[Dshield] monkeys.com UPL being DDOSed to death

Doug White doug at clickdoug.com
Wed Sep 24 14:57:18 GMT 2003

I would be willing to dedicate the hardware and bandwidth for one of the
servers, but I would need some help in setting it up.
O/S and DB software is not a problem- whatever is needed, I can make it
I hope this will get things started.

Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Al Reust" <areust at comcast.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, September 24, 2003 12:39 AM
Subject: Re: [Dshield] monkeys.com UPL being DDOSed to death

| Hello All
| It has been a Long Computing week, is it Friday yet? I am going to point
| out some things that are food for thought. It may be a bit disjointed,
| please take the time to read and then think about how it can be done!
| Please do not let Blockers stand in the way they just need to be
| identified. We all know that "you/we" find a way to get around them anyway.
| Maybe I am a rabble rouser, but if there were more distributed servers then
| that would mean more "particular" networks would be under distress not a
| single one. This would also mean that more "providers" would be under the
| gun to stop the attacks. Meaning various NOC's would shut down the threat,
| as quickly as possible. More "Big Money" would put pressure where it belongs.
| Simple, More Big Voices equal More Power.
| So if the distributions were based in as many networks as possible with a
| minimum level of hardware and communications. It could work. Win 2K was
| designed to communicate directory changes across a 33.6K modem connection.
| It only propagates changes.
| Other things that would be necessary would be a common list of NOC access
| points and who to call/email. This also could be coordinated. While it
| might not totally make the attack useless, it would distribute it across
| many networks and still be able to maintain some functionality.
| A fairly Solid Win2K box would do and then import the DNS files.. Then
| setup a transfer of the database and then bring it live, most could be
| scripted. Yes I know that there are a lot of Unix people ( I have been
| forced to live in the Wn32 world for the last 4 years) and that can also be
| scripted. The big idea and the hard part would be the load balancing.
| Imagine a 1,000 plus machines on something as simple as a Broadband
| connection. Incoming is More open,  it is then distributed "locally" that
| means less requests getting into the larger network. To an extent that was
| the purpose of BGP4.  At a point in time (ideal) larger networks could host
| it at the routing point which means they offload more traffic for better
| utilization of their resources. It makes Sense but takes time to mechanize.
| So someone smaller starting it, so they can easily make the transition as
| it makes more sense.
| So if Seti can do it "distributed computing" then there are ways to make
| this work. Then, Proof that email marketers are the cause would open new
| verifiable News Stories..
| Some us of that could meet the hardware level, network connectivity and
| Software requirements; would volunteer for a period of time. Depending on
| the income to support basic costs other would be in for the long haul.
| So while this looks Grim, planning to insure that a single attack can not
| disrupt this kind of service becomes more important.
| The other side benefit would be that "we" know thousands of home users
| computers are used for this type of attack. The more that can be identified
| and taken off the network the overall health of the network improves. Yes
| we know that ISP's would prefer to ignore a single box that is under
| "Black" control. Knock it Offline and the problem is solved until next
| time. It all comes back to education and training. During the MSBlaster
| Series I talked with 4 people that thought the McAffee 4.x Cd protected
| their computer.. When I pointed out that McAffee (and Symantec, et al) no
| longer support those older versions and You have to Upgrade. Realistically
| some of those "people" that paid money to some computer repair shop to put
| the basic OS back and then not patch it. The Users does not understand,
| they paid money to fix a problem (or thought the problem was fixed). They
| are now open candidates for the next round.. So the first step in education
| is telling all those that ask a you question about their home machines.
| Take time to inform them, and they then tell their friends. If a Web page
| explains in simple terms then they can send the link to friends. It then
| becomes People helping People.. Word of Mouth advertising.
| Yes I also know a lot of System Administrators that think it is not a
| Problem until it happens to them. I also know they do not have time or
| resources to test what they should be updating. yes this a Large Problem
| If someone has time to create the web pages to explain this, I will
| advertise them on My web site, send them to 7 Security Managers, 5 CIO's,
| several Security Engineers, several System Administrators and a couple of
| contacts in Microsoft/Dell Fed Sector, last but not least 59 independent
| users to start spreading the information. I will even Mirror with proper
| credits the originals. As this is started I am sure that many others (that
| You also) can touch hundreds of people. Those Hundreds touch thousands. All
| that is needed is one person, to write information in a form that a User
| can understand. Then this August Group support it.  I know that we all can
| touch several thousand(s) Internet Users. End of Statement! How many people
| can they Touch?
| Yes we have been at the "disadvantage," it is now time to start turning the
| tables. It should be based on common sen$e.
| Scrap as I put the soap box away.
| Al
| At 06:41 PM 9/23/2003 -0400, you wrote:
| >John Hardin wrote:
| > >
| > > On Tue, 2003-09-23 at 13:48, Jon R. Kibler wrote:
| > > > Greetings to all:
| > > >
| > > > I have some really sad news. I just got off the telephone with Ron
| > > > Guilmette who runs the monkeys.com Unsecured Proxies List DNSBL. I
| > > > hate to say it, but monkeys.com has been killed. It has been DDOSed to
| > > > death.
| > > >
| > > > This makes two DNSBLs that have been DDOSed to death recently. Which
| > > > one is next? NJABL? ORDB?
| > >
| > > There has to be a way to eliminate the single-point-of-failure here.
| > >
| > > What if the community sets up a distributed DNS net to serve the DNSRBL
| > > data? The root server could distribute updates only to secondaries that
| > > have registered. If there were several hundred secondaries then the zone
| > > would be harder to kill.
| > >
| > > How many DNS secondaries can one zone be served by?
| > >
| > > I know there are commercial services that provide this. How difficult
| > > would it be to set up and manage by a community?
| >
| >
| >I talked to Ron about this type of an idea. The problem is not so much a
| >single point of failure as it is the massiveness of the attack. If you
| >have several thousand attackers against one database, having 40 replicates
| >would not do much to thwart an attack of that scale.
| >
| >There are also the problems of distributing the reporting and testing, and
| >keeping all of that coordinated and in sync.
| >
| >I am not saying it can't be done... in fact, I would like to see it be
| >done... the only question is how to do it in a reasonable manner, pay for
| >it, etc.
| >
| >Jon Kibler
| >
| >
| >
| >
| >==================================================
| >Filtered by: TRUSTEM.COM's Email Filtering Service
| >http://www.trustem.com/
| >No Spam. No Viruses. Just Good Clean Email.
| >
| >_______________________________________________
| >list mailing list
| >list at dshield.org
| >To change your subscription options (or unsubscribe), see:
| >http://www.dshield.org/mailman/listinfo/list
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:

More information about the list mailing list