Linode Forum
Linode Community Forums
Posted: Thu Aug 06, 2009 5:17 pm
Junior Member
Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
Linode could provide a reporting facility that would do two things: show everyone when perceived attacks are happening. DDOS attacks look pretty much similar from my experience. They typically involve a port service other than http(s).
IP addresses are logged on each Linode system. Why not create script detection based on attempts at DDOS, updated monthly if possible. They would run on each client's server and report the IPs causing problems along with providing short log reports proving the attack took place. Now for each of these IP addresses reported, whois information could be compiled as well based on the IP address detected.
The formatted messages could then be transferred or transmitted to a central Linode processing node that takes the bad IP address list and null routes out each IP address while forwarding the abuse to its apnic, ripe, arin, lacnic, afnic based ISP source owner based on country codes, Babel or language translation engaged to help expedite such requests.

It seems to me a lot more could be done by all ISPs with the right approach. SSHD can be shut out to remote IPs. Service ports with problems can be re-adjusted or even filtered.
All the Linode reporting service need do is compile the bad IP addresses and perhaps verify the logs in sync with their own router logs. So long as the IPs reported are done in a timely manner the process should be self validating.

Hence Linode abuse reports could be filtered for each owner based on IP range. Combinatorial login attacks etc. could be easily enough detected.
As for other exploits: start a database of exploits to log on each Linode server.
Start with the basic ones.
As was stated before, DDOS attacks don't end with a downed server. They end with the owner of a source IP address being fined monetarily for not protecting their related system or network.
So as was specified earlier, a 3rd grader would have to answer to his parents, who would answer to the ISP who pinned his dialup phone number or IP account, and his parents would be required to pay a huge fine, which would probably make his friends think twice about repeating the activity. If the source IP address is determined to be a pawn address, the ISP in the meantime would have to disable that IP until the zombie Trojan is removed and verified. That is the way it should work in a perfect world anyway.

Linode could control its side by automatically doing the reporting.

No such user or invalid password messages from 20 attempts to login strongly indicate attempts at break-ins, as do 20 different users from the same IP address in less than 5 minutes' time.

Since Obama has plans for a Cyber Czar - I think we should all let him know we want more accountability in the ownership of IP addresses as it should be. Perhaps if there were greater IP owner accountability DDOS attacks would be a thing of the past.

What do you think of that idea?

_________________
Q.E.D

Rob


Posted: Thu Aug 06, 2009 5:29 pm
Senior Member
Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
I can't attack the rest, but:
rss245x wrote:
Since Obama has plans for a Cyber Czar - I think we should all let him know we want more accountability in the ownership of IP addresses as it should be. Perhaps if there were greater IP owner accountability DDOS attacks would be a thing of the past.

As much as I love where I live, we in the United States do not run the Internet. There are numerous examples where we think we do, and requiring accountability for IP addresses is something that would require international involvement. Whatever Obama does.

The colossal problem with greater accountability for IPs is this one:

Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.

Most botnets I've seen are exploited Cisco routers in high-bandwidth positions. There is no way to trace who is performing a DDoS, as someone operating a DDoS is not sitting on his personal machine sending traffic to the victim himself. He's not that stupid.

Even if you did get the level of accountability you want, the vast majority of compromised machines are in underdeveloped nations without high-tech infrastructure. Asking governments of those countries to produce records for an IP is an exercise in futility. DDoS attacks originating in the United States typically lead to a conviction; this is why you never hear of any.

We can dream, but this isn't likely to happen.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.


Posted: Thu Aug 06, 2009 7:04 pm
Senior Member
Joined: Mon Oct 15, 2007 3:11 pm
Posts: 78
Website: http://www.avongauss.com
Location: Boynton Beach, FL
jed wrote:
Machines performing DoS attacks and vulnerability scans are never owned by the perpetrator behind them.


That's not always the case, here is one example:
http://revision3.com/blog/2008/05/29/in ... revision3/


Posted: Fri Aug 07, 2009 3:30 pm
Junior Member
Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
Instead of just fining the attacker I would fine the patsy as well. If you can not police your system properly there is something wrong either with your ISP or with yourself. That may seem harsh, but so is ruining lives and wasting people's time, money and resources. The time has come to bring real order to the internet. Spyware of any kind should be licensed, including the legalized DoubleClick and whatnot out there.

If my machine was taken over by a virus or netbot I sure as hell would rather be notified about it than let it lay in wait. If I have to protect my network as an ISP more, so be it. The kind of nonsense that goes on today should not, and the sooner it ends the better.
Patsies or zombie machines are part of the threat and so must be dealt with first. If you let the zombie population grow it only gets worse, which it is clearly doing.

Like it or not, all of us have responsibilities to keep the internet safe.
Report phishing attacks to spam@uce.gov.

The more we do individually, the better environment the internet will be. If we slack off at this rate we will all need 100 gigabyte networks and an extra multiprocessor to deal with all the abuses we allow to continue at great cost.

Let me put it another way: if someone without your knowledge takes your car out for a joy ride, kills someone while drunk in a hit and run, and runs up $500 in parking tickets, what happens to the car owner?
They get fined and held responsible for the tickets, and unless they are in a coma or out of the country they are legally liable and probably would be thrown in jail.
Now given this growing threat out there, maybe a government website that installs an ActiveX or Java COM on all hosts that have been identified as potential zombies may be in order, whereby it could access where the originating attacks are coming from by IP and date/time of an infection, assuming the earliest one in the logs is the original attacker or assuming the data goes to a network of computers. Trace each packet far enough back and you should be able to narrow down if not catch the culprit responsible for such an attack.

In the meantime imagine eliminating all the zombies, shrinking the attack pool and making all the people asleep at the wheel more diligent and aware. Fines do that. Abuse notices to ISP NOCs do that. Smarter firewalls that see sessions repeatedly seeking to login could do that.
I have seen attackers in Iran stopped by notifying the owners of an IP address.
I doubt I am the only one fighting out there, and I can tell you the hackers are representative of terrorists who blow people up.
Do you think it a coincidence that 9/11 happened during a peak in internet usage? No, and I can assure you if we take hacking more seriously, just like the Mayor of New York who stopped illegal gun sales and spitting on the street and drove the crime rate of New York City to its lowest level. Again, not a coincidence.
You are right, the USA does not own the Internet. Started it but does not own it.
It does influence it greatly. If we build higher speed networks so our backbones are OC MAX and we keep diligence over our part of the Internet, why wouldn't the world want that too?
I am upset by the lack of care shown today. The internet was once clean and efficient. Now that claim can no longer be made.

I for one want to see that turned around, starting with ISP responsibility for only the IPs they own. It is certainly doable.
ISPs know who and when they allocate IPs. They can warn customers of perceived threats. ISPs could threaten to shut down service until an infestation of virus, worm or Trojan has been resolved. Like I said before, the more this is law the better the odds of success. If you knew you would be fined by your ISP by US law for the crime of network abuse patsy if, after being notified, your system was still infected with no change given 48hrs time, well, I imagine a huge diligence effort would be made to perform security updates, run anti virus and firewall and spybot software by a much greater portion of the public internet users, and so again the zombie patsies would be much fewer in the United States.
To protect the US networks from foreign attacks, US firewalls would null route block any IPs involved in abuse activities, and so at the cost of some IP by IP lockouts the American Internet would remain clear of network abuses.

I can tell you from experience something has to be done. Years ago the attacks were far fewer. The number of attacks and variety have skyrocketed since 1994.

_________________
Q.E.D



Rob


Posted: Fri Aug 07, 2009 3:42 pm
Junior Member
Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
You should forward any suspicious emails like bank emails claiming your account has a problem without providing any account information in the process, with a form to fill out requesting account information.

These are almost definitely phishing attempts.
By forwarding the email you keep the original RFC mail headers intact.
We can also all set up proper SPF DNS TXT records to avoid email From-address forgery.
All of this would greatly help clean up the internet.

_________________
Q.E.D



Rob


Posted: Fri Aug 07, 2009 4:06 pm
Señor Yaakov
Joined: Fri Feb 06, 2009 3:13 pm
Posts: 23
rss245x:

Your suggestions seem to ignore the cost/benefit analysis that any business must do if it wants to remain in business. Your suggestion is complicated (that means it will take a long time to build, and time means money), and the efficacy is far from guaranteed.

The bottom line is that granular mitigation of DDoS attacks is impractical. Your proposals strike me as a lot of work for little benefit, and I for one would not want the cost of my Linode to reflect your quixotic crusade.

So far as I can tell Linode's approach to this problem (reactive and reasonable) has been an excellent optimization. I don't really see a sensible return from any of the things you have proposed.

That's just my opinion, but I have a lot of experience in this area and think it reflects that and good reasoning.


Posted: Fri Aug 07, 2009 4:13 pm
Senior Member
Joined: Tue Jan 22, 2008 2:10 am
Posts: 103
Code:
Your post advocates a

(x) technical ( ) legislative ( ) market-based (x) vigilante

approach to fighting DDOS attacks. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Script kiddies can easily use it to harvest vulnerable machines
(x) Slashdottings and other legitimate internet uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop DDOSes for two weeks and then we'll be stuck with it
( ) Users will not put up with it
(x) ISPs will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from DDOSers
(x) Requires immediate total cooperation from everybody at once
( ) Many network users cannot afford to lose business or alienate potential employers
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for the Internet
(x) Compromised hosts in foreign countries
( ) Ease of searching the tiny address space of all IP addresses
(x) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
(x) Apathy on the part of other ISPs
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in IPv4
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of botnets
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Dishonesty on the part of DDOSers themselves
(x) Forged IP source addresses
(x) Unreliability of WHOIS information
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) IP headers should not be the subject of legislation
(x) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about jed's mom without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending packets should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) I don't want the government reading my packets
(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Posted: Sat Aug 08, 2009 2:47 pm
Junior Member
Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
(x) Slashdottings and other legitimate internet uses would be affected
(x) It will stop DDOSes for two weeks and then we'll be stuck with it
(x) ISPs will not put up with it
They will if they lose money from government enforced fines.

(x) Requires immediate total cooperation from everybody at once
Yes as the polar ice caps melt because of similar inability

(x) Anyone could anonymously destroy anyone else's career or business
That is already possible and we have seen it first-hand, but remember this: if the rules I recommended were implemented these attacks would essentially be stopped, if not limited a lot.

(x) Lack of centrally controlling authority for the Internet
Not true: Arin.net, Ripe.net, Apnic.net, Afnic.net and Latnic.net all allocate specific IP address space. It is fully organized and the owners are registered.

(x) Compromised hosts in foreign countries
Again, it must start somewhere for it to succeed; just because no one went to the moon does not mean they should not try first. Your argument makes no sense to me.

(x) Asshats - Huh??? What is that?

(x) Jurisdictional problems
Not true: ARIN allocates IP addresses; the Federal government of the US extends to all US territories. Canada and Mexico would comply with the US policy so long as it is in their interests, and if the US sees a fall in domestic attacks from US based IP address space the world will soon follow upon the USA's success.
NO JURISDICTION problems then!

(x) Unpopularity of weird new taxes
Not a tax; it's a fine. There is a huge difference, and it would allow a grace period upon reporting abuses. It's only if those abuses go ignored.

(x) Apathy on the part of other ISPs
ARIN and the IP providers will just yank their routing if they don't pay their fines. No IP routing, no internet service. End of story.

(x) Willingness of users to install OS patches received by email
Not going to happen, because the abuse email will specify a specific web site in clear text, not a URL a href tag link, and it will be a .US site. No problem there.

(x) Armies of worm riddled broadband-connected Windows boxes
Just numbers. More IPs already making trouble need to be fixed.

(x) Eternal arms race involved in all filtering approaches
Huh?? A nuke does not affect this approach; no twisting any country's arm, just a policy that makes sense.

(x) Extreme profitability of botnets
That is the biggest problem, isn't it. All those Internet security companies would have to look for revenue elsewhere. No, because the threat of basic hacking always exists as well from viruses etc., independent of IP address.


(x) Forged IP source addresses
Spoofed IP addresses I am told are a thing of the past now, partly because of DHCP but also because each ISP checks for such spoofing at their firewall, so at least their IPs can not be forged. To forge an IP means forging IP routing, and correct me if I am wrong here, but that would be a very hard thing to do if not impossible, because the true routing would win out on the return IP packet, so the packet would never reach the hacker unless they selected the IP along the same exact route. Again, really hard to do.

(x) Unreliability of WHOIS information
That could be changed by more diligence by the IP providers.

(x) Bandwidth costs that are unaffected by client filtering
Huh??

(x) Outlook
Replace the email client: Eudora, theBat, Webmail, or just deal more aggressively with email viruses and Trojans than is done now.

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
That is a catch-22 to be sure, because doing nothing, which is what I see happening, just makes the problem worse.
This idea is based on a concrete, controllable, easy to implement concept of responsibility for your IP. Are there holes? Oh yeah, but the concept does two major things:
(1) Reduces the overall threat by effectively limiting the zombie pool
(2) Forces all Netizens to care and take greater responsibility
(3) Makes people aware that there is recourse when they are getting attacked by hacking, viruses and trojans
(4) Provides a system that should, if implemented, better patrol and better control network threats, and frankly it should be attempted because there is nothing better being done now and things have become much worse from inaction.
(x) Blacklists suck
No blacklist, just responsibility. I know all about blacklists; Time Warner puts its customers on 2 blacklists on purpose.


(x) Why should we have to trust you and your servers?
You already trust BIND, don't you? It's as simple as that.
BIND uses root DNS servers. Can't escape that, can you?

(x) Feel-good measures do nothing to solve the problem
Not a feel-good measure, just hard crisp facts.
IP addresses are basically fact. Spoof or forge an IP address? Not very practical or possible!

(x) Killing them that way is not slow and painful enough
I feel that way much of the time regarding the source attackers.

Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
Why specifically do you think it would not work?
The rare and slim ability to forge source IP addresses?

While an idea is not foolproof, that does not mean it's not effective. Know the difference. It would be a lot better than doing nothing. Killing bugs with insect spraying does not solve the bug problem and environmentalists etc. say it is a bad thing, but it does reduce the potential for disease; many times it's been done. Foolproof, no, but effective, yes!



I certainly have felt the following from the attacks I suffered:
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

_________________
Q.E.D



Rob


Post subject: OOPs - made a mistake
Posted: Sat Aug 08, 2009 2:52 pm
Junior Member
Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
The .US sites mentioned above: I meant to say .gov site and not .US. Anyone can get a .US site; only the US government can run a .gov site.
Again, IP forging is not very practical and not very effective.

_________________
Q.E.D



Rob


Posted: Sat Aug 08, 2009 3:59 pm
Senior Member
Joined: Mon Oct 27, 2008 10:24 am
Posts: 173
Website: http://www.worshiproot.com
"Spoofed IP addresses I am told are a thing of the past now partly because of dhcp"

I was actually reading up until that point...


Posted: Sat Aug 08, 2009 4:16 pm
Junior Member
Joined: Fri Jun 27, 2008 12:24 am
Posts: 31
I'm not going to address the idiocy behind the rest of your logic but as for this:

rss245x wrote:
(x) Forged IP source addresses
Spoofed IP addresses I am told are a thing of the past now, partly because of DHCP but also because each ISP checks for such spoofing at their firewall, so at least their IPs can not be forged. To forge an IP means forging IP routing, and correct me if I am wrong here, but that would be a very hard thing to do if not impossible, because the true routing would win out on the return IP packet, so the packet would never reach the hacker unless they selected the IP along the same exact route. Again, really hard to do.


DHCP does nothing to stop IP spoofing. In fact, most of the internet doesn't use DHCP for many reasons. Even in your home network you are able to assign an IP that is *in use* by a DHCP client.

As for filtering, very few ISPs do any egress filtering based on source address. Spammers have been using this tactic for a long time.

What about the stolen IP space? There are many blocks that don't officially exist that are still in use and several have been sold to legitimate companies.

You really expect a fine to make a difference? It is illegal in many countries to send spam but spam still accounts for an average of 93% of all email. This isn't an administrative problem it is an end-user problem.


Posted: Sat Aug 08, 2009 6:07 pm
Junior Member
Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
Reduction of zombies alone is a goal worth achieving; does anyone deny that?
Just how easy is it to forge an IP address? I have found that I can not just use an IP address I create with my ISP. It would not work, because as part of the DHCP process they check and route, so at least retail ISPs like Time Warner do something about this, or so I have gathered. DHCP was done, again correct me if I am wrong, to control your ISP space and avoid duplicate IPs, or am I missing something here?
I also imagine that if everyone does their due diligence and, based on IP address, since frankly that is all we have to go on, every IP steps up and is responsible for the abuses traced log for log, we would have fewer zombies for sure. Why is it so undesirable for everyone to pitch in?
The same statements made here can be said of littering. I do not see as much garbage on my sidewalks in NYC. Why is that? Laws against littering. There are no IP addresses, but if someone is caught dropping a piece of paper they fail to pick up they are fined.

It just seems to me that it's a good start, and given logging of traffic, zombie traffic is pretty much on radar at least, so it is verifiable to be sure.
It's interesting how everyone fights the most common sense approach to ending all this nonsense. It's almost like they want it. It makes money for them. Why else be so unwilling to do what ISPs today are actually starting to do world wide?
Like I said before, logged attacks are being stopped by many places; I know, I have seen it. So whether you like it or not, guys, ISPs are stepping up, at least non-American ones anyway. Maybe the Europeans and Asians have realized this and are making a difference in their own countries' networks, while us stupid Americans are so lazy and unwilling to do the right thing and let it fall on others to do it for us that we just wait until it truly becomes a problem.
Just look how we handled our banks recently!!!

Say what you like, but if all the zombie machines were instantly gone how many of these attacks would we see? Ask yourself that.
And others are right. Suppose viruses continue to infect machines right and left. At least if someone caught it earlier fewer other machines might get infected.

I have a horrible suspicion that none of this is being done so security software companies can do big business; if so that is rotten reasoning, because these companies could do far more productive things like build a new moon base and launch interstellar space ships rather than deal with internet security issues. Much more constructive operations from my perspective.

I have heard the naysayers out there a lot. At least people have come up with SPF TXT records and the like to avoid email spoofing, and that works. Does everyone do it? No, but they should.

Some things just make sense:
Do not litter.
Do not promote network abuses by not security patching your systems.
Do not hack other computers you don't own or have permission to hack by their owners.
These are all good rules, no?

I have truly come to believe a simple IP reporting and responsible ISP operations lead to a safer network. Does anyone disagree with that?

If so why fight it? Why just put it down? Granted IP forgery is a big hole, but very hard to do, isn't it? How easy would it be to forge an IP address? If it was so easy then why not forge the IP address for BIND's root server and then control everyone's IP address? Why hasn't that happened yet if it's so darn easy to forge IP addresses?

_________________
Q.E.D



Rob


Posted: Sat Aug 08, 2009 6:35 pm
Junior Member
Joined: Fri Jun 27, 2008 12:24 am
Posts: 31
rss245x wrote:
Just how easy is it to forge an IP address? I have found that I can not just use an IP address I create with my ISP. It would not work, because as part of the DHCP process they check and route, so at least retail ISPs like Time Warner do something about this, or so I have gathered. DHCP was done, again correct me if I am wrong, to control your ISP space and avoid duplicate IPs, or am I missing something here?


Read http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol and then see if your statement makes sense. You may want to study up on all the concepts and technologies you make claims about to further avoid any displays of ignorance.


Posted: Sat Aug 08, 2009 6:37 pm
Junior Member
Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
Let me first say spamming is with us. I would be happy to see forged spam stamped out at least. No one wants their good name trashed that way. That is possible through DNS SPF TXT records for a domain.

Now regarding the IP address abuses: those are fully trackable. The IP address is known and in the logs. Why not use that?

What is egress filtering? I am not suggesting that needs to be done. Someone misread what I suggested.

Imagine on everyone's server box a simple cron job that goes off every 30 minutes, greps a security log file and pulls a list of IPs and log entries with those IPs, and sends them to a central processing ISP hub server that merely takes the unique list of IP addresses, does a WHOIS, sends an abuse email to a designated abuse email, based on country does a Babel-like machine language translation on the letter, and for each troublesome IP sends a letter indicating the abuse attack, the time zone of the logging server and the actual whois record showing IP ownership.

What is so bad about that? It's certainly not egress filtering, because these abuses are logged. Leave it to each ISP to handle their own network abuses.

Yaakov, how does that translate to such a bad thing to do? It's simple, not complicated at all.

This has nothing to do with spam just to be clear. That gets handled differently.

spam@uce.gov is said to already handle spam complaints, and unlike the badly run FBI they don't make you document what you send them, which is idiotic and inefficient. Nobody uses the FBI for much. I wish I could withhold tax dollars from the FBI given their poor handling of the internet today and bad treatment of US citizens. The worst government organization in the US Government today! Virtually useless and extremely rude, and they never return calls or emails.


I still firmly believe in the approach I suggested. Like I said before, that same approach appears to be working outside the USA. Why do you think the USA has been attacked so much recently? And it has. Look up dingsy@cndata.com.
A ridiculous number of abuse hits on the search engines tells you this ISP is one of the worst in China. Now imagine how many fewer attacks if they acted to eliminate all these abuses, stopped or notified the owners of all the zombies so they could improve network conditions.
Or even Verizon, which also has a don't care attitude about abuse.
Most ISPs I have dealt with do care and want to do what they can, which is why they provide abuse@ emails.

Feel free to disagree here, but remember change is inevitable, my plan or someone else's, I don't care. Zombie machines must be fixed or removed ultimately, because as time goes on the problem only gets worse!

_________________
Q.E.D



Rob


Posted: Sat Aug 08, 2009 6:59 pm
Junior Member
Joined: Fri Jun 27, 2008 12:24 am
Posts: 31
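A defender-side sketch of the two ideas rss245x describes, as added example code that is not from any post in this thread: the thresholds from the first post (20 failed logins from one IP, or 20 different usernames from one IP inside 5 minutes) applied to OpenSSH auth-log lines, producing the per-IP evidence an abuse notice would carry in the cron/grep/unique-IP pipeline above, minus the WHOIS lookup and the mail sending. The log lines, the 2009 year for the syslog stamps and the UTC time zone of the logging server are constructed assumptions.

```python
"""Flag SSH brute-force sources in an auth log and build per-IP abuse reports.

Thresholds follow the thread: 20 failed logins from one IP, or 20 distinct
usernames tried from one IP within 5 minutes.  All log lines are constructed
sample data using RFC 5737 documentation addresses, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# OpenSSH "Failed password" lines, with or without the "invalid user" marker.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
FAILED_THRESHOLD = 20          # failures from one IP (first post's rule)
DISTINCT_USER_THRESHOLD = 20   # distinct usernames from one IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window
LOG_YEAR = 2009                # syslog stamps carry no year (assumed)
LOG_TZ = timezone.utc          # logging server's time zone (assumed)


def parse_failed_login(line, year=LOG_YEAR):
    """Return (timestamp, user, ip, raw_line) for a failed login, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Aug  6")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=LOG_TZ), m["user"], m["ip"], line.rstrip()


def max_distinct_users_in_window(events):
    """Most distinct usernames tried in any WINDOW-long span (events sorted)."""
    best, left, active = 0, 0, defaultdict(int)
    for ts, user, _ in events:
        active[user] += 1
        while ts - events[left][0] > WINDOW:      # slide the left edge
            old = events[left][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            left += 1
        best = max(best, len(active))
    return best


def analyze(log_lines, max_evidence=5):
    """Group failures by source IP and flag IPs crossing either threshold.

    Returns {ip: report}; each report holds what an abuse notice would carry:
    counts, first/last sighting with time zone, and verbatim log excerpts.
    """
    by_ip = defaultdict(list)
    for line in log_lines:
        parsed = parse_failed_login(line)
        if parsed:
            ts, user, ip, raw = parsed
            by_ip[ip].append((ts, user, raw))
    reports = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        reasons = []
        if len(events) >= FAILED_THRESHOLD:
            reasons.append(f"{len(events)} failed logins")
        burst = max_distinct_users_in_window(events)
        if burst >= DISTINCT_USER_THRESHOLD:
            reasons.append(f"{burst} distinct usernames within {WINDOW}")
        if reasons:
            reports[ip] = {
                "failures": len(events),
                "distinct_users": len({u for _, u, _ in events}),
                "first_seen": events[0][0].isoformat(),
                "last_seen": events[-1][0].isoformat(),
                "reasons": reasons,
                "evidence": [raw for _, _, raw in events[:max_evidence]],
            }
    return reports


def build_sample_log():
    """Constructed auth.log excerpt: a scanner, a slow root guesser, a typo."""
    fmt = ("Aug  6 {h:02d}:{m:02d}:{s:02d} linode sshd[{pid}]: "
           "Failed password for {u} from {ip} port 5{pid} ssh2")
    lines = []
    for i in range(25):   # 25 usernames in two minutes: trips both rules
        lines.append(fmt.format(h=17, m=1 + i // 20, s=i % 20 * 3, pid=1000 + i,
                                u=f"invalid user test{i:02d}", ip="203.0.113.5"))
    for i in range(20):   # 20 root guesses over an hour: count rule only
        lines.append(fmt.format(h=18, m=i * 3, s=7, pid=2000 + i,
                                u="root", ip="198.51.100.9"))
    for i in range(3):    # three typos from an admin: below both thresholds
        lines.append(fmt.format(h=19, m=5, s=10 + i, pid=3000 + i,
                                u="rob", ip="198.51.100.7"))
    lines.append("Aug  6 19:05:20 linode sshd[3003]: Accepted password for rob "
                 "from 198.51.100.7 port 53003 ssh2")
    return lines


if __name__ == "__main__":
    for ip, report in analyze(build_sample_log()).items():
        print(ip, report["reasons"], report["first_seen"], report["last_seen"])
```

The admin who mistyped three times is left out of the report, which is the point of the thresholds: a notice should carry evidence of a pattern, not every failed login.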
rss245x wrote:
Let me first say Spamming is with us. I would be happy to see forged spam stamped out at least. No one wants their good name trashed that way. That is possible through DNS SPF TXT records for a domain.

SPF does nothing to stop spam because it is a flawed technology that fails to account for many things. It also requires that everyone configure it and there are too many ignorant or arrogant people that will not do it.

rss245x wrote:
Now regarding the IP address abuses those are fully trackable The IP address is known and in the logs Why not use that.

An IP can be spoofed. Recent attacks against several large DNS servers prove that source address spoofing is very easy. Most DDoS attacks involved spoofed addresses with no actual origin defined. It takes a lot of time, energy, money and cooperation to track down the sources and the attack has typically stopped before then.

rss245x wrote:
What is egress Filtering. I am not suggesting that needs to be done. Someone misread what I suggested.

You said "because each ISP checks for such spoofing at their firewall so at least their IPs can not be forged". That is the exact definition of egress filtering.

rss245x wrote:
Imagine on everyone's server box a simple cron job that goes off every 30minutes greps a security log file and pulls a list of IPs and log entries with those IPs

Many of my servers generate multiple gigs per day of access logs. Are you really suggesting that I devote precious resources to processing a log file many times a day? That costs me a lot more money than properly securing my server and just dropping the attacks.

rss245x wrote:
Sends them to central processing ISP hub server that merely takes the unique list of IP addresses does a
WHois sends an abuse email to a designated abuse email
based on country does a babel like machine language translation on the letter and for each troublesome IP sends a letter indicated abuse attack . the time zone of the logging server and actual whois record showing IP ownership

Again, IPs are typically spoofed in a DoS situation. In the event of an SSH attack they are legit but are compromised boxes. Who pays for the centralized ISP hub? That's a lot of processing power and bandwidth to burn with a large bill at the end of the month. This will also increase load on the whois servers to an unmanageable level. Who pays for the extra capacity and bandwidth at the ISP server level?

Oh, and automatic translation software sucks and for technical data it is even worse.

rss245x wrote:
What is so bad about that. Its certainly not egress filtering because these abuses are logged. Leave it to each ISP to handle their own network abuses.

Seriously, try doing a Google search for "egress filtering" before you try to make a statement about what it is or isn't, because what you just said doesn't even make sense.

rss245x wrote:
spam@uce.gov is said to already handle spam complaints and unlike the badly run FBI they don't make you document what you send them which is idiotic and inefficient.

UCE.gov has successfully prosecuted a total of ZERO spammers. The FBI has successfully prosecuted domestic spammers. Not that it matters though since this is the Internet and the US has zero jurisdiction over it.

rss245x wrote:
Nobody uses the FBI for much. I wish I could withhold tax dollars from The FBI given their poor handling of the internet today and bad treatment of US citizens. The worst Government organization in the US Government today! Virtually useless and extremely rude and they never return calls or emails.

You are entitled to your opinion. I can't blame them for not returning your calls though. I, however, have had no problems getting help from the FBI when I needed it.


rss245x wrote:
Feel free to disagree here but remember change is inevitable my plan or someone else's I don't care. Zombie machines must be fixed or removed ultimately because as time goes on the problem only gets worse!

Why are you making it the problem of the responsible people? Zombie machines are the fault of end-users not knowing what they are doing. Why should I have to pay for their mistakes? It's hard enough to keep a successful business running without being forced to pay the bill for others.

