Linode Community Forums

Post subject: Time to refute back
Posted: Sat Aug 08, 2009 8:03 pm
Junior Member

Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
There is at least one and probably many more the uce has prosecuted:
See the following URL:
http://www.dailytech.com/article.aspx?newsid=5782

Also, what IP spoofing of DNS servers is everyone talking about? Because had someone spoofed the root BIND DNS servers, I think the internet would be royally screwed up. What prevents that? Does anyone have that answer? If it's so darn easy to forge IP addresses, why hasn't the root DNS server been so forged?

_________________
Q.E.D

Rob


Posted: Sat Aug 08, 2009 8:27 pm
Junior Member

Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
I asked my ISP recently regarding something SelfishMan said, that in a DHCP connection you can assign the PC another IP address.
I was in fact told no, you cannot, so maybe it's just Time Warner, but they claim to be immune to the 2 cited Wikipedia DHCP vulnerabilities listed and that DHCP messages cannot be sent by outside sources upon their network. They claim they block such non-RR DHCP traffic.

I think it is ridiculous to think that a secure file log cannot be processed simply and quickly, incurring a minor processing CPU time to do it, and generate a unique list of IPs involved with hacking attempts. I know I have done the work. The each 30 minutes or hour or even 2 hours seems a reasonable enough price to pay for diligence. Again, over time processing could be weaned assuming no abuses happen.
I want to go back to my littering: why bother to throw a paper into the garbage, why recycle, why not just drop all your old papers on the floor and never clean up? After all, it's okay to do that with IP-based hacking, right? Isn't it the same thing?

You are right, eventually the number of zombie machines will grow because of apathy, and then your processing will include log files that fill up your disk space instead. Not costly, right?
Imagine 100 million zombies hitting away on your server. How bad will it have to get before you want to do something about it?
Even iptables cannot handle all the problems from this:
e.g.
Decreased bandwidth
Higher probability of workstation infiltration
Lower productivity in the workplace - due to more antivirus scans
etc.
More security updates
Lower confidence of security

---
That will be our future if nothing is done.
I don't believe my solution would be that costly either.
Obviously I have my critics out there.

_________________
Q.E.D



Rob
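The log-processing job described in the post above (scan a server log, count hits per source address, emit a unique list of offending IPs, and prepare what you would mail to an abuse@ address) is small enough to show in full. The following is an added example written for this thread, not code posted by anyone in it; the sshd log lines are constructed from documentation address ranges, the `FAILED_RE` pattern matches OpenSSH's standard "Failed password" message, and the year and local UTC offset must be supplied by the caller because syslog timestamps carry neither. It also applies the later sidenote in the thread about reporting times in GMT/UTC.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, no year or timezone in the timestamp).
# These are illustrative, not lines from anyone's real server.
SAMPLE_LOG = """\
Aug  8 19:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4122 ssh2
Aug  8 19:01:05 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 4130 ssh2
Aug  8 19:01:09 host sshd[1203]: Failed password for root from 198.51.100.7 port 4141 ssh2
Aug  8 19:02:40 host sshd[1210]: Failed password for invalid user test from 203.0.113.45 port 50211 ssh2
Aug  8 19:03:11 host sshd[1215]: Accepted publickey for deploy from 192.0.2.10 port 33012 ssh2
Aug  8 19:04:58 host sshd[1220]: Failed password for invalid user oracle from 198.51.100.7 port 4190 ssh2
Aug  8 19:05:02 host sshd[1221]: Failed password for root from 203.0.113.45 port 50230 ssh2
"""

# Matches the OpenSSH "Failed password" message; captures the user and the source IPv4 address.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count failed password attempts per source IP. Accepted logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3):
    """Unique IPs with at least `threshold` failures, most active first.

    The threshold keeps a single mistyped password from landing a legitimate
    user on the list; tune it to the window you process (30 minutes, an hour, ...).
    """
    counts = failed_logins_by_ip(log_text)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def to_utc(syslog_ts, year, local_utc_offset_hours):
    """Restate a syslog timestamp ("Aug  8 19:01:02") as UTC.

    Syslog lines carry neither year nor zone, so both are supplied by the caller
    (the log's local offset, e.g. -4 for US Eastern daylight time).
    """
    local = datetime.strptime(f"{year} {syslog_ts}", "%Y %b %d %H:%M:%S")
    utc = local - timedelta(hours=local_utc_offset_hours)
    return utc.strftime("%Y-%m-%d %H:%M:%S UTC")


def abuse_report(log_text, ip, year, local_utc_offset_hours):
    """Evidence lines for one IP, each prefixed with its UTC time, ready for an abuse@ mail."""
    report = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("ip") == ip:
            # The first 15 characters of a syslog line are the "Mon dd HH:MM:SS" stamp.
            report.append(f"{to_utc(line[:15], year, local_utc_offset_hours)}  {line}")
    return report


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG):
        print(f"{ip}: {n} failed attempts")
        print("\n".join(abuse_report(SAMPLE_LOG, ip, 2009, -4)))
```

Run it on a real `/var/log/auth.log` by reading the file into `log_text`; the cost is one regex match per line, which is the "minor processing" the post refers to. The UTC restamping matters because the ISP receiving the report is rarely in your timezone.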


Post subject: Re: Time to refute back
Posted: Sat Aug 08, 2009 9:16 pm
Junior Member

Joined: Fri Jun 27, 2008 12:24 am
Posts: 31
rss245x wrote:
There is at least one and probably many more the uce has prosecuted:
See the following URL:
http://www.dailytech.com/article.aspx?newsid=5782

Also, what IP spoofing of DNS servers is everyone talking about? Because had someone spoofed the root BIND DNS servers, I think the internet would be royally screwed up. What prevents that? Does anyone have that answer? If it's so darn easy to forge IP addresses, why hasn't the root DNS server been so forged?


Your knowledge of the subject matter makes it impossible to have a practical conversation. With that said, I believe the NANOG and SPAM-L mailing lists would like what you have to say. These matters have been of great concern on both lists and they would value any additional insight.


Posted: Sat Aug 08, 2009 9:29 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
rss245x wrote:
I asked my ISP recently regarding something SelfishMan said, that in a DHCP connection you can assign the PC another IP address.
I was in fact told no, you cannot, so maybe it's just Time Warner, but they claim to be immune to the 2 cited Wikipedia DHCP vulnerabilities listed and that DHCP messages cannot be sent by outside sources upon their network. They claim they block such non-RR DHCP traffic.


You're not using a "DHCP connection"; you're using a DOCSIS network that presents an Ethernet-compatible interface to your equipment. You probably won't have too much luck spoofing IP addresses there, nor will throwing up a rogue DHCP server do anything productive. (Same with your Linode, although the underlying implementation is different.)

rss245x wrote:
I think it is ridiculous to think that a secure file log cannot be processed simply and quickly, incurring a minor processing CPU time to do it, and generate a unique list of IPs involved with hacking attempts. I know I have done the work. The each 30 minutes or hour or even 2 hours seems a reasonable enough price to pay for diligence. Again, over time processing could be weaned assuming no abuses happen.


I regret to inform you that it already exists in a couple different forms.

So wait, which part of your solution isn't either 1) already implemented or 2) impossible to implement?


Post subject: Jed
Posted: Sat Aug 08, 2009 11:16 pm
Junior Member

Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
I found a lot of foreign ISPs in Turkey, Iran and Korea very caring, and after sending them a machine-translated email with my timezone, the offending IP address and logs containing that IP, I was told the problem had been handled, and I saw that IP address stop attacking me. I even had a day with no attacks.

You are wrong about ISPs not wanting to stop the abuses. Like I said before, why do they have abuse@ email addresses?
Why do they have listed abuse email addresses? I will tell you. It is so they can disable or notify their customers their systems have been compromised.
What do these ISPs gain? Respect of their network for one, not to mention cleaner bandwidth and of course less abuse emails.

American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies:
short-sighted lazy thinking! Does Verizon take care of its problems? Not right away, if at all.

Just a point in fact. ISPs who run abuse-free networks gain greater respect and better operations from increased bandwidth from less abuse shenanigans!

Consider that!

_________________
Q.E.D



Rob


Post subject: Re: Jed
Posted: Sun Aug 09, 2009 11:52 pm
Senior Member

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
rss245x wrote:
I found a lot of foreign ISPs in Turkey, Iran and Korea very caring, and after sending them a machine-translated email with my timezone, the offending IP address and logs containing that IP, I was told the problem had been handled, and I saw that IP address stop attacking me. I even had a day with no attacks.


Or the bot machine attacking you was turned off by the owner, not the ISP, or the master dropped that connection cause it was causing too much noise. You can't confirm that the ISP actually handled the issue. You just have to believe them.

sidenote: when dealing with foreign abuse notifications, use GMT time, it makes everything faster.

Quote:
You are wrong about ISPs not wanting to stop the abuses. Like I said before, why do they have abuse@ email addresses?
Why do they have listed abuse email addresses? I will tell you. It is so they can disable or notify their customers their systems have been compromised.

Liability and not much else.

Quote:
What do these ISPs gain? Respect of their network for one, not to mention cleaner bandwidth and of course less abuse emails.


Respect from what and to whom? The customers? They can null route traffic (like AT&T did with 4chan recently) and never even notify the customer, or with any abuse notifications.

Quote:
American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies:
short-sighted lazy thinking! Does Verizon take care of its problems? Not right away, if at all.


Because the vast majority of their money isn't made from customer ISP connections. They make the most money in cell networks, and government ISP contracts. Customers are always last.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.
http://independentchaos.com


Post subject: Re: Time to refute back
Posted: Sun Aug 09, 2009 11:59 pm
Senior Member

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
rss245x wrote:
Also, what IP spoofing of DNS servers is everyone talking about? Because had someone spoofed the root BIND DNS servers, I think the internet would be royally screwed up. What prevents that? Does anyone have that answer? If it's so darn easy to forge IP addresses, why hasn't the root DNS server been so forged?


static routing and authoritative DNS.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.

http://independentchaos.com


Posted: Mon Aug 10, 2009 12:02 am
Senior Member

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
AVonGauss wrote:
jed wrote:
Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.


That's not always the case, here is one example:
http://revision3.com/blog/2008/05/29/in ... revision3/


That was actually a sort-of accident in which one company (MediaDefender) was exploiting a vulnerability in the Rev3 BitTorrent tracker by forcing it to host non-Rev3 content. When Rev3 patched the hole, the MD servers attempted to reconnect the non-Rev3 content and inadvertently DoS'd the Rev3 servers. This was not a targeted DoS attack.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.

http://independentchaos.com


Posted: Mon Aug 10, 2009 12:11 am
Senior Member

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
rss245x wrote:
Since Obama has plans for a Cyber Czar - I think we should all let him know we want more accountability in the ownership of IP addresses as it should be. Perhaps if there were greater IP owner accountability DDOS attacks would be a thing of the past.


An IP address does not resolve to a person. It resolves to an ISP, which then the ISP can resolve it to an account and the account may have current information about the person that was assigned the IP originally.

Think of it this way: although a US license has your address on it and you are "legally" required to change it within X days of moving, if a warrant is put out for your arrest based on current data, but within the X days of you moving, they kick in your door and no one is home. Needless to say, you probably aren't going to be updating your address soon.

It is much the same with IP addresses. If you move your laptop around in one city, you'll pick up a bunch of IPs that all can resolve to this particular city, but if you constantly hop between multiple connections, each IP owned by a different ISP, no one would be able to determine who has been connecting to each ISP because the account holder is not the one connecting.

Forging IP headers is the same thing, just on a larger scale. It doesn't matter that information is able to transmit back to the sending host. Just that the packet gets to its destination can cause a clog when the target attempts to connect back to the forged IP and the true IP says that it never attempted to make that connection and drops it, wasting CPU cycles on the target host. Enough connections bog the CPU down and it can no longer answer legitimate requests made to the server.

So more accountability, sure, but not for this stuff. More net neutrality, please.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.

http://independentchaos.com


Posted: Wed Aug 12, 2009 11:58 pm
Junior Member

Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
I still maintain, despite the naysayers, that IP accountability, though imperfect, is a start to stopping the horde of zombie machines.

So what would be so terrible if everyone who owned a computer hooked up to the internet showed responsibility? Thus far murderers at least do not seem to be able to stay anonymous on the web, as the newspapers have shown, so it seems to me IP accountability could work. There may be some phony ones out there, but if hotels in Europe can track their customers coming and going, I would bet automated ISPs could manage it as well.
There is no better way to track things than ISP because it's basic to the TCP/IP protocol. You do not get on the internet without access to a routable IP, and the ISP who routes it is liable. Now break-ins can be hacked I suppose, but duplicates are typically determined in a good network. Still it's sad to think most of the netizens out there would prefer to fight it out rather than find a systematic solution.
Everyone makes good arguments regarding not holding IP users accountable, but I fear things will only get worse if nothing is done about it.

_________________
Q.E.D



Rob


Posted: Thu Aug 13, 2009 12:47 am
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
I think the biggest problem is that unless you get consistent ingress filtering (and thus buy-in) from all possible ISPs, and depending on the type of attack, you can never be absolutely sure that the traffic you backtrack to an ISP really originated there.

In the US at least, I expect many (most?) ISPs are doing ingress filtering at this point. It was certainly happening years ago when I was more involved. Catching forged addresses at the point they enter the network is a great way to at least have some trust when tracing an IP address back. That is, an ISP will block traffic from its customers unless the traffic is originating from an address block the ISP owns and/or has assigned to that customer (depending on how fine grained they do it).

It can't always stop a person from forging an address within the block that their connection might share with topologically close customers, but tracing things back would still end up at the right ISP and real-world detective work could proceed from there.

While I haven't experimented recently, it wouldn't surprise me if my home broadband connection was filtered so that it would drop any traffic that didn't have the exact source address that I had been assigned by my broadband modem. The modem itself has all the information it needs to do the work, and is an efficient place to do the filtering, though an argument could be made to do it one hop upstream to protect against someone breaking into the modem.

But - and it's a huge but - as long as there is one ISP out in the world somewhere that doesn't do this, then customers of that ISP can forge any address they like. Some of this may be clamped down if an upstream ISP or major exchange point does additional filtering, but the further away from ingress you get, the wider open the filters have to be due to the valid addresses that may be expected to be seen at that level of the network hierarchy.

Now, those forgers may not be able to maintain bi-directional traffic flow, since return traffic won't route back to them, but they can certainly mount denial of service attacks such as a SYN flood, or overloading a UDP-based service. In such a case, backtracking the IP address from such an attack will lead to entirely the wrong place. If you can get coordinated tracing of the stream as it's occurring you'll have more luck moving in the right direction, but that's a lot of coordination.

On the brighter side, if you're seeing IP addresses higher up the stack such as in a TCP-based application log, that implies the handshake completed, which is a bi-directional connection, so I actually think the odds are decent nowadays that back-tracking will get you to the right ISP. Of course, that can still be a far cry from getting the problem pursued back to a specific individual depending on where the trace led.

It's just a tough problem - particularly because not all the parties that need to work together to help ensure that an address is viably traceable have the necessary incentives to do so. The very decentralized and fragmented structure of the network that helps it operate as well as it does works against you in this problem space. And even when technical improvements are possible, some of the problem becomes less technical than real world political.

-- David
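David's post above describes ingress filtering at the customer edge, the gap left by a single ISP that does not filter, and why backtracking a forged source address then lands at the wrong network. The following is an added illustration written for this thread, not code from anyone in it or from any ISP: it models two ISPs with a small `CustomerEdge` class (forward a packet only when its source address sits in a prefix assigned to the arriving port, which is the BCP 38 idea the post describes), a constructed allocation table built from documentation address ranges, and a `trace_to_isp` backtrack that shows the spoofed packet from the non-filtering ISP being attributed to the filtering one.

```python
import ipaddress

# Constructed address allocations (documentation ranges, not real ISPs): the table a
# tracer would consult to walk a source address back to the network that announces it.
ALLOCATIONS = {
    "198.51.100.0/24": "FilteringISP",
    "203.0.113.0/24": "LaxISP",
}


class CustomerEdge:
    """Ingress filter at one ISP's customer-facing edge.

    With enforce=True a packet is forwarded only if its source address lies in a
    prefix assigned to the port it arrived on (the BCP 38 idea the post describes).
    With enforce=False the edge forwards anything, which is the "one ISP that doesn't".
    """

    def __init__(self, name, enforce):
        self.name = name
        self.enforce = enforce
        self.assigned = {}  # customer port -> list of assigned networks

    def assign(self, port, prefix):
        self.assigned.setdefault(port, []).append(ipaddress.ip_network(prefix))

    def admits(self, port, src):
        if not self.enforce:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.assigned.get(port, []))

    def forward(self, packets):
        """Split (port, src, dst) packets into those forwarded and those dropped."""
        forwarded, dropped = [], []
        for port, src, dst in packets:
            (forwarded if self.admits(port, src) else dropped).append((port, src, dst))
        return forwarded, dropped


def trace_to_isp(src):
    """Backtrack a source address to the ISP that holds its prefix, or None if unallocated."""
    addr = ipaddress.ip_address(src)
    for prefix, isp in ALLOCATIONS.items():
        if addr in ipaddress.ip_network(prefix):
            return isp
    return None


def simulate():
    """Two ISPs, one filtering and one not, each with a customer who spoofs one packet."""
    filtering = CustomerEdge("FilteringISP", enforce=True)
    filtering.assign(port=1, prefix="198.51.100.0/28")
    lax = CustomerEdge("LaxISP", enforce=False)
    lax.assign(port=7, prefix="203.0.113.64/28")

    victim = "192.0.2.80"
    f_fwd, f_drop = filtering.forward([
        (1, "198.51.100.5", victim),   # genuine source, inside port 1's assignment
        (1, "203.0.113.9", victim),    # spoofed: not in port 1's assignment, dropped at ingress
    ])
    l_fwd, l_drop = lax.forward([
        (7, "203.0.113.70", victim),   # genuine source
        (7, "198.51.100.77", victim),  # spoofed: borrows FilteringISP's space, forwarded anyway
    ])
    return {
        "filtering_forwarded": [p[1] for p in f_fwd],
        "filtering_dropped": [p[1] for p in f_drop],
        "lax_forwarded": [p[1] for p in l_fwd],
        "lax_dropped": [p[1] for p in l_drop],
        # What the victim backtracking the spoofed packet would conclude: the wrong ISP.
        "lax_spoof_traced_to": trace_to_isp("198.51.100.77"),
        "lax_spoof_actual_isp": lax.name,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The `lax_spoof_traced_to` entry is the post's point in one line: the allocation table is accurate, the filter at the other ISP works, and the trace still names the wrong network because the forged packet never passed through a filter that knew the customer's real assignment. A source address seen in a TCP application log is a better witness, as the post also notes, because the three-way handshake could not have completed unless the address was genuinely reachable.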


Posted: Thu Aug 13, 2009 3:06 pm
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
jed wrote:
I can't attack the rest, but:

Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.


Yep...I definitely agree on that one.

jed wrote:
Most botnets I've seen are exploited Cisco routers in high-bandwidth positions. There is no way to trace who is performing a DDoS, as someone operating a DDoS is not sitting on his personal machine sending traffic to the victim himself. He's not that stupid.


I agree, although in my case, I usually see a lot of govt (and some commercial) end-users also being compromised.

jed wrote:
Even if you did get the level of accountability you want, the vast majority of compromised machines are in underdeveloped nations without high-tech infrastructure. Asking governments of those countries to produce records for an IP is an exercise in futility. DDoS attacks originating in the United States typically lead to a conviction; this is why you never hear of any.


This one is a big one, especially in the sense that most Win32/64 OSs are pirated and not patched, making them prime targets. This is probably why I tend to see tons of attacks coming from APAC regions, at home and at work.


Post subject: Re: Jed
Posted: Thu Aug 13, 2009 3:23 pm
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
Quote:
American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies: short-sighted lazy thinking! Does Verizon take care of its problems? Not right away, if at all.


Quote:
Because the vast majority of their money isn't made from customer ISP connections. They make the most money in cell networks, and government ISP contracts. Customers are always last.


Nope. Verizon makes just as much money providing ISP services as they do other network-related and government-related services. There are three sub-orgs of Verizon: Verizon Business, Verizon Core, and Verizon Wireless. In fact, Verizon Business provides DDoS services successfully because of the very large backbone they own. Their abuse department sometimes works hand-in-hand with DHS when serving take-down notices due to botnets and malware hubs. Almost all of this is due to ISP services. They provide the circuits and have complete control over them. I know for a fact that they are proficient enough in resolving enterprise-level issues...I've been employed with them for 4 years in their Managed Security Services department. We've offices all over the world, several global operations centers (including one in Belgium, one in the Philippines, and one in Australia). A company can't be global and not know what they're doing.

Lastly, I really hate the anti-geographical arguments that some Europeans (or non-US people) tend to make. Notice that it only comes out during heated debates, usually out of the blue when on the losing end of an argument. Please don't lump us all into the "you Americans" bucket. Please don't generalise. Argue your case with facts and not bigotry.


Posted: Thu Aug 13, 2009 3:40 pm
Senior Member

Joined: Thu Dec 04, 2008 10:55 am
Posts: 57
Location: New Jersey
Quote:
American ISPs like Verizon show the same American ignorance and stupidity we have all come to expect from American companies: short-sighted lazy thinking! Does Verizon take care of its problems? Not right away, if at all.


Well if America sucks, then I'd love to hear your opinion on China. My latest major brute force attack (SSH) happened to be from China (230 attempts). Hell, they almost always are. The rest of the time they are usually from France, Germany or Russia!


Posted: Mon Aug 17, 2009 3:12 pm
Junior Member

Joined: Mon Jun 27, 2005 3:40 am
Posts: 48
rss245x wrote:
The .US sites mentioned above. I meant to say .gov site
and not .US. Anyone can get a .US site; only the US government can run a .gov site.
Again, IP forging is not very practical and not very effective.

Honestly, I am pretty sure you are just trolling at this point.

IP forging is extremely practical in the places these attacks source from.

In the states, many ISPs block outgoing spoofed packets. In most parts of the world where these attacks source from however they do not. Why? No idea... they cannot afford the software/hardware to handle it? But long and short story is that they don't. Therefore, traffic will still come in. Attacks will still come in.

DDOS has been around since the dawn of the internet. Back since before the days of smurf and fraggle. (Smurf is one of the many famous DDoS tools).

Also, you seem to have some belief that the US has authority over the internet. Obama's internet czar is a joke and just another attempt to give one of his friends a job.

We do. Not. Own. The. Internet. Regardless of the fact that most of it originated from the states, other countries' networks far outweigh ours. We are still an important part of the net, but to put us that high on the table is absurd and goes against the whole design of the internet. If we started putting ridiculous limitations in, we'd just be routed around and life would go on.

As official as we try to make it, the internet was designed with rules that make it similar to the wild west. There are policed towns, and then there are raids from neighboring bandits.

This is the design of it, and it will always be this way until we revamp the entire protocol set used.

So please, stop worrying about enforcing ddos punishment and figuring out how to make your app /server if possible resilient to it.

