<div dir="ltr"><div class="gmail_quote">On Sat, Jan 26, 2013 at 8:52 PM, Jonathan Ben Avraham <span dir="ltr"><<a href="mailto:yba@tkos.co.il" target="_blank">yba@tkos.co.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Shimi,<br>
You are suggesting that there is no recourse to DDOS attacks, that Israelis are fair game for foreign attacks and it is no one's business except for the victim.<br></blockquote><div><br>Hi Jonathan,<br><br>Yes, I believe that's the situation. Don't confuse my response with 'what should be', rather than 'what will happen'.<br>
<br>I'll give you some story - and while this is merely _one_ example, and while one may not conclude from a single occasion to any other event in life - I have yet to have heard in the media for an opposite case[*] - so I *suspect* that is the norm.<br>
<br>Here's the story.<br><br>As part of both my professional (for pay) and hobby (free) work, I run servers on the Internet, just like your friend.<br><br>Many years ago (almost a decade), someone defaced a site I did the IT for. He didn't get in by cracking through the OS / webserver stack. It was a 'shelf-product' that ran the site, and that product had bugs. Pretty much written by a lousy programmer, and there wasn't much to do about that - code reviewing everything didn't make sense, given the size of this and the resources we had as a free website (part of the reason the platform was dumped eventually).<br>
<br>Now, since only the specific application was sabotaged, there weren't issues of privilege escalations etc, so we had server logs. We found the relevant entries that caused the crack, learned what the attacker did, found the relevant Perl code bug, closed it, and then restored a backup.<br>
<br>Funny thing, the IP address of the attacker was one from Netvision's static pool. To save future headache (assuming the guy will find more bugs), an iptables (or was it ipchains back then? I don't remember) rule was added to block this IP. Then, after a 'view' command for iptables - it did the natural thing and showed the reverse DNS of that IP. Apparently, Netvision on many occasions set reverse DNS for fixed IPs to the name of the customer. So I knew who was the customer. It had been a competitor of the cracked website.<br>
<br>A copy of all the logs, with an explanation what was done, how it was then, when, from where, THE IDENTITY OF THE ATTACKER, were all compiled to a long complaint which was filed with our Israeli Police.<br><br>A couple of weeks later, the police sent the site owner a letter, telling him that the case is closed, due to "the lack of interest by the public".<br>
<br>This is for something that happened completely in Israel, where they had the suspect handed to them on a plate of silver, and they did nothing.<br><br>This is why I wouldn't hold my breath...<br><br>[*] Exceptions I have seen were PR could be generated. <br>
<br>Such as the Trojan Horse story: <a href="http://www.ynet.co.il/home/0,7340,L-3439,00.html">http://www.ynet.co.il/home/0,7340,L-3439,00.html</a> <br><br>...or when the DoS is directed at the Government or one of its sub-organizations... <br>
<br>Does your friend's case constitute one of the above?<br><br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
The ISP does need to "suffer" in this case, in that the ISP has allowed an act of war to be committed through his service. I see little difference between this and the cab drivers who transport illegal workers from the Palestinian territories to jobs in Israel. We require the drivers to take some responsibility for whom they transport.<br>
<br></blockquote><div><br>Going to take someone from a forbidden territory is not the same like being a transparent transit for something. They're not willingly doing that! Believe me, if there would be a "block DDoS" command on every route out there, EVERYONE would enable it. But this requires effort. Sometimes a lot of it. Sometimes beyond the capability of the ISP, simply because the vast amounts of traffic crossing their links, due to that customer. Even if you drop the traffic at your border, you still wasted International bandwidth for it, a scarce resource as it is...<br>
<br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am suggesting that ISP's be charged with some level responsibility for investigating and reporting these attacks. That's in the national interest. I suspect that in the cases of large institutions, even non-governmental institutions such as banks, that there is in fact some national response, but that this protection is not currently extended to smaller players. If a rocket hit's your home you get some protection at the national level. If a DDOS attack from a hostile government attacks your business, it's not in the national interest to provide some level of protection?<br>
<br><br></blockquote></div><br>Do you know a law that tells them they should do so at a discretion of the customer? If not, there's nothing much you can do. ISPs live on very low margins in the hosting business (for the best of my knowledge...) - what interest do they have to spend their dollars on a customer that just causes them trouble? (Seems most websites don't get DDoSed... there are reasons why people get DDoSed...)<br>
<br>Of course, he can go for a court order (maybe through police). Let's say he has the IPs in China, Arab countries etc etc of the attackers. What's next? How will you stop the DDoS? Mind you, the DDoS comes from infected computers, and you'll NOT find the source anyways. So, the DDoS will continue, if the attacker so wishes. This problem will not be gone before the era that vast majority of computers are secure... and while Microsoft promised us that with Windows 7... you know, that had not quite had an effect, it appears.<br>
<br>-- Shimi<br></div>