DroneBL

I'm pissed

The Internet needs a change: providers need to react faster these days, and they need to act more responsibly and more quickly.

There should be a mechanism for one endpoint to tell another endpoint, quickly, that it doesn't want their traffic, without needing to make a shitload of calls or send emails. Call it reverse firewalling. In my opinion that would be a simple solution to stop DDoS, or at least to stop you from feeling its effects.

outsider / Feb-24-2011 19:15:58 GMT

Comments for I'm pissed

These are the 6 (0 hidden) comments for the above post.

Alexander Maassen said on Mar-13-2011 12:57:39 GMT :

I emailed the NANOG mailing list with the question why abuse handling sucks so badly, and this is one of the off-list answers I received that really rocks:

Hi Alexander,

I think the fundamental issues are many, including:

-- a lot of reports are, well, from the GWF (goobers with firewalls)
set... they may think they're being attacked even when they
aren't, but those false alarms clutter up the abuse/security
queues, and sometimes result in real reports (such as yours are)
getting overlooked in the fog

-- carriers don't make money dealing with abuse issues, and DDoS
mitigation often requires network engineer time (which may be
a particularly scarce and expensive commodity at many providers);
I suspect that some providers have a policy of taking their time
looking at some attack reports, to see if the attacker will get
bored (or the target will perfect the attack's objective by
taking themselves offline), thereby making effort on their part
unnecessary

-- taking action against clients tends to PO the client; sales
doesn't like that, and at some ISPs, sales has the ultimate veto
power over any proposed negative action

-- taking action against clients tends to generate customer support
calls; customer support doesn't like that (customer support
particularly likes it when the issue may be botted hosts behind
a PAT'ing firewall, and time stamps are wonky, and source port
information is non-existent, and the PAT firewall operator doesn't
bother logging)

-- taking action against clients may irritate legal ("when you
filtered their gateway IP, you not only blocked their email
server and their web site, you also blocked their Asterisk VoIP
box, and the CEO had a heart attack which they couldn't get
an ambulance to respond to because...? you'd blocked their phone
service, you mo-ron!")

-- I suspect that some providers may have a "blame the victim"
mentality ("they wouldn't be getting DDoS'd if they hadn't been
sshl*sh to someone on IRC" or whatever); obviously this is
wrongheaded, but there you go

-- a surprising number of networks are shockingly badly instrumented
(e.g., no Netflow, etc.); as we move from IPv4 to being dual stack,
this is only going to get worse... if they're "driving blind" they
can't readily confirm the problem you're reporting

-- hierarchical issues may delay abuse handling (an IP may appear to
belong to provider foo, but provider foo has actually "informally
delegated" that address space to provider bar (even if that's not
reflected in SWIPs or rwhois entries); provider bar has in turn
"informally redelegated" that address space still further, etc.
Each layer in that wedding cake may take too long to cut through.

-- traffic may be spoofed (e.g., DNS-based denial of service attacks,
for example); because many networks still don't do BCP38 filtering
at their border, random UDP traffic may get injected into the
global Internet, and once it gets a few hops out across a couple
of different providers, well, backtracking that traffic can be a
"lot of fun"

-- etc., etc., etc.

In a nutshell, frankly, I'm surprised that as many abuse incidents
get handled, as do!

Regards,

Joe St Sauver, Ph.D. (joe@oregon.uoregon.edu)
http://pages.uoregon.edu/joe/

thomas said on Feb-27-2011 20:55:11 GMT :

Yeah, I got my VPS hacked and used for TCP floods and no one helped me, not even Linode, the people I got it from :(

chagrain10 said on Feb-28-2011 20:28:10 GMT :

Welcome to the worst shitty English site, congratulations, you have won, dronebl.org. I am a user of the French Orange chat; I have been paying for the chat for years, so there is a simple way to find my details, it's like a MAC address. I am banned even when there is nobody behind my computer. It's true that it is impossible to single out one person so as to avoid banning them for nothing, without reason, without explanation. I will soon be claiming damages for prejudice to a paid subscription that prevents users from being able to use it.

Cedders said on Mar-01-2011 12:11:35 GMT :

Yes, a well-staffed and trained abuse desk is necessary for all providers. (It also needs to be accessible: my perception is it's become really hard to contact Yahoo now for example after some years when they were relatively responsive and clean. They only accept abuse reports in ARF format. At some point I hope to create a Thunderbird plugin to help this.)

So IMHO some publicly-supported effort needs to go into raising the ability of all providers to prioritise and react, maybe from the IGF, or raise expectations through BCPs for abuse desks.

But I'm not sure what more can be done about credit cards, since they are surely cancelled as soon as any compromise is suspected. Should hosts run a regular check on them after taking an initial payment?
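Cedders mentions that some abuse desks only accept reports in ARF format. As an added example that is not part of the page or any commenter's code, here is how an ARF (RFC 5965) feedback report is assembled and read back with Python's standard email library; the reporter and recipient addresses, the 192.0.2.77 source (TEST-NET-1), the "ArfExample" User-Agent name and the offending message are all constructed for illustration.

```python
"""Build and parse an ARF (RFC 5965) abuse report with the standard library.

Added example, not code from the DroneBL page or its commenters. The
addresses, the 192.0.2.77 source (TEST-NET-1), the User-Agent name and
the offending message below are constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample: the spam message as the victim's MTA received it.
OFFENDING_MESSAGE = """\
Received: from 192.0.2.77 by mx.example.net; Fri, 25 Feb 2011 09:12:00 +0000
From: bot@192.0.2.77
To: victim@example.net
Subject: buy now
Message-ID: <abc123@192.0.2.77>

spam body
"""

# Feedback-Type values registered by RFC 5965 (later RFCs added more).
FEEDBACK_TYPES = {"abuse", "fraud", "other", "virus"}
# Fields RFC 5965 makes mandatory in the feedback-report part.
REQUIRED_FIELDS = ("Feedback-Type", "User-Agent", "Version")


def build_arf_report(reporter, abuse_contact, offending, source_ip,
                     feedback_type="abuse", incidents=1):
    """Return an ARF report as a string: multipart/report with three parts."""
    if feedback_type not in FEEDBACK_TYPES:
        raise ValueError("unknown Feedback-Type: %s" % feedback_type)
    outer = MIMEMultipart("report", report_type="feedback-report")
    outer["From"] = reporter
    outer["To"] = abuse_contact
    outer["Subject"] = "Abuse report for %s" % source_ip

    # Part 1: human-readable summary for whoever reads the queue.
    outer.attach(MIMEText(
        "This is an abuse report in ARF (RFC 5965) format for mail from %s.\n"
        % source_ip))

    # Part 2: machine-readable fields, laid out as a header block.
    fields = Message()
    fields["Feedback-Type"] = feedback_type
    fields["User-Agent"] = "ArfExample/0.1"   # assumed name for this example
    fields["Version"] = "1"
    fields["Source-IP"] = source_ip
    fields["Incidents"] = str(incidents)
    report = MIMEBase("message", "feedback-report")
    report.attach(fields)
    outer.attach(report)

    # Part 3: the offending message itself, so the provider can verify it.
    outer.attach(MIMEMessage(message_from_string(offending)))
    return outer.as_string()


def parse_arf_report(raw):
    """Validate an ARF report and return the fields an abuse desk keys on."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not a multipart/report with report-type=feedback-report")
    parts = msg.get_payload()
    report = next((p for p in parts
                   if p.get_content_type() == "message/feedback-report"), None)
    if report is None:
        raise ValueError("missing message/feedback-report part")
    # The parser treats message/* bodies as nested messages, so the ARF
    # fields come back as headers of the nested Message object.
    fields = report.get_payload(0)
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError("missing required ARF fields: %s" % ", ".join(missing))
    original = next((p for p in parts
                     if p.get_content_type() == "message/rfc822"), None)
    original_id = original.get_payload(0)["Message-ID"] if original else None
    return {
        "feedback_type": fields["Feedback-Type"],
        "source_ip": fields.get("Source-IP"),
        "incidents": int(fields.get("Incidents", "1")),
        "original_message_id": original_id,
    }


if __name__ == "__main__":
    raw = build_arf_report("abuse-desk@example.org", "abuse@example.com",
                           OFFENDING_MESSAGE, "192.0.2.77")
    print(raw)
    print(parse_arf_report(raw))
```

The report is what an automated desk expects: a summary a human can read, a fixed set of fields a script can key on, and the full original message so the provider can check the Received chain itself rather than trust the reporter's timestamps.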

Alexander Maassen said on Mar-13-2011 11:24:21 GMT :

@chagrain10:
Well, my French is as good as your English, so I tried the translator, and even that made no sense of your gibberish.
Something about your cellphone being blocked, and something about charging us for eventual damages...
Well, first of all: WE ARE NOT THE ONES LISTING YOU
Second: IF YOUR IP IS MOBILE, SOMEONE ELSE FUCKED UP
Third: USE ENGLISH PLEASE

Alexander Maassen said on Mar-13-2011 11:30:17 GMT :

@Cedders: Well, during one of the many abuse mailing sessions I had, Telus did not even accept attachments like logs; you need to paste them in the mail.

Another ISP does accept attachments, but does not know how to handle .gz's.

The real problem with the ISPs is that most of them are hosters, and the way they work is that in most cases they forward the abuse report to the client but do not care about it any further. They do, however, keep a score and probably warn the user if the score gets too high. The issue in this case is that the kiddies mostly use that specific host to DDoS a single host, not multiple ones, so the hoster only gets one or two mails and the score remains low. So much for their stupidity.
