[OT somewhat] DDOS attacks, where to report?


shimi linux-il at shimi.net
Sat Jan 26 22:09:28 IST 2013


On Sat, Jan 26, 2013 at 8:52 PM, Jonathan Ben Avraham <yba at tkos.co.il> wrote:

> Hi Shimi,
> You are suggesting that there is no recourse to DDOS attacks, that
> Israelis are fair game for foreign attacks and it is no one's business
> except for the victim.
>

Hi Jonathan,

Yes, I believe that's the situation. Don't confuse my response with 'what
should be', rather than 'what will happen'.

I'll give you a story - and while this is merely _one_ example, and
while one may not conclude from a single occasion to any other event in
life - I have yet to hear in the media of an opposite case[*] - so I
*suspect* that is the norm.

Here's the story.

As part of both my professional (for pay) and hobby (free) work, I run
servers on the Internet, just like your friend.

Many years ago (almost a decade), someone defaced a site I did the IT for.
He didn't get in by cracking through the OS / webserver stack. It was a
'shelf-product' that ran the site, and that product had bugs. Pretty much
written by a lousy programmer, and there wasn't much to do about that -
code reviewing everything didn't make sense, given the size of this and the
resources we had as a free website (part of the reason the platform was
dumped eventually).

Now, since only the specific application was sabotaged, there weren't
issues of privilege escalations etc, so we had server logs. We found the
relevant entries that caused the crack, learned what the attacker did,
found the relevant Perl code bug, closed it, and then restored a backup.

Funny thing, the IP address of the attacker was one from Netvision's static
pool. To save future headache (assuming the guy would find more bugs), an
iptables (or was it ipchains back then? I don't remember) rule was added to
block this IP. Then, after a 'view' command for iptables - it did the
natural thing and showed the reverse DNS of that IP. Apparently, Netvision
on many occasions set reverse DNS for fixed IPs to the name of the
customer. So I knew who the customer was. It had been a competitor of the
cracked website.

A copy of all the logs, with an explanation of what was done, how it was
done, when, from where, THE IDENTITY OF THE ATTACKER, were all compiled into a
long complaint which was filed with our Israeli Police.

A couple of weeks later, the police sent the site owner a letter, telling
him that the case was closed, due to "the lack of interest by the public".

This is for something that happened completely in Israel, where they had
the suspect handed to them on a plate of silver, and they did nothing.

This is why I wouldn't hold my breath...

[*] Exceptions I have seen were where PR could be generated.

Such as the Trojan Horse story:
http://www.ynet.co.il/home/0,7340,L-3439,00.html

...or when the DoS is directed at the Government or one of its
sub-organizations...

Does your friend's case constitute one of the above?



> The ISP does need to "suffer" in this case, in that the ISP has allowed an
> act of war to be committed through his service. I see little difference
> between this and the cab drivers who transport illegal workers from the
> Palestinian territories to jobs in Israel. We require the drivers to take
> some responsibility for whom they transport.
>
Going to take someone from a forbidden territory is not the same as being
a transparent transit for something. They're not willingly doing that!
Believe me, if there were a "block DDoS" command on every router out
there, EVERYONE would enable it. But this requires effort. Sometimes a lot
of it. Sometimes beyond the capability of the ISP, simply because of the vast
amounts of traffic crossing their links due to that customer. Even if you
drop the traffic at your border, you still wasted international bandwidth
for it, a scarce resource as it is...


> I am suggesting that ISPs be charged with some level of responsibility for
> investigating and reporting these attacks. That's in the national interest.
> I suspect that in the cases of large institutions, even non-governmental
> institutions such as banks, that there is in fact some national response,
> but that this protection is not currently extended to smaller players. If a
> rocket hits your home you get some protection at the national level. If a
> DDOS attack from a hostile government attacks your business, it's not in
> the national interest to provide some level of protection?
>
Do you know a law that tells them they should do so at the discretion of the
customer? If not, there's not much you can do. ISPs live on very low
margins in the hosting business (to the best of my knowledge...) - what
interest do they have in spending their dollars on a customer that just causes
them trouble? (Seems most websites don't get DDoSed... there are reasons
why people get DDoSed...)

Of course, he can go for a court order (maybe through the police). Let's say he
has the IPs of the attackers in China, Arab countries etc etc. What's next?
How will you stop the DDoS? Mind you, the DDoS comes from infected
computers, and you'll NOT find the source anyway. So, the DDoS will
continue, if the attacker so wishes. This problem will not be gone before
the era when the vast majority of computers are secure... and while Microsoft
promised us that with Windows 7... you know, that has not quite had an
effect, it appears.

-- Shimi
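The triage Shimi describes in his story (find the relevant log entries, pull out the client address, add an iptables rule for it, and see what the reverse DNS says) is simple enough to script. The block below is an added example written for this archive page; it is not code from the thread or from any of its participants. It assumes Apache/nginx "combined" access-log lines, uses a directory-traversal sequence in the request target as a stand-in for whatever indicator a real incident shows, and works on constructed sample lines. The address is validated before it is placed in a firewall command, and the PTR lookup is treated as a hint only, since, as the post notes, the ISP decides what reverse DNS says. As Shimi also points out, this per-IP approach fits the single-attacker case in the story, not a botnet-driven DDoS.

```python
"""Access-log triage: find the offending client, emit a block rule, note rDNS.

Added example for the linux-il thread; not the poster's own code. The log
format, the traversal indicator and the sample lines are all assumptions.
"""
import re
import socket
from collections import Counter
from ipaddress import ip_address

# Apache/nginx "combined" log format (assumed; the thread does not name the
# web server). Only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Placeholder indicator: a directory-traversal sequence in the request target.
# In a real incident this is replaced by whatever the attack actually looked like.
SUSPICIOUS = re.compile(r'\.\./')

# Constructed sample lines. 203.0.113.7 (hostile client) and 198.51.100.5
# (normal visitor) are documentation-range addresses, not real hosts.
SAMPLE_LOG = """\
198.51.100.5 - - [26/Jan/2013:20:01:02 +0200] "GET /index.pl HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2013:20:01:10 +0200] "GET /view.pl?page=../../site.conf HTTP/1.1" 200 1024 "-" "curl/7.19"
198.51.100.5 - - [26/Jan/2013:20:02:30 +0200] "GET /about.pl HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2013:20:03:00 +0200] "GET /view.pl?page=../../../admin.pl HTTP/1.1" 500 512 "-" "curl/7.19"
this line is not a valid access-log entry
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_ips(log_text, indicator=SUSPICIOUS):
    """Count, per client IP, the requests whose target matches the indicator."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and indicator.search(entry["target"]):
            hits[entry["ip"]] += 1
    return hits


def iptables_rule(ip):
    """Build the drop rule from the story.

    The address is parsed first, so a string injected into the log (for
    example through a forged client field) can never reach a shell command.
    """
    addr = ip_address(ip)  # raises ValueError for anything that is not an IP
    table = "iptables" if addr.version == 4 else "ip6tables"
    return f"{table} -I INPUT -s {addr} -j DROP"


def reverse_dns(ip):
    """Best-effort PTR lookup; None when there is no record or no network.

    The PTR name is set by whoever controls the address block, so it is an
    attribution hint to put in the complaint, not proof of who sent the traffic.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


if __name__ == "__main__":
    for ip, count in suspicious_ips(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} suspicious request(s); rDNS={reverse_dns(ip)!r}")
        print("  " + iptables_rule(ip))
```

Run against a real log by reading the file into `suspicious_ips` and replacing `SUSPICIOUS` with the indicator from the incident; the printed rule is meant to be reviewed before it is applied, which is also where a rule for a shared or NATed address gets caught before it blocks legitimate users.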