Date: Sat, 30 Aug 2003 20:17:39 +1000
From: Matthew Sullivan
To: nanog@merit.edu
Subject: On the back of other 'security' posts....

Hi All,

On the back of the latest round of security related posts, anyone notice the 50% packet loss (as reported to me) across the USA -> NZ links around lunchtime (GMT+10) today?

Yet more spoofed traffic aimed at the SORBS nameservers - this time enough to crash a core router of my upstream...

Hopefully the commercial damage now may incite people getting damaged by these DDoSes to start proceedings against those ISPs who continue to show a lack of responsibility and allow unfiltered spoofed DDoS traffic from their networks. Certainly I have been told to talk to various US authorities about the problem, and will be doing so as soon as I have the necessary information.

In the meantime a plea to people on this list in all countries - watch for the DDoS attacks (particularly against 203.15.51.33, 203.15.51.35, 203.15.51.44 & 203.101.254.254) and stop the damn traffic before you are held responsible for your customers' actions. There is still a 10k pps SYN flood occurring 8 hours later - this is being rate limited upstream.

..and if the perps are on this list, keep going if you want; the more you do, the more likely you'll get caught. You will not force SORBS off the net like you have Osirusoft. I and SORBS will leave when we are good and ready, and not because of some infantile spotty faced 15 year old nerd without a clue on life.

/ Mat


Date: Sat, 30 Aug 2003 10:03:40 -0700
From: Owen DeLong
To: Matthew Sullivan, nanog@merit.edu
Subject: Re: On the back of other 'security' posts....

> Yet more spoofed traffic aimed at the SORBS nameservers - this time
> enough to crash a core router of my upstream...
>
> Hopefully the commercial damage now may incite people getting damaged
> by these DDoSes to start proceedings against those ISPs who continue
> to show a lack of responsibility and allow unfiltered spoofed DDoS
> traffic from their networks. Certainly I have been told to talk to
> various US authorities about the problem, and will be doing so as soon
> as I have the necessary information.
>
The ISPs aren't who should be sued. The people running vulnerable systems generating the DDoS traffic and the company providing the Exploding Pinto should be sued. An ISP's job is to forward IP traffic on a best effort basis to the destination address contained in the header of the datagram. Any other behavior can be construed as a breach of contract. Sure, blocking spoofed traffic in the limited cases where it is feasible at the edge would be a good thing, but I don't see failure to do so as negligent. Where exactly do you think that the duty of care in this matter would come from for said ISP?

> In the meantime a plea to people on this list in all countries - watch
> for the DDoS attacks (particularly against 203.15.51.33, 203.15.51.35,
> 203.15.51.44 & 203.101.254.254) and stop the damn traffic before you are
> held responsible for your customers' actions. There is still a 10k pps
> SYN flood occurring 8 hours later - this is being rate limited upstream.
>
Again, I just don't see where an ISP can or should be held liable for forwarding what appears to be a correctly formatted datagram with a valid destination address. This is the desired behavior and without it, the internet stops working. The problem is systems with consistent and persistent vulnerabilities. One software company is responsible for most of these, and that would be the best place to concentrate any litigation aimed at fixing the problem through liquidated damages.

Owen
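Both posts turn on the same mechanism: Matthew's plea to "stop the damn traffic" at the source networks, and Owen's concession that blocking spoofed traffic at the edge is worthwhile where feasible. The check an edge router performs is the one now known as BCP38 ingress filtering: a packet arriving on a customer-facing port is forwarded only if its source address falls inside the prefixes assigned to that customer. The script below, an added illustration and not code from either poster or from SORBS, simulates that filter over constructed packet records and adds the per-destination SYN-rate accounting that would reveal a flood like the 10k pps one described. The port names, the customer prefix table (RFC 5737 documentation ranges) and the packet records are all assumptions; the destination addresses are the SORBS nameserver addresses named in the thread.

```python
"""BCP38-style ingress filtering plus SYN-rate accounting over constructed packet records.

Added example: the customer port table, port names and packet records below are
constructed for illustration and are not real allocations or captured traffic.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed customer port table: customer-facing interface -> prefixes assigned to
# that customer. RFC 5737 documentation ranges, not real allocations.
CUSTOMER_PREFIXES = {
    "gi0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "gi0/2": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("198.51.100.128/26")],
}

# Constructed packet records: timestamp (s), ingress port, src, dst, TCP flags.
# Destinations are the nameserver addresses named in the thread.
SAMPLE_PACKETS = [
    {"ts": 0.000, "port": "gi0/1", "src": "192.0.2.10",     "dst": "203.15.51.33", "flags": "S"},
    {"ts": 0.001, "port": "gi0/1", "src": "10.9.8.7",       "dst": "203.15.51.33", "flags": "S"},  # forged: private source
    {"ts": 0.002, "port": "gi0/1", "src": "198.51.100.5",   "dst": "203.15.51.33", "flags": "S"},  # forged: another customer's prefix
    {"ts": 0.003, "port": "gi0/2", "src": "198.51.100.200", "dst": "203.15.51.35", "flags": "S"},  # forged: .200 is outside both of gi0/2's blocks
    {"ts": 0.004, "port": "gi0/2", "src": "198.51.100.130", "dst": "203.15.51.35", "flags": "S"},
    {"ts": 0.005, "port": "gi0/1", "src": "192.0.2.11",     "dst": "203.15.51.44", "flags": "A"},
]


def is_valid_source(port, src, prefixes=CUSTOMER_PREFIXES):
    """BCP38 check: the source must lie within a prefix assigned to the ingress port.

    A port with no prefix entry fails closed, so an unconfigured customer port
    cannot leak arbitrary sources.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes.get(port, []))


def ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) according to the BCP38 check."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_source(pkt["port"], pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def syn_rate_per_dst(packets, window=1.0):
    """Peak TCP SYN rate (packets per second) seen per destination.

    SYNs are bucketed into fixed windows of `window` seconds; the busiest
    window for each destination is reported. Non-SYN packets are ignored.
    """
    buckets = defaultdict(Counter)
    for pkt in packets:
        if pkt["flags"] == "S":
            buckets[pkt["dst"]][int(pkt["ts"] // window)] += 1
    return {dst: max(c.values()) / window for dst, c in buckets.items()}


def flood_targets(packets, threshold_pps, window=1.0):
    """Destinations whose peak SYN rate reaches the threshold, sorted for stable output."""
    rates = syn_rate_per_dst(packets, window)
    return sorted(dst for dst, pps in rates.items() if pps >= threshold_pps)


def constructed_syn_flood(count, dst, port="gi0/1", window=1.0):
    """Constructed burst: `count` SYNs spread evenly over one window, each with a
    different forged source drawn from 203.0.113.0/24 (documentation range)."""
    return [
        {"ts": i * window / count, "port": port,
         "src": f"203.0.113.{i % 254 + 1}", "dst": dst, "flags": "S"}
        for i in range(count)
    ]


def main():
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(f"sample traffic: forwarded {len(fwd)}, dropped {len(drop)} (forged source)")
    for pkt in drop:
        print(f"  drop {pkt['port']} src={pkt['src']} dst={pkt['dst']}")

    flood = constructed_syn_flood(10_000, "203.15.51.33")
    print("peak SYN pps without filtering:", syn_rate_per_dst(flood))
    fwd_flood, _ = ingress_filter(flood)
    print("flood packets surviving the edge filter:", len(fwd_flood))
    print("targets over 10k pps:", flood_targets(SAMPLE_PACKETS + flood, 10_000))


if __name__ == "__main__":
    main()
```

The SYN-rate function is what the upstream "rate limiting" in the thread would key on, but it only ever sees the flood after it has crossed the backbone; the ingress filter, applied on the originating network's customer port, drops every packet of the constructed flood because none of its forged sources belongs to that customer. That asymmetry is why the filtering has to happen at the source edge rather than near the victim.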