Re: [Exim] fwd fr NANOG: monkeys.dom UPL being DDOSed to dea…

Author: Jerry Bell
Date:  
To: Michael Coxe, exim-users
Subject: Re: [Exim] fwd fr NANOG: monkeys.dom UPL being DDOSed to death
That is bad news. Having been in this situation more than a few times, I
can give some general advice on how to handle DDoS attacks.
Calling law enforcement is all well and good, but it will do absolutely
nothing to help stop the problem. The best place to start is with your ISP.
If you use a tier 2 or 3 bandwidth provider, it will most likely need to be
escalated up to the tier 1 provider at some point. The ISP can do a few
things - block traffic from a certain address range or to a certain range of
ports from coming down your circuit and trace traffic flows to their ingress
points at the ISP's network. Generally, you can get this kind of response
by calling the normal help line, telling them you are under attack and need
to work with their security group.

If the ISP is able to track down the ingress point and the ISP of the
origination of the traffic cooperates as well, you may be able to find the
source(s) of the traffic and have a legal avenue at that point. It would
be best to talk to an attorney about what information they would want to
have in order to proceed.

There's really no easy way to stop a DDoS. My personal take on this
situation is that by tying an RBL to a domain, say relays.osirusoft.com,
that domain is setting itself up for an attack. I would think a more
cooperative, non-domain-dependent RBL would be more resistant to these
attacks. Some RBLs already distribute zone files via rsync - I think
taking a step further would be good. Remove references to the domain from
the zone file as well as SOA and whatnot, transfer the deltas to that file
normally, and have that file included in a skeleton zone file on end user
name servers. The downside to this is that there is no name recognition for
the origin of the RBL.

At that point, distribution of the zone files via rsync could be very
distributed. Zone files could even potentially be merged from multiple
different RBLs into one zone.

Anyhow, that's my crazy thought for the day.

Jerry
----- Original Message -----
From: "Michael Coxe" <michael@???>
To: <exim-users@???>
Sent: Tuesday, September 23, 2003 8:40 PM
Subject: [Exim] fwd fr NANOG: monkeys.dom UPL being DDOSed to death


FYI, I've seen them listed on dnslists posted here.

- michael


[Mimedefang] monkeys.dom UPL being DDOSed to death
Jon R. Kibler mimedefang@???
Tue Sep 23 14:15:01 2003

Greetings to all:

I have some really sad news. I just got off the telephone with Ron
Guilmette who runs the monkeys.com Unsecured Proxies List DNSBL. I hate to
say it, but monkeys.com has been killed. It has been DDOSed to death.

Ron says that every aspect of his network is undergoing a massive DDOS
attack from thousands of IPs -- apparently many/all spoofed. He has tried
to get law enforcement to investigate, but to no avail. He indicated that
this is probably the end of his service.

This makes two DNSBLs that have been DDOSed to death recently. Which one
is next? NJABL? ORDB?

The computer security industry really needs to figure out how to get law
enforcement to take these attacks seriously. It would only take a few good
prosecutions to put an end to these types of attacks. Any
thoughts/suggestions?

This is really a dark day for those of us fighting spam. It looks like the
spammers have won a BIG battle. The only question now is who will be the
next casualty in this war?

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC USA

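Jerry's suggestion above (rsync a domain-free data file, wrap it in a local skeleton zone, and optionally merge several RBLs into one zone) as an added, runnable example. This is editor-supplied illustration code, not tooling from Exim, monkeys.com or any RBL; the feed names, the sample addresses (RFC 5737 documentation ranges), the skeleton SOA/NS values and the per-feed 127.0.0.N return codes are all constructed assumptions.

```python
"""Build one local DNSBL zone from domain-independent, rsync-style data files.

Hypothetical example code; feed contents, zone name and return codes are
made up for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample feeds standing in for files pulled down with rsync.
# They carry only addresses and an optional free-text reason: no SOA, NS
# or domain names, so the same file can be included under any zone name.
RBL_FEEDS: Dict[str, str] = {
    "proxies": (
        "# open proxies, one per line\n"
        "192.0.2.10 open SOCKS proxy\n"
        "192.0.2.11\n"
        "198.51.100.7 HTTP CONNECT proxy\n"
    ),
    "relays": (
        "# open relays\n"
        "203.0.113.5 open relay\n"
        "192.0.2.10 open relay\n"
        "not-an-ip garbage line that must be ignored\n"
    ),
}

# Local skeleton that wraps the data; relative names keep it origin-neutral,
# so the end-user name server picks the zone name, not the feed publisher.
SKELETON = (
    "$ORIGIN {origin}.\n"
    "$TTL 300\n"
    "@ IN SOA ns1 hostmaster {serial} 3600 900 604800 300\n"
    "@ IN NS ns1\n"
    "ns1 IN A 127.0.0.1\n"
)


def parse_feed(text: str) -> Dict[str, str]:
    """Return {ip: reason} for one feed, dropping comments and invalid lines."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, reason = line.partition(" ")
        try:
            ip = ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            continue  # one bad line in a feed must not break the whole zone
        entries[str(ip)] = reason.strip()
    return entries


def reverse_label(ip: str) -> str:
    """DNSBL lookups use the octets in reverse order: 192.0.2.10 -> 10.2.0.192."""
    return ".".join(reversed(ip.split(".")))


def merge_feeds(feeds: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Merge feeds into {ip: [(feed, return_code, reason), ...]}.

    Each feed gets its own 127.0.0.N return code (N = 2, 3, ...), so a client
    can still tell which list an address came from even though the feeds no
    longer carry a domain of their own.
    """
    codes = {name: f"127.0.0.{i + 2}" for i, name in enumerate(feeds)}
    merged: Dict[str, List[Tuple[str, str, str]]] = {}
    for name, text in feeds.items():
        for ip, reason in parse_feed(text).items():
            merged.setdefault(ip, []).append((name, codes[name], reason))
    return merged


def render_zone(origin: str, feeds: Dict[str, str], serial: int) -> str:
    """Emit the skeleton plus one A record per feed hit and a TXT per reason."""
    merged = merge_feeds(feeds)
    lines = [SKELETON.format(origin=origin, serial=serial).rstrip("\n")]
    for ip in sorted(merged, key=ipaddress.IPv4Address):
        label = reverse_label(ip)
        for name, code, reason in merged[ip]:
            lines.append(f"{label} IN A {code}")
            txt = f"{name}: {reason}" if reason else name
            lines.append(f'{label} IN TXT "{txt}"')
    return "\n".join(lines) + "\n"


def lookup(feeds: Dict[str, str], ip: str) -> List[str]:
    """The A records a resolver would get back for ip under the merged zone."""
    return [code for _, code, _ in merge_feeds(feeds).get(ip, [])]


if __name__ == "__main__":
    print(render_zone("dnsbl.example", RBL_FEEDS, 2003092301))
```

Because the feed files contain no domain at all, there is nothing in them for an attacker to target by name; each site names the zone itself, and a TXT record per feed is what preserves the origin information Jerry notes would otherwise be lost.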
--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##