[ale] flooding problem - a admin perspective

Christopher Hamilton chrish at turlyming.com
Wed Dec 22 08:50:24 EST 1999


Having personal experience with the FBI in recent weeks, I can tell you:

They will do little more than file your report unless (a) confidential
information was stolen, modified or deleted or (b) a denial of service was
so great, the ISP or company involved lost business.

If you've answered "Yes" to (a) or (b), call. Otherwise, you may try other
legal channels.

> -----Original Message-----
> From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of Jeff
> Walters
> Sent: Tuesday, December 21, 1999 11:20 PM
> To: ale at ale.org
> Subject: RE: [ale] flooding problem - a admin perspective
>
>
> Maybe this seems like a naive viewpoint, but could you not get the FBI
> involved?  After all, 3 T1's worth of bandwidth in ICMP packets from one
> source for a week would seem to be traceable, even with spoofing and routing
> tricks to hide the source address.
>
> Once an employee at my company was escorted by the FBI (not local police) from
> work to federal prison for sneaking a company laptop out (with proprietary
> information on it) and selling it at a pawn shop.  Seems they would also be
> interested in this, and could fairly easily track down the source ISP for these
> packets.
>
> On Tue, 21 Dec 1999, you wrote:
> > -----Original Message-----
> > From:	jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
> > Sent:	Tuesday, December 21, 1999 10:19 AM
> > To:	Russell Enderby
> > Cc:	'ale at ale.org'; 'firewall-wizards at nfr.net'
> > Subject:	Re: [ale] flooding problem - a admin perspective
> >
> >
> > 1) How are they flooding you? Are they flooding all the IPs you got? Or
> > just one?
> > If they flood just one IP, you can call your upstream provider and tell em
> > to block that IP out of their routers (If they say they can't do it, let me
> > know I'll call em and they will do it).
> >
> > Just one IP.  But we don't want to block the IP then real users cannot use
> > the box.  Even if it was temporary we have bandwidth sensitive folks who
> > can't stand to be down 10 mins.
> >
> > 2) Wait and see, they will eventually stop.
> >
> > However this may not solve your problem, to solve it, would be best if you
> > went on IRC and actually talked with the person he/she has pissed.
> >
> > Or you can deface their webpage as it is a group of some sort that is doing
> > this.
> > But this can get messy down the road, tried it once, trust me.
> >
> > I think option 1 would be your bet.
> >
> > This is no good.  They were running for like a week straight using more
> > than three T1's of bandwidth to hammer on us with.  It was not a pretty
> > sight.
> >
> > Thanks for your input.
> > Russell
> >
> >
> > Russell Enderby wrote:
> >
> > > Background:  You are an admin for an ISP who still runs shell services (ie-
> > > eggdrops, etc).  One of the eggdrops peeves off someone on the IRC network
> > > and decides to take serious revenge on that user's eggdrop by ping flooding
> > > the box.
> > >
> > > The ping flood they decide is problematic, they run multiple attacks from
> > > multiple providers through China so backtracing is very difficult if not
> > > impossible with the source IP being spoofed.
> > >
> > > You are running firewall rules with ipfwadm to block ICMP messages but it
> > > takes down your upstream provider's pipe to you since they have their
> > > bandwidth at 80% capacity.
> > >
> > > What would you do?  Try to bandwidth limit flood attacks somehow without
> > > hindering other communications somewhere upstream?  Upstream providers WILL
> > > NOT put ICMP filters in place for you so bandwidth is still consumed if you
> > > have firewalls in place.
> > >
> > > Just don't deal with the hassle and tell your shell customers to take a hike
> > > while just leaving the problem out there a real threat to anyone's network
> > > if they 'irritate' any joe blow on the internet?
> > >
> > > This problem is a problem that is difficult to solve and anyone's input on
> > > this would be greatly appreciated.
> > >
> > > Sincerely,
> > > Russell Enderby
> > >
> > > --
> > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
> > > body.
> >
> --
> Message of the Message:
> You can't hold a man down without staying down with him.
> 		-- Booker T. Washington
