I'm pissed

  • I'm pissed at the kiddies who think ddos is fun.
  • I'm pissed at hostings/providers not caring enough about their abuse@ mailbox. And I'm more pissed at customer service centers that act like nothing urgent is going on when you call them about their network being part in a DDoS attack.
  • I'm pissed at hostings not checking creditcards and client information before accepting an order.

Internet needs a change, providers need to react faster in these days, they need to act more responsible and faster.

There should be a mechanism as endpoint to tell another endpoint in a fast way that you don't want their traffic, without needing to make a shitload of calls or send emails. Call it reverse firewalling. But that would in my opinion be a simple solution to stop ddos. Or at least stop making you feel it's effects.

outsider / Feb-24-2011 19:15:58 GMT

Comments for I'm pissed

These are the 6 (0 hidden) comments for the above post. You may add your own comment below!

thomas said on Feb-27-2011 20:55:11 GMT :

yeh i got my vps hacked and used for tcp floods and noone helped me not even linode the people i got it from :(

chagrain10 said on Feb-28-2011 20:28:10 GMT :

bienvenu si le pire site de merde anglais bravo vous aver gagner dronebl.org je suis utilisateur du tchat francais orange je paye le tchat depuis des annees j ai donc un moyen simple pour trouver mes cohordonees donc c est comme une adresse mac je suis banni meme si pesonne derriere mon ordi c est vrai impossible de separer une personne pour eviter de la bannir pour rien sans motif sans explication je vais pas tarder a demander des dommage et interet pour prejusdice sur un abonement payant qui empeche users de pouvoir l utiliser

Cedders said on Mar-01-2011 12:11:35 GMT :

Yes, a well-staffed and trained abuse desk is necessary for all providers. (It also needs to be accessible: my perception is it's become really hard to contact Yahoo now for example after some years when they were relatively responsive and clean. They only accept abuse reports in ARF format. At some point I hope to create a Thunderbird plugin to help this.)

So IMHO some publicly-supported effort needs to go into raising the ability of all providers to prioritise and react, maybe from the IGF, or raise expectations through BCPs for abuse desks.

But I'm not sure what more can be done about credit cards, since they are surely cancelled as soon as any compromise is suspected. Should hosts run a regular check on them after taking an initial payment?

Alexander Maassen said on Mar-13-2011 11:24:21 GMT :

@chagrain10: Well, my french is as good as your english, so I tried the translator, and even that one made no sense of your gibberish. Something about your cellphone, being blocked and something about charging us for eventual damages... Well, first of all: WE ARE NOT THE ONES LISTING YOU Second: IF YOUR IP IS MOBILE, SOMEONE ELSE FUCKED UP Third: USE ENGLISH PLEASE

Alexander Maassen said on Mar-13-2011 11:30:17 GMT :

@Cedders: Well, during one of the many abuse mailing sessions I had, telus does not even accept attachments like logs, you need to paste them in the mail.

Another ISP does accept attachments, but does not know how to handle .gz's.

The real problem with the ISP's is, that most of them are hosters, and the way they work is that they in most cases forward the abuse report towards the client, but do not further care about it, they do however keep a score and probably warn the user if the score gets too high. Issue is in this case that in most cases the kiddies use that specific host to ddos a single host, and not multiples, so the hoster only gets one or two mails, and thus the score remains low. So much about their stupidity.

Alexander Maassen said on Mar-13-2011 12:57:39 GMT :

I emailed the nanog mailinglist with the question why abuse handling sucks so badly, and this is one of the offlist answers I received that really rocks:

Hi Alexander,

I think the fundamental issues are many, including:

-- a lot of reports are, well, from the GWF (goobers with firewalls) set... they may think they're being attacked even when they aren't, but those false alarms clutter up the abuse/security queues, and sometimes result in real reports (such as yours are) getting overlooked in the fog

-- carriers don't make money dealing with abuse issues, and DDoS mitigation often requires network engineer time (which may be a particularly scarce and expensive commodity at many providers); I suspect that some providers have a policy of taking their time looking at some attack reports, to see if the attacker will get bored (or the target will perfect the attack's objective by taking themselves offline), thereby making effort on their part unnecessary

-- taking action against clients tends to PO the client; sales doesn't like that, and at some ISPs, sales has the ultimate veto power over any proposed negative action

-- taking action against clients tends to generate customer support calls; customer support doesn't like that (customer support particularly likes it when the issue may be botted hosts behind a PAT'ing firewall, and time stamps are wonky, and source port information is non-existent, and the PAT firewall operator doesn't bother logging)

-- taking action against clients may iritate legal ("when you filtered their gateway IP, you not only blocked their email server and their web site, you also blocked their Asterisk VoIP box, and the CEO had a heart attack which they couldn't get an ambulance to respond to because...? you'd blocked their phone service, you mo-ron!")

-- I suspect that some providers may have a "blame the victim" mentality ("they wouldn't be getting DDoS'd if they hadn't been sshl*sh to someone on IRC" or whatever); obviously this is wrongheaded, but there you go

-- a surprising number of networks are shockingly badly instrumented (e.g., no Netflow, etc.); as we move from IPv4 to being dual stack, this is only going to get worse... if they're "driving blind" they can't readily confirm the problem you're reporting

-- hierarchical issues may delay abuse handling (an IP may appear to belong to provider foo, but provider foo has actually "informally delegated" that address space to provider bar (even if that's not reflected in SWIPs or rwhois entries); provider bar has in turn "informally redelegated" that address space still further, etc. Each layer in that wedding cake may take too long to cut through.

-- traffic may be spoofed (e.g., DNS-based denial of service attacks, for example); because many networks still don't do BCP38 filtering at their border, random UDP traffic may get injected into the global Internet, and once it gets a few hops out accross a couple of different providers, well, backtracking that traffic can be a "lot of fun"

-- etc., etc., etc.

In a nutshell, frankly, I'm surprised that as many abuse incidents get handled, as do!

Regards,

Joe St Sauver, Ph.D. (joe@oregon.uoregon.edu) http://pages.uoregon.edu/joe/

Add your own comment

Your name
Your comment
You can use markdown syntax here for formatting.