Claudio Jeker wrote: [..]
So it would be interesting how Swisscom would solve this challenge in the future.
What about the other ISPs? This is a global issue. Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
[short version of below story: join NSP-SEC, keep your own network clean, cooperate with other ISPs, that is what SWINOG is for ;) ]
Although it is always fun to blame M$, you are forgetting that little fact that a large amount of the working DDoS bots that are actually effective in contributing to large amounts of DDoS traffic are hosted in nice fat datacenters with fat pipes and are generally of the nice LAMP persuasion with Wordpress, PHPBB and various other oh so vulnerable software. Really, blaming M$ is far from correct.
All software is vulnerable in one way or another, be it commercial, be it "open source" (whatever flavor of that might mean). You can make fun so many times of those who have a large installed base, but anything which is installed widely will get enough attention by people that they will find a vulnerability.
The real answer to all of that is simply that when a vulnerability is known, people actually update their software (or otherwise mitigate the problem), and that is a really big problem as there are too many people on the net who don't know about these issues, don't care, or because of some weird policy can't update their software. As such there will always be vulnerable software, and as long as there is profit in finding these hosts, exploiting them and then abusing them, there will be botnets.
There is no real solution here. Microsoft is actually doing their best by forcing Windows Update, and even allowing it for pirated windows editions. That thus partially solves the Windows part, but not fully.
You of course don't need a vulnerability, just get the (stupid) user to execute something "Look, cool movie of X, just click here and start it" or "Please upgrade this and this!!! click here!" and voila, you have owned the box, it does not matter so much which operating system, as long as one provides the correct binary. One generally also does not care about having "root" or Administrator permissions, just being able to act as a normal user, pulling 1 page per 5 seconds of a host, multiply by the 1.000.000 bots you have et voila, DDoS is done.
Only thing ISPs can do is try and mitigate DDoS attacks.
Hosting providers can try to limit the amount of address space that they can be attacked from, as they did in this case. But of course, smart DDoSers will just attack the infrastructure upstream or in a similar path as that site....
As such, the only thing that can be truly done is at the Access providers, which is where you will have hundreds and actually tens of thousands. Just like BCP38, which a lot of them don't implement yet, this is not easy to resolve as everybody has to do it and a lot won't.
One of the few solutions would be data sharing amongst ISPs and proper abuse notification and handling, but again you are talking about hundreds of thousands of ISPs.
I guess the only true way of solving it would be to have a 'trusted internet', aka one where only 'trusted' ISPs are connected to. Then the moment you get DDoSed, disable the peerings to the non-trusted ones. You'll then have the trusted ones left, which you hopefully have a working relationship with and with whom you can resolve any DDoS attacking hosts (but that will be difficult if they only request X 'normal looking' requests from you, because you then can't distinguish them from normal clients...)
Of course this 'trusted' does not work for one reason: money. If you cut off the non-trusted ISPs and those contain a big amount of eye-balls for you, then forget about it. Oh and not to forget this other thing called 'freedom on the Internet'.
This trusted-scheme might work on a country-level though. In a country like Switzerland, or The Netherlands, most of the players in the ISP field pretty much know each other. This list represents SWINOG, which contains most Swiss ISPs, maybe it is time to setup something so that at least the Swiss ISPs have a proper abuse handling system. That way, when one of the Swiss ISPs gets threatened for a site they have, the threat can be restricted to hosts in Switzerland: attackers can only be inside the country and so can eyeballs (which is what for some media-forms one would need anyway). Of course, the people who count the money won't like this, as the eyeballs might be abroad too and the moment that you are allowing 1 site to be seen globally there is an attack vector for that ISP, and yes the attackers will figure out how to get to you if you have that... as such we'll need to have it globally at one point for it to become truly effective. NSP-SEC is probably the first step to take for most ISPs, if you are there, then other steps will follow in due time...
Greets, Jeroen
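As an added illustration of the BCP38 ingress filtering Jeroen mentions above (this is editorial example code, not part of the original post or of any ISP's configuration): the access provider knows which prefixes it delegated to each customer port, so any packet arriving on that port with a source address outside those prefixes cannot be legitimate and is dropped before it can join a spoofed flood. Port names, prefixes (all from the IETF documentation ranges) and the packet list are constructed for the example.

```python
"""BCP38 / source-address validation at an access provider's customer edge.

Constructed example: port names, delegated prefixes and sample packets are
made up for illustration and use documentation address ranges only.
"""
import ipaddress
from collections import Counter

# Which prefixes were delegated to each customer-facing port (constructed).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/25"],
    "ge-0/0/2": ["192.0.2.128/26", "2001:db8:10::/48"],
}


def build_filter(config):
    """Parse the per-port prefix lists once so the per-packet check is cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in config.items()}


def classify(filter_table, port, src):
    """Return 'forward' or a 'drop:<reason>' verdict for one packet's source."""
    prefixes = filter_table.get(port)
    if prefixes is None:
        # Fail closed: a port with no known delegation must not source traffic.
        return "drop:unknown-port"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed-source"
    # 'in' is False across IPv4/IPv6, so a v6 source never matches a v4 prefix.
    if any(addr in net for net in prefixes):
        return "forward"
    return "drop:spoofed-source"


def filter_packets(filter_table, packets):
    """packets: iterable of (ingress_port, src, dst) tuples.

    Returns the packets that pass and a Counter of drop reasons, which is the
    kind of counter an operator would graph to see how much spoofing a port emits.
    """
    forwarded = []
    drops = Counter()
    for port, src, dst in packets:
        verdict = classify(filter_table, port, src)
        if verdict == "forward":
            forwarded.append((port, src, dst))
        else:
            drops[verdict] += 1
    return forwarded, drops


# Constructed sample traffic: (ingress port, source, destination).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5"),        # own prefix: forward
    ("ge-0/0/1", "198.51.100.7", "203.0.113.5"),      # foreign source: spoofed
    ("ge-0/0/2", "192.0.2.150", "203.0.113.5"),       # own prefix: forward
    ("ge-0/0/2", "2001:db8:10::1", "2001:db8:ffff::1"),  # own v6 prefix: forward
    ("ge-0/0/2", "2001:db8:20::1", "2001:db8:ffff::1"),  # other v6 prefix: spoofed
    ("ge-0/0/2", "192.0.2.10", "203.0.113.5"),        # neighbour's prefix: spoofed
    ("ge-0/0/9", "192.0.2.10", "203.0.113.5"),        # unconfigured port: dropped
]


def run_example():
    table = build_filter(CUSTOMER_PREFIXES)
    return filter_packets(table, SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, drops = run_example()
    print(f"forwarded {len(fwd)} packets")
    for reason, count in sorted(drops.items()):
        print(f"{reason}: {count}")
```

The interesting defender-side detail is the fail-closed handling of an unknown port and the version mismatch: both are cases where a naive "is the source in my routing table" check would happily forward the packet. On real routers the same policy is expressed as strict unicast RPF or a per-interface ACL, with the drop counters exported to monitoring.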