[Dshield] monkeys.com UPL being DDOSed to death

Al Reust areust at comcast.net
Wed Sep 24 05:39:34 GMT 2003


Hello All

It has been a long computing week; is it Friday yet? I am going to point 
out some things that are food for thought. It may be a bit disjointed; 
please take the time to read and then think about how it can be done! 
Please do not let blockers stand in the way; they just need to be 
identified. We all know that "you/we" find a way to get around them anyway.

Maybe I am a rabble-rouser, but if there were more distributed servers, then 
that would mean more "particular" networks would be under distress, not a 
single one. This would also mean that more "providers" would be under the 
gun to stop the attacks, meaning various NOCs would shut down the threat 
as quickly as possible. More "big money" would put pressure where it belongs.

Simple, More Big Voices equal More Power.

So if the distributions were based in as many networks as possible, with a 
minimum level of hardware and communications, it could work. Win2K was 
designed to communicate directory changes across a 33.6K modem connection. 
It only propagates changes.

Other things that would be necessary would be a common list of NOC access 
points and who to call/email. This also could be coordinated. While it 
might not totally make the attack useless, it would distribute it across 
many networks and still be able to maintain some functionality.

A fairly solid Win2K box would do; then import the DNS files. Then 
set up a transfer of the database and bring it live; most of it could be 
scripted. Yes, I know that there are a lot of Unix people (I have been 
forced to live in the Win32 world for the last 4 years), and that can also be 
scripted. The big idea, and the hard part, would be the load balancing. 
Imagine 1,000-plus machines on something as simple as a broadband 
connection. Incoming is more open; it is then distributed "locally", which 
means fewer requests getting into the larger network. To an extent, that was 
the purpose of BGP4. At a point in time (ideally) larger networks could host 
it at the routing point, which means they offload more traffic for better 
utilization of their resources. It makes sense but takes time to mechanize. 
So someone smaller should start it, so they can easily make the transition as 
it makes more sense.

So if SETI can do it with "distributed computing", then there are ways to make 
this work. Then proof that email marketers are the cause would open new, 
verifiable news stories.

Some of us that could meet the hardware level, network connectivity and 
software requirements would volunteer for a period of time. Depending on 
the income to support basic costs, others would be in for the long haul.

So while this looks grim, planning to ensure that a single attack cannot 
disrupt this kind of service becomes more important.

The other side benefit would be that "we" know thousands of home users' 
computers are used for this type of attack. The more that can be identified 
and taken off the network, the more the overall health of the network improves. Yes, 
we know that ISPs would prefer to ignore a single box that is under 
"black" control. Knock it offline and the problem is solved until next 
time. It all comes back to education and training. During the MSBlaster 
series I talked with 4 people that thought the McAfee 4.x CD protected 
their computer. I pointed out that McAfee (and Symantec, et al.) no 
longer support those older versions and you have to upgrade. Realistically, 
some of those "people" paid money to some computer repair shop to put 
the basic OS back and then did not patch it. The user does not understand; 
they paid money to fix a problem (or thought the problem was fixed). They 
are now open candidates for the next round. So the first step in education 
is telling all those that ask you a question about their home machines. 
Take time to inform them, and they then tell their friends. If a web page 
explains it in simple terms, then they can send the link to friends. It then 
becomes people helping people: word-of-mouth advertising.

Yes, I also know a lot of system administrators that think it is not a 
problem until it happens to them. I also know they do not have the time or 
resources to test what they should be updating. Yes, this is a large problem.

If someone has time to create the web pages to explain this, I will 
advertise them on my web site and send them to 7 security managers, 5 CIOs, 
several security engineers, several system administrators, a couple of 
contacts in the Microsoft/Dell Fed sector and, last but not least, 59 independent 
users to start spreading the information. I will even mirror the originals, with proper 
credits. As this is started I am sure that many others (you 
also) can touch hundreds of people. Those hundreds touch thousands. All 
that is needed is one person to write information in a form that a user 
can understand. Then this august group supports it. I know that we all can 
touch several thousand Internet users. End of statement! How many people 
can they touch?

Yes, we have been at the "disadvantage"; it is now time to start turning the 
tables. It should be based on common sen$e.

Scrap as I put the soapbox away.

Al



At 06:41 PM 9/23/2003 -0400, you wrote:
>John Hardin wrote:
> >
> > On Tue, 2003-09-23 at 13:48, Jon R. Kibler wrote:
> > > Greetings to all:
> > >
> > > I have some really sad news. I just got off the telephone with Ron
> > > Guilmette who runs the monkeys.com Unsecured Proxies List DNSBL. I
> > > hate to say it, but monkeys.com has been killed. It has been DDOSed to
> > > death.
> > >
> > > This makes two DNSBLs that have been DDOSed to death recently. Which
> > > one is next? NJABL? ORDB?
> >
> > There has to be a way to eliminate the single-point-of-failure here.
> >
> > What if the community sets up a distributed DNS net to serve the DNSRBL
> > data? The root server could distribute updates only to secondaries that
> > have registered. If there were several hundred secondaries then the zone
> > would be harder to kill.
> >
> > How many DNS secondaries can one zone be served by?
> >
> > I know there are commercial services that provide this. How difficult
> > would it be to set up and manage by a community?
>
>
>I talked to Ron about this type of an idea. The problem is not so much a 
>single point of failure as it is the massiveness of the attack. If you 
>have several thousand attackers against one database, having 40 replicates 
>would not do much to thwart an attack of that scale.
>
>There are also the problems of distributing the reporting and testing, and 
>keeping all of that coordinated and in sync.
>
>I am not saying it can't be done... in fact, I would like to see it be 
>done... the only question is how to do it in a reasonable manner, pay for 
>it, etc.
>
>Jon Kibler
>
>
>
>
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
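The mechanism the thread is arguing about (a master list copy, many secondaries that pull only the changes, and a resolver that fails over between them) can be sketched in a few dozen lines. The following is an added illustration for this thread; it is not code from the list, from Ron Guilmette's monkeys.com UPL, or from any real DNS server, and it models zone transfer in memory rather than speaking DNS on the wire. The zone name upl.example, the serial numbers and every address are constructed for the example; the "listed" value 127.0.0.2 follows the usual DNSBL convention.

```python
"""Toy model of a DNSBL zone replicated to many secondaries.

Added illustration for this thread, not code from the list, from the
monkeys.com UPL, or from any DNS server. The zone name upl.example and
every address used below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

ZONE = "upl.example"          # hypothetical list zone


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Form the query name a DNSBL client sends: reverse the octets of the
    IPv4 address and append the zone, so 1.2.3.4 becomes 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


@dataclass
class Primary:
    """The list maintainer's master copy: an SOA-style serial plus a change
    log, which is what lets secondaries pull only the delta (IXFR) rather
    than the whole zone (AXFR) on every refresh."""
    serial: int = 2003092400                  # YYYYMMDDnn-style serial
    records: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def _change(self, op, name, value):
        self.serial += 1
        self.history.append((self.serial, op, name, value))

    def list_ip(self, ip: str, value: str = "127.0.0.2") -> None:
        name = dnsbl_name(ip)
        self.records[name] = value
        self._change("add", name, value)

    def delist_ip(self, ip: str) -> None:
        name = dnsbl_name(ip)
        self.records.pop(name, None)
        self._change("del", name, None)

    def ixfr(self, since_serial: int):
        """Changes newer than the caller's serial. A secondary starting from
        serial 0 receives the full history, i.e. the AXFR case."""
        return self.serial, [c for c in self.history if c[0] > since_serial]


@dataclass
class Secondary:
    """One volunteer mirror. It holds a full copy and keeps answering
    queries when the primary or another mirror is unreachable."""
    name: str
    serial: int = 0
    records: dict = field(default_factory=dict)
    reachable: bool = True

    def refresh(self, primary: Primary) -> int:
        """Apply the incremental transfer; returns the number of changes."""
        new_serial, changes = primary.ixfr(self.serial)
        for _, op, name, value in changes:
            if op == "add":
                self.records[name] = value
            else:
                self.records.pop(name, None)
        self.serial = new_serial
        return len(changes)

    def query(self, qname: str):
        if not self.reachable:            # simulates a mirror knocked off the net
            raise TimeoutError(self.name)
        return self.records.get(qname)


def check(ip: str, mirrors) -> tuple:
    """Resolver-side lookup with failover across mirrors.

    Returns (listed, mirror_name). If every mirror times out it returns
    (None, None): a mail filter should treat that as "unknown" and fail
    open rather than reject all mail because the list is under attack."""
    qname = dnsbl_name(ip)
    for m in mirrors:
        try:
            return m.query(qname) is not None, m.name
        except TimeoutError:
            continue
    return None, None


if __name__ == "__main__":
    primary = Primary()
    primary.list_ip("192.0.2.10")            # constructed open-proxy entry
    mirrors = [Secondary("ns1"), Secondary("ns2")]
    for m in mirrors:
        m.refresh(primary)
    mirrors[0].reachable = False             # ns1 is being DDoSed
    print(check("192.0.2.10", mirrors))      # (True, 'ns2')
```

Two things the model makes visible that the prose only implies: a mirror that has not refreshed since a delisting still answers "listed" (the cost of distribution is staleness, bounded by the refresh interval), and a client that cannot reach any mirror gets no answer at all, which is why the lookup returns None rather than treating a dead list as "not listed" or, worse, as "listed".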



