NEWS: AT&T Blocking Part of 4chan, Then Restores Access



Note: this is the discussion thread for this article

Yoda117



Joined: 11 Sep 2005
Posts: 406
Posted: Wed Jul 29, 2009 7:33 am
Calculusman wrote:

I know how the internet works.


Apparently not. This is a textbook IH response for an ISP when dealing with this kind of attack.

Quote:
AT&T is just being lazy by blocking the target of a DDoS attack, to say nothing about it creating an incentive for people to create even more devastating DDoS attacks since they know that ISPs might cut access to the site altogether if they do, doing their work for them.


Not quite. From one of the network engineers:

There has been a lot of customers on our network who were complaining about ACK scan reports coming from 207.126.64.181. We had no choice but to block that single IP until the attacks let up.

The originating IP that they were detecting was the 4chan address. Probably a DDoS designed as a prank that could be attributed to 4chan, or someone with more than the average script kiddy mentality who managed to get the server at that address to do the work for them (I doubt this given the response from 4chan). This is a common tactic of more organized "black hats" and has been highly successful in the past (particularly against online gambling sites as part of cyber-extortion schemes, though it's been about a year or so since I last saw this strategy employed since it was a progenitor to organized/coordinated botnet DDoS attacks).

Odds are it was a pack of folks (or a semi-intelligent individual who gained access to multiple systems) using a script kiddy tool, with 4chan's IP listed as the source IP address in the header of the IP packet.

Quote:
And the fact that they blocked the friggen site. Doing that for any reason (other than blatant illegal behavior by the site being blocked) is a bad precedent, and even then I'm iffy about it.


If it's blatantly illegal, then it's illegal and that's the end of it (though illegal for folks in what country? Might not be illegal everywhere).

As for the rest, if I've got a high traffic network appliance that's getting a large amount of unusual traffic, I'm going to observe what's going on. If it's a known type of attack and my network appliance or server will be negatively affected by it, then I don't care about restricting access to the originating IP that's listed in the packet. If folks can't get to the site using my network, that's their problem and the smart ones can find another route. What I do care about is letting the admin on the other end (i.e., from either the server that the originating IP represents or the network that IP is assigned to) know what's going on (they often don't realize that this traffic is tied to their IP) and to make sure that my network or server remains available to the majority of my users.

That's what they did. It's page one in the Incident Handling manual, and from the sounds of it, the admin at 4chan knew that the attacks were using the IP for one of the servers there (so he was cool with it as a temporary measure).

No censorship, no great conspiracy.

On the side, there was an incident about three years back where an unnamed anime distributor's systems were compromised and proceeded to be part of a DDoS attack against a pharma company. The admins didn't realize anything was wrong until they got a call from the FBI. Good auditing and incident handling may not contribute directly to the bottom line, but spending the $ on it is better than having your servers confiscated as part of an investigation.

/made for a great story at an Infragard meeting out in LA.
Yoda117



Joined: 11 Sep 2005
Posts: 406
Posted: Wed Jul 29, 2009 7:40 am
Mad_Scientist wrote:

Yah, but I think some people do have a point, which is that if DDoS attacks can cause IPs to start blocking access to a site, it could encourage people to do them even more. After all, that means that even if your attack fails to bring the site itself down, you've still blocked access to it.

The potential for this to be more than just a one time event is somewhat unpleasant.


Believe it or not, this is an old strategy (and an effective one). It's part of some DoS and DDoS attacks because the folks doing it know that most places will react by denying ALL access through their network to the offending IP, and not just denying traffic from the originating IP address.

For some folks, ACL rules are too difficult to waste the time on, so it's easier to just deny all, especially if you don't expect to have to enforce it for a long period of time (which is what seems to be the case here).
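
The difference drawn in the two posts above, between denying all access to an address and dropping only the unsolicited packets that carry it as their source, shown as an added example that is not part of the thread. It is a simplified connection-tracking filter run over constructed packets; the 192.0.2.x customer addresses, the ports and the function names are assumptions, and only 207.126.64.181 comes from the engineer's statement quoted above.

```python
from collections import namedtuple

# Constructed sample traffic. 207.126.64.181 is the address quoted in the
# thread; the 192.0.2.x customer addresses and all ports are made up.
REPORTED_IP = "207.126.64.181"
Pkt = namedtuple("Pkt", "src sport dst dport flags")

TRAFFIC = [
    Pkt("192.0.2.10", 40001, REPORTED_IP, 80, "S"),    # customer opens a session
    Pkt(REPORTED_IP, 80, "192.0.2.10", 40001, "SA"),   # genuine reply
    Pkt("192.0.2.10", 40001, REPORTED_IP, 80, "A"),    # customer completes handshake
    Pkt(REPORTED_IP, 80, "192.0.2.10", 40001, "A"),    # genuine data/ACK
    Pkt(REPORTED_IP, 80, "192.0.2.20", 51515, "A"),    # unsolicited ACK
    Pkt(REPORTED_IP, 80, "192.0.2.30", 62000, "A"),    # unsolicited ACK
    Pkt(REPORTED_IP, 80, "192.0.2.10", 40999, "A"),    # known host, unknown port
]


def blanket_block(packets, blocked=REPORTED_IP):
    """Deny everything to or from the address (the 'deny all' shortcut)."""
    return ["drop" if blocked in (p.src, p.dst) else "pass" for p in packets]


def stateful_acl(packets, watched=REPORTED_IP):
    """Pass packets from the watched address only when they belong to a
    connection a customer opened first; drop stray ones."""
    flows, verdicts = set(), []
    for p in packets:
        if p.src != watched:
            # Customer-originated: remember the flow when it starts with a SYN.
            if p.dst == watched and p.flags == "S":
                flows.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append("pass")
        else:
            # Claimed source is the watched address: require a matching flow.
            known = (p.dst, p.dport, p.src, p.sport) in flows
            verdicts.append("pass" if known else "drop")
    return verdicts


def summary(verdicts):
    return {v: verdicts.count(v) for v in ("pass", "drop")}


if __name__ == "__main__":
    for name, policy in (("blanket", blanket_block), ("stateful", stateful_acl)):
        print(name, summary(policy(TRAFFIC)))
```

The blanket rule drops the customer's own session along with the stray ACKs, while the flow-matching rule keeps that session and drops only packets with no connection behind them; a production firewall would also track sequence numbers and timeouts.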
FlamingPinecone



Joined: 22 Nov 2005
Posts: 131
Posted: Wed Jul 29, 2009 6:01 pm
Calculusman wrote:
Doing that for any reason (other than blatant illegal behavior by the site being blocked) is a bad precedent, and even then I'm iffy about it.


DoS attacks are illegal.

AT&T did bring access back ASAP. Now if they had left it blocked THEN I might suspect some censorship reason is involved, but sadly 4chan was dicking around with code and got blocked. And AT&T weren't the only ones affected.

YO WHERE IS MY TIN FOIL HAT CONSPIRACY!



fawhooosh!
All times are GMT - 5 Hours