[Dshield] monkeys.com UPL being DDOSed to death

DAN MORRILL dan_20407 at msn.com
Wed Sep 24 15:06:40 GMT 2003

I would happily give up some of the horse power I have to do a good thing 
for the community. Since I already have done this, especially on a 
distributed IDS net using DSL Customers and Broadband customers, I could 
mirror anything.

The only problem I would have, is if I go down due to a DDOS, then I have an 
issue. Or the other issue would be will it violate my terms of service from 
Qwest? I'll check. If it will help, and will work, then I am there.

Dan Morrill
CTO Oak Tree Infosec

>From: Al Reust <areust at comcast.net>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: General DShield Discussion List <list at dshield.org>
>Subject: Re: [Dshield] monkeys.com UPL being DDOSed to death
>Date: Tue, 23 Sep 2003 22:39:34 -0700
>Hello All
>It has been a Long Computing week, is it Friday yet? I am going to point 
>out some things that are food for thought. It may be a bit disjointed, 
>please take the time to read and then think about how it can be done! 
>Please do not let Blockers stand in the way they just need to be 
>identified. We all know that "you/we" find a way to get around them anyway.
>Maybe I am a rabble rouser, but if there were more distributed servers then 
>that would mean more "particular" networks would be under distress not a 
>single one. This would also mean that more "providers" would be under the 
>gun to stop the attacks. Meaning various NOC's would shut down the threat, 
>as quickly as possible. More "Big Money" would put pressure where it 
>Simple, More Big Voices equal More Power.
>So if the distributions were based in as many networks as possible with a 
>minimum level of hardware and communications. It could work. Win 2K was 
>designed to communicate directory changes across a 33.6K modem connection. 
>It only propagates changes.
>Other things that would be necessary would be a common list of NOC access 
>points and who to call/email. This also could be coordinated. While it 
>might not totally make the attack useless, it would distribute it across 
>many networks and still be able to maintain some functionality.
>A fairly Solid Win2K box would do and then import the DNS files.. Then 
>setup a transfer of the database and then bring it live, most could be 
>scripted. Yes I know that there are a lot of Unix people ( I have been 
>forced to live in the Wn32 world for the last 4 years) and that can also be 
>scripted. The big idea and the hard part would be the load balancing. 
>Imagine a 1,000 plus machines on something as simple as a Broadband 
>connection. Incoming is More open,  it is then distributed "locally" that 
>means less requests getting into the larger network. To an extent that was 
>the purpose of BGP4.  At a point in time (ideal) larger networks could host 
>it at the routing point which means they offload more traffic for better 
>utilization of their resources. It makes Sense but takes time to mechanize. 
>So someone smaller starting it, so they can easily make the transition as 
>it makes more sense.
>So if Seti can do it "distributed computing" then there are ways to make 
>this work. Then, Proof that email marketers are the cause would open new 
>verifiable News Stories..
>Some us of that could meet the hardware level, network connectivity and 
>Software requirements; would volunteer for a period of time. Depending on 
>the income to support basic costs other would be in for the long haul.
>So while this looks Grim, planning to insure that a single attack can not 
>disrupt this kind of service becomes more important.
>The other side benefit would be that "we" know thousands of home users 
>computers are used for this type of attack. The more that can be identified 
>and taken off the network the overall health of the network improves. Yes 
>we know that ISP's would prefer to ignore a single box that is under 
>"Black" control. Knock it Offline and the problem is solved until next 
>time. It all comes back to education and training. During the MSBlaster 
>Series I talked with 4 people that thought the McAffee 4.x Cd protected 
>their computer.. When I pointed out that McAffee (and Symantec, et al) no 
>longer support those older versions and You have to Upgrade. Realistically 
>some of those "people" that paid money to some computer repair shop to put 
>the basic OS back and then not patch it. The Users does not understand, 
>they paid money to fix a problem (or thought the problem was fixed). They 
>are now open candidates for the next round.. So the first step in education 
>is telling all those that ask a you question about their home machines. 
>Take time to inform them, and they then tell their friends. If a Web page 
>explains in simple terms then they can send the link to friends. It then 
>becomes People helping People.. Word of Mouth advertising.
>Yes I also know a lot of System Administrators that think it is not a 
>Problem until it happens to them. I also know they do not have time or 
>resources to test what they should be updating. yes this a Large Problem
>If someone has time to create the web pages to explain this, I will 
>advertise them on My web site, send them to 7 Security Managers, 5 CIO's, 
>several Security Engineers, several System Administrators and a couple of 
>contacts in Microsoft/Dell Fed Sector, last but not least 59 independent 
>users to start spreading the information. I will even Mirror with proper 
>credits the originals. As this is started I am sure that many others (that 
>You also) can touch hundreds of people. Those Hundreds touch thousands. All 
>that is needed is one person, to write information in a form that a User 
>can understand. Then this August Group support it.  I know that we all can 
>touch several thousand(s) Internet Users. End of Statement! How many people 
>can they Touch?
>Yes we have been at the "disadvantage," it is now time to start turning the 
>tables. It should be based on common sen$e.
>Scrap as I put the soap box away.
>At 06:41 PM 9/23/2003 -0400, you wrote:
>>John Hardin wrote:
>> >
>> > On Tue, 2003-09-23 at 13:48, Jon R. Kibler wrote:
>> > > Greetings to all:
>> > >
>> > > I have some really sad news. I just got off the telephone with Ron
>> > > Guilmette who runs the monkeys.com Unsecured Proxies List DNSBL. I
>> > > hate to say it, but monkeys.com has been killed. It has been DDOSed 
>> > > death.
>> > >
>> > > This makes two DNSBLs that have been DDOSed to death recently. Which
>> > > one is next? NJABL? ORDB?
>> >
>> > There has to be a way to eliminate the single-point-of-failure here.
>> >
>> > What if the community sets up a distributed DNS net to serve the DNSRBL
>> > data? The root server could distribute updates only to secondaries that
>> > have registered. If there were several hundred secondaries then the 
>> > would be harder to kill.
>> >
>> > How many DNS secondaries can one zone be served by?
>> >
>> > I know there are commercial services that provide this. How difficult
>> > would it be to set up and manage by a community?
>>I talked to Ron about this type of an idea. The problem is not so much a 
>>single point of failure as it is the massiveness of the attack. If you 
>>have several thousand attackers against one database, having 40 replicates 
>>would not do much to thwart an attack of that scale.
>>There are also the problems of distributing the reporting and testing, and 
>>keeping all of that coordinated and in sync.
>>I am not saying it can't be done... in fact, I would like to see it be 
>>done... the only question is how to do it in a reasonable manner, pay for 
>>it, etc.
>>Jon Kibler
>>Filtered by: TRUSTEM.COM's Email Filtering Service
>>No Spam. No Viruses. Just Good Clean Email.
>>list mailing list
>>list at dshield.org
>>To change your subscription options (or unsubscribe), see: 
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

Share your photos without swamping your Inbox.  Get Hotmail Extra Storage 
today! http://join.msn.com/?PAGE=features/es

More information about the list mailing list