ISP's fault? (Score:4, Insightful)
When will the ISPs start getting off their respective behinds and start doing something about this? With the broadband ISPs' subnets accounting for so much of the destructive power of these DDoS attacks, they have a responsibility to at least attempt to ameliorate their impact.
It's not hard to set up simple routing rules to at least curb some of these attacks. Hell, a lot of ISPs still even route spoofed IP packets out of their networks - this is nowhere near acceptable. Realistically, there is no real application for a constant stream of ICMP traffic coming from a single node - there should at least be a maximum allocatable bandwidth for ICMP set at the ISP's gateway. Obviously UDP- and TCP-based floods are more difficult to manage, but throttling ICMP-based floods would be a step in the right direction.
All this is IMHO, of course - users have a responsibility to secure their machines, obviously, but it's going to be a hell of a lot easier to secure a few gateways and routers than a million home PCs.
Re:ISP's fault? (Score:2, Insightful)
http://slashdot.org/comments.pl?sid=51243&thres
And go *(&( yourself.
Re:ISP's fault? (Score:3, Insightful)
Never, I hope. When nimda was going around, my DSL provider blocked port 80 and never unblocked it - and it's what, a year later now? That's resulted in my being unable to access my home computer from a variety of kiosks, etc., that don't allow selecting alternate ports.
If the ISPs do anything, they should be setting up rules that catch probes from live worms and then disconnect the specific lines from which they originated.
Re:ISP's fault? (Score:2)
The issue isn't blocking ports, but egress filtering. If you know the source address of the attack, you can get your upstream to drop those packets for you, but if the attacker is spoofing his or her IP address (or having his or her slave machines spoof their IP addresses) then this isn't any use since the originating IP could change every minute.
Implementing proper egress filtering would ensure that ISPs don't route packets that have source addresses that are obviously spoofed (and hence probably are), so DoSes would be manageable. But they don't bother with correct egress filtering because that would require hardware upgrades to support the added load the routers would have to be carrying, hence they don't.
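The two rules discussed in this thread (dropping packets whose source address is not one the ISP assigned to a customer, and capping ICMP per source at the gateway) as an added, simplified model; this is example code, not anything from the thread or any router vendor, and the customer prefixes, the rate limit and the sample traffic are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed: prefixes this ISP has assigned to its own customers. A packet
# leaving the network with a source outside them cannot have originated here,
# so it is dropped (BCP38-style egress filtering).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed: forward at most this many ICMP packets per source per window.
ICMP_LIMIT_PER_WINDOW = 5
WINDOW_SECONDS = 1.0


def source_is_legitimate(src):
    """True if src falls inside a prefix this ISP assigned to a customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES)


class IcmpRateLimiter:
    """Per-source sliding-window ICMP limiter (hypothetical stand-in for a router rate limit)."""

    def __init__(self, limit=ICMP_LIMIT_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(list)  # src -> timestamps of recently forwarded ICMP

    def allow(self, src, now):
        recent = [t for t in self.seen[src] if now - t < self.window]
        if len(recent) < self.limit:
            recent.append(now)
        self.seen[src] = recent
        return recent[-1] == now if recent else False


def filter_egress(packets):
    """Apply both rules to (timestamp, src, proto) tuples; return (forwarded, spoofed, throttled)."""
    limiter = IcmpRateLimiter()
    forwarded, spoofed, throttled = [], [], []
    for ts, src, proto in packets:
        if not source_is_legitimate(src):
            spoofed.append((ts, src, proto))
        elif proto == "icmp" and not limiter.allow(src, ts):
            throttled.append((ts, src, proto))
        else:
            forwarded.append((ts, src, proto))
    return forwarded, spoofed, throttled


# Constructed sample traffic: one customer host floods ICMP, one packet carries
# a source address that was never assigned to any customer.
SAMPLE_PACKETS = (
    [(i * 0.1, "203.0.113.10", "icmp") for i in range(8)]
    + [(0.5, "192.0.2.77", "udp"), (0.6, "198.51.100.5", "tcp")]
)

if __name__ == "__main__":
    fwd, spoof, thr = filter_egress(SAMPLE_PACKETS)
    print(len(fwd), "forwarded;", len(spoof), "spoofed dropped;", len(thr), "ICMP throttled")
```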
Re:ISP's fault? (Score:2)
That would help against the attacks that can be pulled off using spoofed source addresses, but I'd guess that's a minority.
In any case, why would someone conducting a DDoS care if the source addresses were spoofed? It's not their address being used, it's their patsies'.
Re:ISP's fault? (Score:1)
The problem is that this is not very effective for large carriers with huge lists of cross-connects to others because of dynamic routing.
It is much easier (and is done) at the level of NASes and gateways to customers.