nanog mailing list archives
Re: DDOS solution recommendation
From: Joel Maslak <jmaslak () antelope net>
Date: Sun, 11 Jan 2015 11:09:20 -0700
On Sun, Jan 11, 2015 at 6:46 AM, Mike Hammett <nanog () ics-il net> wrote:
> You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, etc. You have more than say 5 bad login attempts to my mail server in 5 minutes, blackholed for 30 days. You're trying to access various web pages known for home router or Wordpress exploitation, blackholed for 30 days.
I urge caution in building automatic systems to respond to network abuse, lest you have unanticipated consequences.

How are you tracing the source for DNS UDP, NTP UDP, etc., requests? Or TCP SYNs? If you say source address in the packet, you might not be doing what you think you're doing. Or for that matter HTTP accesses. Without giving too much discussion, let me point out:

1) You can forge a victim's IP and send packets to a honeypot (or indeed the entire IPv4 internet if you want). You may not want to assume "I see a packet with this claimed source being sent to X, so it must be a bad guy and I should block it."

2) Web crawlers will follow links from Bad Guy's Site to your website, even if these links might match an IDS signature on your end. You may not want to block some search engine crawlers.

3) Legitimate recursive DNS servers can be made to connect to any IP address a bad guy wants them to connect to. You may not want to block some ISP's recursive DNS servers.

There are good things to do automatically, but make sure you think them through.

I used to do click fraud detection 15 years ago - when that was still a new field and we all were inventing our own ways of doing it. I was amazed at the number of ways a bad guy could do an HTTP request from millions of source IPs (hint: they weren't spoofed). I suspect it hasn't gotten better.

The internet isn't able to be broken because the people building and running it are idiots. It's able to be broken because breaking things has always been far easier than building them. It takes much more intelligence, skill, and expertise to build a glass window than to throw a brick through one.
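The three failure modes in the reply above (forged source addresses, crawlers following hostile links, recursive resolvers steered at your honeypot), worked through as an added example that is not part of the original message. It runs the quoted "hit my honeypot, blackholed for 30 days" rule and a more cautious rule over a constructed flow log; the honeypot prefix, the allowlisted resolver and crawler addresses, the flow-state labels and the threshold of three completed connections are all assumptions for the illustration, not anything the thread states.

```python
"""Added example (not from the original post): a tiny auto-blackhole engine run
over constructed flow records, contrasting the quoted rule ("a packet hit my
honeypot, blackhole its source") with one that only acts on evidence that a
blind source-address forger cannot produce."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# All addresses below are RFC 5737 documentation ranges; the roles assigned to
# them are assumptions for this example, not anything stated in the thread.
HONEYPOT_NET = ipaddress.ip_network("198.51.100.0/28")
NEVER_BLOCK = {
    ipaddress.ip_address("198.51.100.53"),  # assumed: an ISP's recursive resolver
    ipaddress.ip_address("192.0.2.200"),    # assumed: a search-engine crawler
}
BLOCK_FOR = timedelta(days=30)       # the 30-day quarantine from the quoted rule
ESTABLISHED_THRESHOLD = 3            # assumed: completed connections before acting
NOW = datetime(2015, 1, 11, 11, 9)   # fixed clock so the example is reproducible


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp" or "udp"
    src: ipaddress.IPv4Address  # the *claimed* source address
    dst: ipaddress.IPv4Address
    dport: int
    state: str                  # "UDP", "SYN_ONLY" or "ESTABLISHED" (assumed labels)


# Constructed flow log (not real traffic). 203.0.113.7 is a victim whose address
# an attacker forges in UDP and SYN packets aimed at the honeypot; 192.0.2.44
# really completes TCP handshakes with it; the resolver and crawler show up too.
SAMPLE_LOG = """\
udp 203.0.113.7   198.51.100.10 53  UDP
udp 203.0.113.7   198.51.100.10 123 UDP
tcp 203.0.113.7   198.51.100.10 22  SYN_ONLY
tcp 192.0.2.44    198.51.100.10 22  ESTABLISHED
tcp 192.0.2.44    198.51.100.10 80  ESTABLISHED
tcp 192.0.2.44    198.51.100.11 443 ESTABLISHED
udp 198.51.100.53 198.51.100.10 53  UDP
tcp 192.0.2.200   198.51.100.11 80  ESTABLISHED
tcp 192.0.2.200   198.51.100.11 80  ESTABLISHED
tcp 192.0.2.200   198.51.100.11 80  ESTABLISHED
"""


def parse_flows(text):
    """Parse the whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport, state = line.split()
        flows.append(Flow(proto, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), state))
    return flows


def naive_blackhole(flows, now=NOW):
    """The quoted rule: any packet that reaches a honeypot address gets its
    claimed source blackholed for 30 days. It trusts the source field blindly,
    so forged packets let an attacker choose who gets blocked."""
    return {f.src: now + BLOCK_FOR for f in flows if f.dst in HONEYPOT_NET}


def cautious_blackhole(flows, now=NOW):
    """Act only on a completed TCP handshake (the peer had to receive our
    SYN-ACK, which a blind spoofer does not), repeated at least
    ESTABLISHED_THRESHOLD times, from an address not on the allowlist.
    UDP and bare SYNs are ignored because their source is unverifiable."""
    hits = Counter(f.src for f in flows
                   if f.dst in HONEYPOT_NET and f.proto == "tcp"
                   and f.state == "ESTABLISHED")
    return {src: now + BLOCK_FOR for src, n in hits.items()
            if n >= ESTABLISHED_THRESHOLD and src not in NEVER_BLOCK}


def is_blocked(blocked, addr, at):
    """Expiry check, so a 30-day entry really ages out of the blackhole table."""
    expiry = blocked.get(ipaddress.ip_address(addr))
    return expiry is not None and at < expiry


def blocked_addresses(blocked):
    """Sorted string form of the blackhole table, for display and checks."""
    return sorted(str(a) for a in blocked)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("naive:   ", blocked_addresses(naive_blackhole(flows)))
    print("cautious:", blocked_addresses(cautious_blackhole(flows)))
```

With the constructed log, the naive rule blackholes the forged victim, the ISP resolver and the crawler along with the one host that actually connected; the cautious rule blocks only that host. A completed handshake is still only evidence, not proof: an on-path attacker or a successful sequence-number guess can fake it, so the threshold, the allowlist and the expiry are what keep a mistake bounded rather than permanent.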