ISP-specific Issues

• Networks with close proximity to high-volume backbones and large population of vulnerable hosts make good agent sites
• Networks with extremely weak/thin system administration (e.g., K12s, small ISPs, small businesses & non-profits, home users) make good handler or session/communication relay sites
• Attackers using high-volume and inadequately monitored servers (e.g., DNS or web) as handlers to hide activity
• Coordination and cooperation between networks is ESSENTIAL for diagnosis, tracing, and control of distributed attacks
• AUPs need to be adequately defined and enforced ("no charge" ISPs will likely be a growing problem as attackers hide there)
• May incur liability for resulting economic damage
• Response depends on role in DoS attack (see also the ISP section of the Results of the Distributed-Systems Intruder Tools Workshop)
  • Attacking Source/Handler Networks
    • Do RFC 2267 filtering (e.g., filter outgoing spoofed source addresses and directed broadcast packets)
    • Be prepared to identify attacking agents and stop packet flows
    • Be prepared to trace packets to/from handlers to identify attackers and agents
  • Intermediary (Transit) Networks
    • Be prepared to trace flows from egress back to ingress points
    • Identify source and target networks and coordinate with them in response and forensics
  • Victim (Aggregation Point) Networks
    • Be prepared for 100% bandwidth consumption (i.e., have alternate voice/data communication paths established)
    • Be prepared for heavy media attention ("XYZ.net attacked: 80% of Regional Web Surfers High and Dry")
    • Sites hosting IRC servers, or provocative IRC users, are prime targets

[End] | [Prev]