[ale] flooding problem - an admin perspective

Russell Enderby russell.enderby at arris-i.com
Wed Dec 22 10:09:25 EST 1999


Actually I have dealt with the FBI in the past.  Normally they totally rely
on the expertise of the ISPs to gather the information necessary to do
anything.  If enough information is gathered they will grab the guy but I
do not believe they have internal technical knowledge to help in tracking
down the problem.

You did mention that it should be easy to track down the source IP.
Perhaps I have missed something but how do you track spoofed packets back
to the source without having to contact all the providers along the path of
the attack WHILE the attack is going on (which is NOT easy when it goes out of
the country).  Perhaps I have missed some easy tracing tool you know of.

Russell

-----Original Message-----
From:	Jeff Walters [SMTP:jsw1 at bellsouth.net]
Sent:	Tuesday, December 21, 1999 11:20 PM
To:	ale at ale.org
Subject:	RE: [ale] flooding problem - an admin perspective

Maybe this seems like a naive viewpoint, but could you not get the FBI
involved?  After all, 3 T1's worth of bandwidth in ICMP packets from one
source for a week would seem to be traceable, even with spoofing and
routing tricks to hide the source address.

Once an employee at my company was escorted by the FBI (not local police)
from work to federal prison for sneaking a company laptop out (with proprietary
information on it) and selling it at a pawn shop.  Seems they would also be
interested in this, and could fairly easily track down the source ISP for
these packets.

On Tue, 21 Dec 1999, you wrote:
> -----Original Message-----
> From:	jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
> Sent:	Tuesday, December 21, 1999 10:19 AM
> To:	Russell Enderby
> Cc:	'ale at ale.org'; 'firewall-wizards at nfr.net'
> Subject:	Re: [ale] flooding problem - an admin perspective
>
>
> 1) How are they flooding you?  Are they flooding all the IPs you got?  Or
> just one?
> If they flood just one IP, you can call your upstream provider and tell
> em to block that IP out of their routers (If they say they can't do it, let me
> know, I'll call em and they will do it).
>
> Just one IP.  But we don't want to block the IP, then real users cannot use
> the box.  Even if it was temporary we have bandwidth sensitive folks who
> can't stand to be down 10 mins.
>
> 2) Wait and see, they will eventually stop.
>
> However this may not solve your problem; to solve it, it would be best if
> you went on IRC and actually talked with the person he/she has pissed off.
>
> Or you can deface their webpage as it is a group of some sort that is
> doing this.
> But this can get messy down the road, tried it once, trust me.
>
> I think option 1 would be your bet.
>
> This is no good.  They were running for like a week straight using more
> than three T1's of bandwidth to hammer on us with.  It was not a pretty
> sight.
>
> Thanks for your input.
> Russell
>
>
> Russell Enderby wrote:
>
> > Background:  You are an admin for an ISP who still runs shell services
> > (i.e. eggdrops, etc).  One of the eggdrops peeves off someone on the IRC
> > network, who decides to take serious revenge on that user's eggdrop by ping
> > flooding the box.
> >
> > The ping flood they decide on is problematic; they run multiple attacks
> > from multiple providers through China so backtracing is very difficult if
> > not impossible with the source IP being spoofed.
> >
> > You are running firewall rules with ipfwadm to block ICMP messages but
> > it takes down your upstream provider's pipe to you since they have their
> > bandwidth at 80% capacity.
> >
> > What would you do?  Try to bandwidth limit flood attacks somehow
> > without hindering other communications somewhere upstream?  Upstream providers
> > WILL NOT put ICMP filters in place for you so bandwidth is still consumed if
> > you have firewalls in place.
> >
> > Just don't deal with the hassle and tell your shell customers to take a
> > hike while just leaving the problem out there, a real threat to anyone's
> > network if they 'irritate' any joe blow on the internet?
> >
> > This is a problem that is difficult to solve and anyone's input on
> > this would be greatly appreciated.
> >
> > Sincerely,
> > Russell Enderby
> >
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in
> > message body.
>
--
Message of the Message:
You can't hold a man down without staying down with him.
		-- Booker T. Washington
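Added illustration, not code from the ALE list or from any poster in this thread: the pattern Russell describes (ICMP from many spoofed sources, all landing on one shell box, eating several T1's worth of the upstream pipe) can be recognised without trusting the source addresses at all, by aggregating per destination instead of per source. The flow-record format, the sample records, the addresses (RFC 5737 documentation ranges) and the thresholds below are all constructed for this example.

```python
"""Spot an ICMP flood against a host from flow-style records.

Input format (constructed for this example, not any real collector's):
    "<epoch_seconds> <src_ip> <dst_ip> <proto> <bytes>"
Aggregation is per destination, so spoofed source addresses do not
matter: the victim box and the ICMP share of its traffic are what count.
"""
from collections import defaultdict

T1_BPS = 1_544_000  # one T1 link, bits per second

# Constructed sample: a 10-second window with eight distinct ICMP sources
# hammering 192.0.2.10 (each seen exactly once, as spoofed floods look),
# plus ordinary TCP traffic to two hosts and one harmless ping.
SAMPLE_FLOWS = """\
945870000 198.51.100.1 192.0.2.10 icmp 600000
945870001 198.51.100.2 192.0.2.10 icmp 600000
945870002 203.0.113.7 192.0.2.10 icmp 600000
945870003 203.0.113.9 192.0.2.10 icmp 600000
945870004 198.51.100.33 192.0.2.10 icmp 600000
945870005 203.0.113.120 192.0.2.10 icmp 600000
945870006 198.51.100.200 192.0.2.10 icmp 600000
945870007 203.0.113.250 192.0.2.10 icmp 600000
945870002 198.51.100.50 192.0.2.10 tcp 100000
945870008 198.51.100.51 192.0.2.10 tcp 100000
945870003 198.51.100.60 192.0.2.20 tcp 50000
945870005 198.51.100.61 192.0.2.20 icmp 1000
"""


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, proto, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "bytes": int(nbytes)}


def parse_flows(text):
    """Parse a block of records, skipping blank lines."""
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def per_destination_stats(flows, window_s):
    """Per destination: total bps, ICMP bps, ICMP share, distinct ICMP sources."""
    acc = defaultdict(lambda: {"total_bits": 0, "icmp_bits": 0, "icmp_srcs": set()})
    for f in flows:
        s = acc[f["dst"]]
        bits = f["bytes"] * 8
        s["total_bits"] += bits
        if f["proto"] == "icmp":
            s["icmp_bits"] += bits
            s["icmp_srcs"].add(f["src"])
    stats = {}
    for dst, s in acc.items():
        stats[dst] = {
            "total_bps": s["total_bits"] / window_s,
            "icmp_bps": s["icmp_bits"] / window_s,
            "icmp_share": s["icmp_bits"] / s["total_bits"],
            "icmp_sources": len(s["icmp_srcs"]),
        }
    return stats


def detect_icmp_floods(flows, window_s, min_icmp_bps=T1_BPS / 10, min_share=0.5):
    """Return one alert per destination whose ICMP load is both large in
    absolute terms (default: a tenth of a T1) and dominant relative to the
    host's other traffic.  Thresholds are constructed defaults, not tuned."""
    alerts = []
    for dst, s in per_destination_stats(flows, window_s).items():
        if s["icmp_bps"] >= min_icmp_bps and s["icmp_share"] >= min_share:
            alerts.append({
                "dst": dst,
                "icmp_bps": s["icmp_bps"],
                "icmp_share": round(s["icmp_share"], 3),
                # how many T1 links the ICMP alone would fill
                "t1_equivalents": round(s["icmp_bps"] / T1_BPS, 2),
                "icmp_sources": s["icmp_sources"],
                # many distinct sources within one short window is the
                # spoofed-source signature; a real ping comes from few hosts
                "likely_spoofed": s["icmp_sources"] >= 5,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_floods(parse_flows(SAMPLE_FLOWS), window_s=10):
        print(alert)
```

On the sample window the box 192.0.2.10 shows 3.84 Mbps of ICMP (about 2.5 T1's) making up 96% of its traffic from eight never-repeating sources, while 192.0.2.20's single small ping stays below both thresholds. The point for the thread is that the destination-side numbers (ICMP bps against link capacity) are what an upstream needs in order to justify a filter or rate limit, and they do not depend on being able to trace the spoofed sources.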
