoaMiNg-@-The-MouTh" priceless "ReAcTioN" #2 -> http://news.slashdot.org/comments.pl?sid=2579684&cid=38414888 [slashdot.org]

Sardaukar86 off-topic illogical failed ad hominem attack attempt -> http://news.slashdot.org/comments.pl?sid=2579684&cid=38414906 [slashdot.org]

---

Please - do yourself, & the rest of us a GIANT FAVOR since it's Christmas:

Realize that the "trolling likes of YOU"? Are just plain NOT IN MY LEAGUE (& you never will be, troll - see links above as "proof thereof")...

... apk

Re:If you're running Windows (or not)? Do this (1)

Black Parrot (19622) | about a year and a half ago | (#42391167)

And what do you do when all your 10GB fibers are saturated?

If his post didn't saturate his link, he's probably safe against DDOS.

Re:If you're running Windows (or not)? Do this (0)

Anonymous Coward | about a year and a half ago | (#42391195)

Read the entire post you replied to. Amazon/MS do it http://tech.slashdot.org/comments.pl?sid=3339513&cid=42390907 [slashdot.org]

Re:If you're running Windows (or not)? Do this (1)

Sardaukar86 (850333) | about a year and a half ago | (#42391349)

Thank God you so kindly reproduced your fantastic advice here or I might never have seen it!

Thank-You (I *think*)... apk (0)

Anonymous Coward | about a year and a half ago | (#42391405)

All I know is, it works & is entirely 'doable'. Amazon & MS do it -> http://tech.slashdot.org/comments.pl?sid=3339513&cid=42390741 [slashdot.org]

* You know, though you & I have "had our differences" here in the past? I was PRETTY SURE you had this level of 'know-how' down...

(In that case - you're probably just being 'facetious', & that's ok too... it's Christmas!)

APK

P.S.=> Nice part is - It gave me an idea to automate the route command's functionality too actually (first in a shell/spawn to test, & then to actually reproduce it via the Win32/64 API directly), into a loop-thru-list of attackers, to null route them.

(E.G./I.E.-> 1st acquire the attacking IP addresses, even if by the 1,000's from say, router logs, of course - so you can 'blackhole route/nullroute' them, en masse)...

That wouldn't be "tremendously hard to do", not really... & since it isn't?

I am of the opinion that others probably HAVE DONE SO, via scripting languages like Python, for example, since there truly is VERY LITTLE "original thought" & this is PRETTY OBVIOUS actually, as to automating it vs. DoS/DDoS attacks!

(I can see admins using scripts for it, architected PRETTY MUCH like I just laid out, & Python makes things very easy for network admins & isn't as difficult as doing GUI work in languages like C/C++/Delphi etc.-et al, even if done in RAD environs)

... apk

Plausible deniability (0)

Anonymous Coward | about a year ago | (#42390753)

I keep an old pc in my dmz that is running unpatched windows xp just because of botnets...

Give all the IP's to the RIAA (4, Funny)

toygeek (473120) | about a year ago | (#42390757)

Make up some story about how you tracked down a huge network of movie pirates.

Turn off servers and go to the pub (0)

Anonymous Coward | about a year ago | (#42390759)

Turn back on when the attack has ceased. Simples!

Simple.... (0)

Anonymous Coward | about a year ago | (#42390841)

You switch to your backup Internet connection and disconnect the first one. Let them DDOS the dead IP address while I continue to laugh at them on 4chan. "Haha you losers are not DDOSing me but some poor sap. What n00bs all of you are"

Works great, they all go way overboard at the foaming of the mouth when they realize they are all anklebiter n00b wannabes.

Re:Simple.... (2)

Firehed (942385) | about a year and a half ago | (#42391235)

And how are your website's users supposed to reach you in the meantime? As soon as you switch your DNS to point to the new servers, the DDOS follows. Try again.

If anyone's found a solution better (or more cost-effective) than Prolexic or a similar DDOS-prevention service, do let me know. That's some crazy-stupid protection money we're paying out, but it has proven effective.

Re:Simple.... (0)

Anonymous Coward | about a year and a half ago | (#42391613)

He already said he goes to 4chan, he doesn't do anything useful with his computer. His backup internet connection is just so he can get to the porn if 1 ISP is down.

A more detailed proposal ... (5, Interesting)

Frater 219 (1455) | about a year ago | (#42390849)

Sites under DoS attack should publish (through a channel not congested by the attack) a list of the IP addresses attacking them, through some trustworthy third party. Then, other sites should subscribe to that list and refuse service to those addresses until they clean up and stop attacking.

For instance, consider your uncle who uses AOL. His computer is infected with botnet garbage and is participating in a DoS attack against (say) Slashdot. Slashdot sends a list of attacking IPs, including your uncle's, to Team Cymru (the third party). Cymru aggregates these and publishes a list, updated every three hours. AOL subscribes to that list. When your uncle goes to check his AOL email, he gets an error: "We regret to inform you, your computer has been hacked, and is being used by criminals to break the Internet. You can't get to your AOL email until you kick the criminals off by installing an antivirus program and running a full scan. Click here to install Kaspersky Antivirus for free. Thank you for helping keep criminals from breaking everyone's Internet. Sincerely, Tim Armstrong, CEO, AOL."

Then your uncle gets mad and calls up AOL and complains. They try walking him through using the antivirus program, but he just curses them out and says he'll go to Hotmail instead. He tries ... but Hotmail also subscribes to the same list and tells him the same thing: "Your computer is infected with malware and is being used to attack other sites on the Internet. You cannot obtain a Hotmail account until your computer is clean. Click here to install Microsoft Antivirus." He gives up and calls AOL back, and they help him get his computer cleaned up. Within half an hour, it's off the botnet; and within three hours, it's off the list of attacking hosts, and your uncle can get his AOL email again.

Re:A more detailed proposal ... (0)

Anonymous Coward | about a year and a half ago | (#42391219)

Wouldn't it be more effective to also standardize the process for DDoS victims contacting ISPs and getting them to filter the offending packets?

I.e. an automated way of requesting that packets sent from certain customers to their subnet get dropped for a period of time?
Just dropping 75% of the offending packets for 20 minutes would make it a lot more expensive to perform an attack.

Maybe such a system could be used to push DNSSEC, by using the same infrastructure to verify block requests.
Would there be any obviously exploitable flaw in such a scheme, if such requests were tied to signed DNS records?

Re:A more detailed proposal ... (1)

pepsikid (2226416) | about a year and a half ago | (#42391315)

Wow, I'm glad you liked my idea I posted above, earlier. However, you shouldn't be blocking anyone's IP address *except* for the victim, as blocking the alleged offender simply begs to be abused in the same way as email blacklists. The system should provide the victim with a means to request temporary protection.

The "We regret to inform you... click here..." won't work though, since it would become what the next round of trojan installers look like.

Re:A more detailed proposal ... (1)

Zedrick (764028) | about a year and a half ago | (#42391575)

There should be a list of ISPs/hosts that don't do anything about it. We (my hosting company) usually get DDoSed by Turkish IPs from Turk Telecom a couple of times a month, because of random Kurdish websites their customers don't like. I report them all to the Turk Telecom abuse address, but it doesn't seem to help much. (The blocked IPs keep trying.)

Last couple of weeks some of our customers (using outdated Joomla installations with security holes) were used for a DDoS against Bank of America. I shut them down as soon as I got the abuse mails. And I don't think we should be punished, since we can't be held responsible for customers who think it's a good idea to use Joomla installations with wide-open security holes, if we do something about it as soon as we get the abuse reports.

I *think* AOL are one of the good guys in this case; I can't remember seeing any DDoS or spam campaign from their network going on for a long period of time.

Central Clearinghouse for DDOS origin IPs (1)

pepsikid (2226416) | about a year ago | (#42390873)

The idea of voluntary email blackhole lists could be adapted here. Victims of DDOS could submit lists of IP addresses that are attacking, to a central clearinghouse, which will analyze the attack pattern in order to determine the most efficient response. The clearinghouse would verify and document which groups of IPs are part of a particular attack in progress, and notify the relevant ISPs in real time. These ISPs would respond by blocking outgoing access to the victim from their network for a time. Whenever possible, they could later contact the offending customer to help them eliminate the bot infection. Botnets could be mapped out instantly, and in great detail. DDOS attacks could be significantly throttled down after just a few minutes. If enough ISPs participated, DDOSers would be left with just the crummy little ISPs to use that don't give a toot. Regrettably, this system could also be used to illuminate any legitimate activity that governments and ISPs frown upon, and the central clearinghouse itself needs to be somehow immune to DDOS attacks.

contributing to dns ddos (1)

Anonymous Coward | about a year ago | (#42390877)

Learn more about how open recursive nameservers help enable DNS amplification attacks. A good analogy for open recursive nameservers are the open mail relays of the late 1990's. Someone puts a resource on the internet without locking them down nor caring who (ab)uses them. UDP was fun when the internet was more trustworthy. Now it is the bane of network abuse. It's not just DNS. SNMP is also a frequent attack amplifier that anonymizes the true attack source. The only ones worth naming and shaming are cost-shifting ISPs that don't yet implement SAC004 (aka BCP 38). The lack of source address filtering is what enables anonymous forged UDP attacks to be successful.

If your ISP or Colo provider operates an open recursive nameserver, ask them why. It's no longer acceptable to be ignorant of the detrimental effects they have on the Internet as a whole versus the minor benefit that could easily be served responsibly by OpenDNS or Google DNS.

well... (0)

Anonymous Coward | about a year ago | (#42390921)

Now I'm not a hacker, but I work with a security specialist.
We run network traffic view and see what kind of DDoS it is, and if it's traceable. Usually not, especially if it's a UDP flood. Sometimes we can look at a specific IP that's attacking (of the many) and port scan it and see if it's a botnet or a shell or something hidden by VPN. Sometimes there are TCP attacks that show the IP and that makes that possible. You can even DDoS some of the attackers, see if you can't break down some of them. If you're not getting a super large DDoS, you might even be able to lock down the whole DDoS with a counter DDoS, if you have a hacker on your side. This can get really nasty and legally grey as well.

But to be terribly honest, social engineering might be more effectual, as many hackers are someone who has been a customer or user before, or a competitor, and they often have some kinda agenda. Police might be of help, but you need to know their true IP and get their address, and call the cops in that area. With a DDoS, usually anyone worth their hacking skills will use UDP, which is hard to trace.

If all else above is not applicable (and it's probably not) you can wait it out, or even change your DNS or IP and somehow get traffic to it, without the hackers being alerted.

A really sad aspect of the internet is Low Orbit Ion Cannon (dirt simple DDoS for noobs) and many "security tester sites" (pay for DDoS).
With this you can even have scum that are Sub-Script-Kiddie hacking you.

Have the ISP handle the attack for you (1)

frambris (525874) | about a year and a half ago | (#42391227)

We were once DDoSed and we first called our colocation guys (that also manages our firewalls) if they could do it, the technician could do nothing. They called their ISP and they quickly found that the majority of the traffic came from countries we don't do business in so they simply blocked (or routed away) traffic from those countries going to our net and the site became instantly accessible again. The ISP has an anti-DDoS service that does this automatically based on some threshold magic. This is a service we are going to get.

Yup... "blackhole/null route" them... apk (0)

Anonymous Coward | about a year and a half ago | (#42391269)

I covered it here -> http://tech.slashdot.org/comments.pl?sid=3339513&cid=42390741 [slashdot.org]

* Plus, a LOT MORE a Windows setup can do...

APK

P.S.=> Only 'problem' with using the route command is, it's a commandline driven one. Personally, I'm surprised nobody's built a GUI commandline model to 'automate' it (or a script). It's probably been done script-wise though, since IF I can think of it? Someone else has (there is very little "original thought").

Hardest part? Acquiring the list of attackers - since in a DDoS they come by the 1,000's @ once.

(However, & again: That's also what scripts are good for too, in parsing out & extracting pertinent information from program outputs)...

Once you get that?

You put it into a list construct & then feed it to the automating program via a loop for the route command itself... & you've blackholed them, en masse!

... apk
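
The automation sketched in this comment and in the earlier "Thank-You (I *think*)... apk" comment, as an added example rather than the poster's program: pull source addresses out of firewall log lines, keep the sources at or above a hit threshold, skip an allowlist of your own prefixes, collapse the survivors into covering prefixes so thousands of hosts become a handful of route entries, and emit one command per prefix. The log format, the threshold and the Linux `ip route add blackhole` command form are assumptions; the original discusses the Windows `route` command.

```python
"""Turn firewall log lines into aggregated null-route commands.

Added example. The log lines are constructed (loosely modelled on iptables
LOG output); the `ip route add blackhole` form is the Linux command and is
an assumption, since the post talks about the Windows route command.
"""
import ipaddress
import re
from collections import Counter

# Constructed syslog-style firewall lines from one short burst.
SAMPLE_LOG = """\
Dec 25 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=44321 DPT=80 SYN
Dec 25 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=44322 DPT=80 SYN
Dec 25 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=44323 DPT=80 SYN
Dec 25 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=44324 DPT=80 SYN
Dec 25 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=44325 DPT=80 SYN
Dec 25 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=44326 DPT=80 SYN
Dec 25 10:00:03 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=80 SYN
Dec 25 10:00:03 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=50001 DPT=80 SYN
Dec 25 10:00:03 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=50002 DPT=80 SYN
Dec 25 10:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=80 SYN
Dec 25 10:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 SYN
Dec 25 10:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=80 SYN
Dec 25 10:00:05 fw kernel: DROP IN=eth0 SRC=192.0.2.200 DST=198.51.100.5 PROTO=TCP SPT=60000 DPT=80 SYN
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Never null-route our own prefixes or known partners, however noisy they look.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]


def count_sources(log_text: str) -> Counter:
    """Hits per source address across the log excerpt."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def select_attackers(hits: Counter, threshold: int) -> list:
    """Sources with at least `threshold` hits that are not allowlisted."""
    chosen = []
    for ip_str, n in hits.items():
        ip = ipaddress.ip_address(ip_str)
        if n >= threshold and not any(ip in net for net in ALLOWLIST):
            chosen.append(ip)
    return chosen


def collapse(addresses) -> list:
    """Merge adjacent /32s into the smallest covering set of prefixes."""
    return list(
        ipaddress.collapse_addresses(ipaddress.ip_network(str(a)) for a in addresses)
    )


def null_route_commands(log_text: str, threshold: int = 3) -> list[str]:
    """One blackhole route per collapsed attacker prefix, sorted by network."""
    attackers = select_attackers(count_sources(log_text), threshold)
    return [f"ip route add blackhole {net}" for net in collapse(attackers)]


if __name__ == "__main__":
    print("\n".join(null_route_commands(SAMPLE_LOG)))
```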

Re:Yup... "blackhole/null route" them... apk (0)

Anonymous Coward | about a year and a half ago | (#42391417)

You have to blackhole them upstream of your link or it won't do anything, genius.

Not useful most times (1)

damn_registrars (1103043) | about a year and a half ago | (#42391251)

Most of the systems involved in distributed attacks are not intentionally willing participants. They are generally part of a botnet, belonging to unknowing owners and controlled by uncaring masters. Shame them all you want but that won't make them go away.

Annoying but not serious (1)

Animats (122034) | about a year and a half ago | (#42391311)

I've had sizable amounts of junk come in from China Telecom DSL class C blocks in Shenzhen. It's obviously a botnet. Amusingly, by changing what the attackers get back, it's possible to slowly influence their behavior. The zombies just send blindly, trying SMTP and PHP attacks, and they continue to send even if they get no useful response. But after a few days, some control node notices that the botnet isn't accomplishing anything and stops. Except that a few zombies don't get the word and continue to send the same junk.

The resource-consuming API requests on our system go through a fair queuing system, so that many requests from the same IP address queue up behind each other and don't consume much in the way of resources. At one point, some grad student was trying to use the API, and they were doing it ineptly, sending hundreds of thousands of initial requests without ever making the followup call to get the results. This built up a huge work queue, but the fair queuing meant their requests had lowered priority and weren't impacting real users. After a few days of this, I blocked the IP address for 24 hours. After unblocking, the requests reappeared. So not only was the requester inept, they weren't paying attention to their own program. So I wrote to the department chair at the user's university, and after a few more days, the API calls stopped.
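
The per-address fair queuing described in this comment, as an added example (not Animats' code): each source IP gets its own FIFO and a worker services the queues round robin, so one address with thousands of pending requests still only gets one turn per rotation. The request format, the per-client backlog cap and the drain order are assumptions made for illustration.

```python
"""Per-client fair queuing: one FIFO per source IP, served round robin, so a
flood from a single address queues behind itself instead of starving others.

Added example; request objects, backlog cap and ordering are assumptions.
"""
from collections import OrderedDict, deque


class FairQueue:
    """Round-robin scheduler over per-client FIFO queues."""

    def __init__(self, max_pending_per_client: int = 10_000):
        self._queues: "OrderedDict[str, deque]" = OrderedDict()
        self.max_pending = max_pending_per_client
        self.rejected = 0

    def enqueue(self, client_ip: str, request) -> bool:
        """Queue one request; once a client's backlog is full, reject (False)
        so an inept or hostile client cannot consume unbounded memory."""
        q = self._queues.setdefault(client_ip, deque())
        if len(q) >= self.max_pending:
            self.rejected += 1
            return False
        q.append(request)
        return True

    def pending(self) -> int:
        return sum(len(q) for q in self._queues.values())

    def next(self):
        """Take one request from the client at the head of the rotation and
        move that client to the back. Returns (client_ip, request) or None."""
        while self._queues:
            ip, q = next(iter(self._queues.items()))
            self._queues.move_to_end(ip)
            if q:
                return ip, q.popleft()
            del self._queues[ip]   # emptied: drop it from the rotation
        return None

    def drain(self) -> list:
        """Service everything, returning the order requests were handled in."""
        order = []
        while (item := self.next()) is not None:
            order.append(item)
        return order


def simulate_flood(flooder: str, flood_size: int, others: list[str]) -> dict:
    """One noisy client versus a few ordinary ones. Returns the 1-based
    service position at which each ordinary client's single request ran."""
    fq = FairQueue()
    for i in range(flood_size):
        fq.enqueue(flooder, f"job-{i}")
    for ip in others:
        fq.enqueue(ip, "one-off request")
    positions = {}
    for pos, (ip, _) in enumerate(fq.drain(), start=1):
        if ip in others and ip not in positions:
            positions[ip] = pos
    return positions


if __name__ == "__main__":
    # The two ordinary clients are served 2nd and 3rd despite 1000 queued jobs.
    print(simulate_flood("203.0.113.9", 1000, ["192.0.2.1", "192.0.2.2"]))
```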

null route the ip being attacked? (1)

detain (687995) | about a year and a half ago | (#42391431)

null route the ip being attacked?