[Dshield] monkeys.com UPL being DDOSed to death

Mike Beattie webmaster at erthdra.com
Wed Sep 24 16:30:19 GMT 2003


I would certainly be willing to help too.
I have a small network with a 3 meg connection (http,smtp,dns etc)

-----Original Message-----
From: Brenden Walker [mailto:BKWalker at drbsystems.com]
Sent: Wednesday, September 24, 2003 11:44 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] monkeys.com UPL being DDOSed to death


Same here, I'm just a small time Linux server admin (web, ftp, internal
pop/imap..etc) behind a cable modem.. But perhaps I could provide some level
of service for this.

> -----Original Message-----
> From: DAN MORRILL [mailto:dan_20407 at msn.com] 
> Sent: Wednesday, September 24, 2003 11:07 AM
> To: list at dshield.org
> Subject: Re: [Dshield] monkeys.com UPL being DDOSed to death
> 
> 
> 
> 
> I would happily give up some of the horse power I have to do 
> a good thing 
> for the community. Since I already have done this, especially on a 
> distributed IDS net using DSL Customers and Broadband 
> customers, I could 
> mirror anything.
> 
> The only problem I would have, is if I go down due to a DDOS, 
> then I have an 
> issue. Or the other issue would be will it violate my terms 
> of service from 
> Qwest? I'll check. If it will help, and will work, then I am there.
> 
> R/
> Dan Morrill
> CTO Oak Tree Infosec
> 
> 
> 
> >From: Al Reust <areust at comcast.net>
> >Reply-To: General DShield Discussion List <list at dshield.org>
> >To: General DShield Discussion List <list at dshield.org>
> >Subject: Re: [Dshield] monkeys.com UPL being DDOSed to death
> >Date: Tue, 23 Sep 2003 22:39:34 -0700
> >
> >Hello All
> >
> >It has been a Long Computing week, is it Friday yet? I am going to 
> >point
> >out some things that are food for thought. It may be a bit 
> disjointed, 
> >please take the time to read and then think about how it can 
> be done! 
> >Please do not let Blockers stand in the way they just need to be 
> >identified. We all know that "you/we" find a way to get 
> around them anyway.
> >
> >Maybe I am a rabble rouser, but if there were more 
> distributed servers 
> >then
> >that would mean more "particular" networks would be under 
> distress not a 
> >single one. This would also mean that more "providers" would 
> be under the 
> >gun to stop the attacks. Meaning various NOC's would shut 
> down the threat, 
> >as quickly as possible. More "Big Money" would put pressure where it 
> >belongs.
> >
> >Simple, More Big Voices equal More Power.
> >
> >So if the distributions were based in as many networks as 
> possible with 
> >a
> >minimum level of hardware and communications. It could work. 
> Win 2K was 
> >designed to communicate directory changes across a 33.6K 
> modem connection. 
> >It only propagates changes.
> >
> >Other things that would be necessary would be a common list of NOC 
> >access
> >points and who to call/email. This also could be 
> coordinated. While it 
> >might not totally make the attack useless, it would 
> distribute it across 
> >many networks and still be able to maintain some functionality.
> >
> >A fairly Solid Win2K box would do and then import the DNS 
> files.. Then
> >setup a transfer of the database and then bring it live, 
> most could be 
> >scripted. Yes I know that there are a lot of Unix people ( I 
> have been 
> >forced to live in the Win32 world for the last 4 years) and 
> that can also be 
> >scripted. The big idea and the hard part would be the load 
> balancing. 
> >Imagine a 1,000 plus machines on something as simple as a Broadband 
> >connection. Incoming is More open,  it is then distributed 
> "locally" that 
> >means less requests getting into the larger network. To an 
> extent that was 
> >the purpose of BGP4.  At a point in time (ideal) larger 
> networks could host 
> >it at the routing point which means they offload more 
> traffic for better 
> >utilization of their resources. It makes Sense but takes 
> time to mechanize. 
> >So someone smaller starting it, so they can easily make the 
> transition as 
> >it makes more sense.
> >
> >So if Seti can do it "distributed computing" then there are ways to 
> >make
> >this work. Then, Proof that email marketers are the cause 
> would open new 
> >verifiable News Stories..
> >
> >Some of us that could meet the hardware level, network 
> connectivity and
> >Software requirements; would volunteer for a period of time. 
> Depending on 
> >the income to support basic costs others would be in for the 
> long haul.
> >
> >So while this looks Grim, planning to insure that a single 
> attack can 
> >not
> >disrupt this kind of service becomes more important.
> >
> >The other side benefit would be that "we" know thousands of 
> home users
> >computers are used for this type of attack. The more that 
> can be identified 
> >and taken off the network the overall health of the network 
> improves. Yes 
> >we know that ISP's would prefer to ignore a single box that is under 
> >"Black" control. Knock it Offline and the problem is solved 
> until next 
> >time. It all comes back to education and training. During 
> the MSBlaster 
> >Series I talked with 4 people that thought the McAfee 4.x 
> Cd protected 
> >their computer.. When I pointed out that McAfee (and 
> Symantec, et al) no 
> >longer support those older versions and You have to Upgrade. 
> Realistically 
> >some of those "people" that paid money to some computer 
> repair shop to put 
> >the basic OS back and then not patch it. The Users do not 
> understand, 
> >they paid money to fix a problem (or thought the problem was 
> fixed). They 
> >are now open candidates for the next round.. So the first 
> step in education 
> >is telling all those that ask you a question about their 
> home machines. 
> >Take time to inform them, and they then tell their friends. 
> If a Web page 
> >explains in simple terms then they can send the link to 
> friends. It then 
> >becomes People helping People.. Word of Mouth advertising.
> >
> >Yes I also know a lot of System Administrators that think it is not a
> >Problem until it happens to them. I also know they do not 
> have time or 
> >resources to test what they should be updating. Yes, this is a 
> Large Problem
> >
> >If someone has time to create the web pages to explain this, I will
> >advertise them on My web site, send them to 7 Security 
> Managers, 5 CIO's, 
> >several Security Engineers, several System Administrators 
> and a couple of 
> >contacts in Microsoft/Dell Fed Sector, last but not least 59 
> independent 
> >users to start spreading the information. I will even Mirror 
> with proper 
> >credits the originals. As this is started I am sure that 
> many others (that 
> >You also) can touch hundreds of people. Those Hundreds touch 
> thousands. All 
> >that is needed is one person, to write information in a form 
> that a User 
> >can understand. Then this August Group support it.  I know 
> that we all can 
> >touch several thousand(s) Internet Users. End of Statement! 
> How many people 
> >can they Touch?
> >
> >Yes we have been at the "disadvantage," it is now time to 
> start turning 
> >the
> >tables. It should be based on common sen$e.
> >
> >Scrap as I put the soap box away.
> >
> >Al
> >
> >
> >
> >At 06:41 PM 9/23/2003 -0400, you wrote:
> >>John Hardin wrote:
> >> >
> >> > On Tue, 2003-09-23 at 13:48, Jon R. Kibler wrote:
> >> > > Greetings to all:
> >> > >
> >> > > I have some really sad news. I just got off the telephone with 
> >> > > Ron Guilmette who runs the monkeys.com Unsecured Proxies List 
> >> > > DNSBL. I hate to say it, but monkeys.com has been 
> killed. It has 
> >> > > been DDOSed
> >>to
> >> > > death.
> >> > >
> >> > > This makes two DNSBLs that have been DDOSed to death recently. 
> >> > > Which one is next? NJABL? ORDB?
> >> >
> >> > There has to be a way to eliminate the single-point-of-failure 
> >> > here.
> >> >
> >> > What if the community sets up a distributed DNS net to serve the 
> >> > DNSRBL data? The root server could distribute updates only to 
> >> > secondaries that have registered. If there were several hundred 
> >> > secondaries then the
> >>zone
> >> > would be harder to kill.
> >> >
> >> > How many DNS secondaries can one zone be served by?
> >> >
> >> > I know there are commercial services that provide this. How 
> >> > difficult would it be to set up and manage by a community?
> >>
> >>
> >>I talked to Ron about this type of an idea. The problem is 
> not so much 
> >>a
> >>single point of failure as it is the massiveness of the 
> attack. If you 
> >>have several thousand attackers against one database, 
> having 40 replicates 
> >>would not do much to thwart an attack of that scale.
> >>
> >>There are also the problems of distributing the reporting 
> and testing, 
> >>and
> >>keeping all of that coordinated and in sync.
> >>
> >>I am not saying it can't be done... in fact, I would like 
> to see it be
> >>done... the only question is how to do it in a reasonable 
> manner, pay for 
> >>it, etc.
> >>
> >>Jon Kibler
> >>
> >>
> >>
> >>
> >>_______________________________________________
> >>list mailing list
> >>list at dshield.org
> >>To change your subscription options (or unsubscribe), see:
> >>http://www.dshield.org/mailman/listinfo/list
