Thread: Multi ISP DDOS




Multi ISP DDOS
user name
2006-05-04 19:56:50

At 11:15 AM 5/3/2006, John Levine wrote:
> >Uh. Who let the Frog out?
> >
> >http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology
>
>It's all explained here:
>
>http://weblog.johnlevine.com/2006/05/03


And this just hit wires with quotes from Renesys and SANS ISC.

http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html


-M<

--
Martin Hannigan                                (c) 617-388-2663
Renesys Corporation                            (w) 617-395-8574
Member of Technical Staff                      Network Operations
                                                hanniganrenesys.com

Multi ISP DDOS
user name
2006-05-04 23:16:30

On Thu, 4 May 2006, Martin Hannigan wrote:

> At 11:15 AM 5/3/2006, John Levine wrote:
>> >Uh. Who let the Frog out?
>> >
>> >http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology
>>
>> It's all explained here:
>>
>> http://weblog.johnlevine.com/2006/05/03
>
> And this just hit wires with quotes from Renesys and SANS ISC.
>
> http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html

I hate to be the bearer of bad news to spammers but based on
bluesecurity's tactics I can make a guess about attitude of their
people and it's such that DoS attack on them will only cause them
more determination to continue and I suspect to majority of their
users as well (and publicity is also likely to bring them more users).

Moving the site to TypePad was incorrect way of dealing with attack
though; but it's actually not the first time I've heard of the site
using a blog as temporary page while their primary site is down due
to DoS... - some education on what blogs are good for is in order.
But as it is looks like bluesecurity is moving to prolexic which
claim to deal with just such situations.

-- 
William Leibzon
Elan Networks
williamelan.net
Multi ISP DDOS
user name
2006-05-05 00:21:04
At 07:16 PM 5/4/2006, william(at)elan.net wrote:

>On Thu, 4 May 2006, Martin Hannigan wrote:
>
>>At 11:15 AM 5/3/2006, John Levine wrote:
>>> >Uh. Who let the Frog out?
>>> >
>>> >http://www.wired.com/news/technology/internet/0,70798-0.html?tw=rss.technology
>>>It's all explained here:
>>>http://weblog.johnlevine.com/2006/05/03
>>
>>And this just hit wires with quotes from Renesys and SANS ISC.
>>
>>http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html
>
>I hate to be the bearer of bad news to spammers but based on
>bluesecurity's tactics I can make a guess about attitude of their
>people and it's such that DoS attack on them will only cause them
>more determination to continue and I suspect to majority of their
>users as well (and publicity is also likely to bring them more users).
>
>Moving the site to TypePad was incorrect way of dealing with attack
>though; but it's actually not the first time I've heard of the site
>using a blog as temporary page while their primary site is down due
>to DoS... - some education on what blogs are good for is in order.
>But as it is looks like bluesecurity is moving to prolexic which
>claim to deal with just such situations.


I hate to be the bearer of bad news to BS' VC's, but BS moving their
DNS to UltraDNS and hosting to Prolexic was likely not part of the business
plan. "They ain't cheap". The spammers can now theoretically force them
to spend all time and all their money responding to attacks.

The killer here is that they asked a lot of people a year ago whether this
was a good idea and everyone said no. Read John Levine's blog and pointer to a
few of his previous articles. He wasn't the only person they asked. There's a
WHOLE lot more to this than is public.

Spammers: 2 Blue Security: 0
NANOG: -2 (vigilante time sink)


-M<

--
Martin Hannigan                                (c) 617-388-2663
Renesys Corporation                            (w) 617-395-8574
Member of Technical Staff                      Network Operations
                                                hanniganrenesys.com

Multi ISP DDOS
user name
2006-05-05 00:56:57
On Thu, May 04, 2006 at 08:21:04PM -0400, Martin Hannigan wrote:
> The killer here is that they asked a lot of people a year ago whether this
> was a good idea and everyone said no.

Agreed.

It's just the latest in the series of fiascos that we've seen when
people try to respond to abuse with abuse.  It doesn't work, it's
not going to work, and the most likely outcome of any attempt to
make it work will be yet another illustration of the law of
unintended consequences.  (e.g. Lycos' "MakeLoveNotSPam")

Not to mention that furnishing useful intelligence to the enemy
(which BS does by design) is a poor strategy.

---Rsk
Multi ISP DDOS
user name
2006-05-05 14:55:59

On Thu, 4 May 2006, Martin Hannigan wrote:

>> I hate to be the bearer of bad news to spammers but based on
>> bluesecurity's tactics I can make a guess about attitude of their
>> people and it's such that DoS attack on them will only cause them
>> more determination to continue and I suspect to majority of their users as
>> well (and publicity is also likely to bring them more users).
>>
>> Moving the site to TypePad was incorrect way of dealing with attack
>> though; but it's actually not the first time I've heard of the site
>> using a blog as temporary page while their primary site is down due
>> to DoS... - some education on what blogs are good for is in order.
>> But as it is looks like bluesecurity is moving to prolexic which
>> claim to deal with just such situations.
>
> I hate to be the bearer of bad news to BS' VC's, but BS moving their
> DNS to UltraDNS and hosting to Prolexic was likely not part of the business
> plan. "They ain't cheap". The spammers can now theoretically force them
> to spend all time and all their money responding to attacks.

You know quite well that if they continue dos for too long law-enforcement
would finally get interested... Now I really don't know UDNS and Prolexic
prices but I have a feeling those hosting fees would be far from being
their biggest expense. So I have to disagree with you that is what could
bring them down, though I agree that as usual a lot depends on if their
VCs want all this going - I just don't think hosting fees will be major
reason for such a decision (unless BS self-funded which I doubt).

> The killer here is that they asked a lot of people a year ago whether
> this was a good idea and everyone said no.

Yep and they were all right.

> Spammers: 2 Blue Security: 0
> NANOG: -2 (vigilante time sink)

It's more like:
Spammers: -2  Blue Security: -1  Nanog: 0 (talk is cheap but results are...)

-- 
William Leibzon
Elan Networks
williamelan.net