
You're Being DDOSed — What Do You Do? Name and Shame?

Posted by Soulskill
from the stop-drop-and-roll-doesn't-work dept.
badger.foo writes "When you're hit with a DDOS, what do you do? In his most recent column, Peter Hansteen narrates a recent incident that involved a DNS based DDOS against his infrastructure and that of some old friends of his. He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)? How about scans that may or may not be preparations for DDOSes to come?"


  • No (Score:5, Interesting)

    by Anonymous Coward on Tuesday December 25, 2012 @06:49PM (#42390583)

    The only reason you can possibly have for publishing the IP addresses is to provoke vigilante justice type actions, likely a counter-DDoS or something.
    What you should do is report him to the abuse department of his ISP. Note the responses of the ISPs and name and shame the ISPs that do not take action.
    IP addresses from bad ISPs should end up on a "botnet-friendly IP list" so we can start blocking the traffic from these ISPs.

  • by stevegee58 (1179505) on Tuesday December 25, 2012 @06:58PM (#42390637) Journal
    1) It's DISTRIBUTED. You'd have to name and shame thousands.
    2) Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?
  • It's a first step (Score:5, Interesting)

    by bill_mcgonigle (4333) * on Tuesday December 25, 2012 @07:16PM (#42390725) Homepage Journal

    Eventually we should have a reputation-based distributed admin function for the Internet. If a dozen high-rated NetOps guys all sign messages that say that a given IP is spewing DDoS traffic, the infrastructure should permit a block without the owning admin having to deal with it proactively.

    If a network doesn't participate, that could play into trust levels. If an admin screws up, he loses reputation. If an admin tends to advertise YouTube routes into Pakistan, he never gets a good reputation in the first place.

    As usual, it's all trade-offs and we don't yet have an extensible crypto-reputation system, so one thing at a time.

    To the original question - it's probably not going to do much good, but it's good to cultivate such expectations.

  • by Frater 219 (1455) on Tuesday December 25, 2012 @07:42PM (#42390849) Journal

    Sites under DoS attack should publish (through a channel not congested by the attack) a list of the IP addresses attacking them, through some trustworthy third party. Then, other sites should subscribe to that list and refuse service to those addresses until they clean up and stop attacking.

    For instance, consider your uncle who uses AOL. His computer is infected with botnet garbage and is participating in a DoS attack against (say) Slashdot. Slashdot sends a list of attacking IPs, including your uncle's, to Team Cymru (the third party). Cymru aggregates these and publishes a list, updated every three hours. AOL subscribes to that list. When your uncle goes to check his AOL email, he gets an error: "We regret to inform you, your computer has been hacked, and is being used by criminals to break the Internet. You can't get to your AOL email until you kick the criminals off by installing an antivirus program and running a full scan. Click here to install Kaspersky Antivirus for free. Thank you for helping keep criminals from breaking everyone's Internet. Sincerely, Tim Armstrong, CEO, AOL."

    Then your uncle gets mad and calls up AOL and complains. They try walking him through using the antivirus program, but he just curses them out and says he'll go to Hotmail instead. He tries ... but Hotmail also subscribes to the same list and tells him the same thing: "Your computer is infected with malware and is being used to attack other sites on the Internet. You cannot obtain a Hotmail account until your computer is clean. Click here to install Microsoft Antivirus." He gives up and calls AOL back, and they help him get his computer cleaned up. Within half an hour, it's off the botnet; and within three hours, it's off the list of attacking hosts, and your uncle can get his AOL email again.
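The aggregation scheme described in the two comments above (sites report attacking addresses to a trusted third party, which publishes a list that ages entries out after three hours, and subscribers refuse service to listed addresses), as an added example that is not from the posts or from Team Cymru. It assumes, borrowing bill_mcgonigle's point about several operators attesting, that an address is only listed once a minimum number of distinct reporters have named it; the addresses and timestamps are constructed.

```python
from datetime import datetime, timedelta

REPORT_TTL = timedelta(hours=3)  # an address ages off the list three hours after its last report
MIN_REPORTERS = 2                # assumption: distinct reporting sites needed before listing

class AttackerList:
    """Aggregator playing the role of the trusted third party in the comment."""

    def __init__(self, ttl=REPORT_TTL, min_reporters=MIN_REPORTERS):
        self.ttl = ttl
        self.min_reporters = min_reporters
        self._reports = {}  # ip -> {reporter: time of that reporter's latest report}

    def report(self, reporter, ip, seen_at):
        """A site under attack reports one attacking address (latest sighting wins)."""
        self._reports.setdefault(ip, {})[reporter] = seen_at

    def publish(self, now):
        """Return the addresses currently listed: enough reporters with reports younger than ttl."""
        cutoff = now - self.ttl
        listed = []
        for ip, by_reporter in self._reports.items():
            fresh = [t for t in by_reporter.values() if t >= cutoff]
            if len(fresh) >= self.min_reporters:
                listed.append(ip)
        return sorted(listed)

def refuse_service(ip, published):
    """Subscriber-side check: deny access while the client's address is on the published list."""
    return ip in published

def demo():
    # Constructed scenario using RFC 5737 documentation addresses.
    t0 = datetime(2012, 12, 25, 18, 0)
    agg = AttackerList()
    agg.report("slashdot", "198.51.100.7", t0)                           # the uncle's machine
    agg.report("example-news", "198.51.100.7", t0 + timedelta(minutes=10))
    agg.report("slashdot", "203.0.113.9", t0)                            # seen by one site only
    one_hour = agg.publish(t0 + timedelta(hours=1))   # uncle listed; lone report is not
    four_hours = agg.publish(t0 + timedelta(hours=4)) # reports aged out, uncle is off the list
    return one_hour, four_hours

if __name__ == "__main__":
    print(demo())
```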

  • by Gumbercules!! (1158841) on Tuesday December 25, 2012 @09:27PM (#42391409)
    We got DDOS'd a while ago in our data centre. It turns out an ex-employee we let go (performance related) paid (yes, actually paid) some people in Germany (we're in Australia) to fire off a DDOS against our servers from wherever their bots were. Our upstream net provider blocked it for us. Yes: 1000s of IPs - because they used ICMP flooding - so they blocked ICMP traffic to us, upstream. Something we couldn't do ourselves but the ISP could do for us.

    So it's not such a stupid suggestion at all. Of course, had they all launched port 80 TCP connections against us, yes, we would have been in serious trouble but I suppose we could have asked them to block non-Australian traffic for the day or until it stopped - overseas traffic is really not a big deal for us.

    And for the record, the guy who kicked the whole thing off, we didn't bother to press charges, even though he bragged about it on Facebook (without first unfriending me, the idiot) because, thanks to the ISP, his efforts largely failed and we got some revenge when he tried to use us as a reference (and we were his only employers, so far).
