On Sat, Dec 27, 1997 at 11:10:55PM -0500, Ken Leland wrote:
Karl wrote:
However, if a forged-source data stream IS traced to one of your customers, expect a harsh response from the general network community. This attack is well-enough known by now that I consider anyone unable to immediately and permanently deal with such an incident to be somewhere beneath contempt.
Well, it is going to take more education and pain, apparently. I've got 3 national backbones upstream and they all have a hell of a time just getting icmp-echo-reply filters in within hours of attack onset, and usually get nowhere with tracing this to an end perp. Granted, it's a difficult, cooperative problem.
One of the better respected of them told me that their philosophy was to deliver all packets to me regardless of the source/type. This corker is the type of logic one can apparently come up with when one's routers at Pennsauken are near fall-over. This upstream did install the filter, after escalation, fortunately.
You don't want to filter ICMPs. What you want to filter is ANYTHING which came from an invalid source address *at your entrance* from your customer connections. Now, for backbone<>backbone connections, this is impossible - granted. But for end-user<>backbone connections, it is not only not impossible, it is virtually a REQUIREMENT.
a problem where backbones have to choose between expensive filtering of ICMP-echo-replies for very long periods of time or allowing customer connections to be randomly swamped (rendered useless) for hours by bored 13 year olds, from virtually anywhere on the net. The latter is of, essentially, zero economic value to us, at least.
Well, yes.
The current cost of per link filtering is apparently causing the backbone networks major grief.
That's because people are doing it on the packet TYPE. If you filter on the source *address*, at the ingress point to your network, it causes much less pain.
This problem is disrupting the service of every ISP in our region on a frequent basis and it is getting worse week by week.
Yes.
A sometimes-seen tendency to suggest that only a few ISPs with problem-attracting users are affected by this does not recognize the breadth or depth of the problem, nor where it is heading.
Ken Leland Monmouth Internet
Correct. The fix is to deny inbound traffic from any connection which has an invalid source address. You *KNOW* what the valid addresses are if you connect someone - if I give someone 205.164.6.0/24, then anything with a source address outside of that /24 is INVALID by definition and I should refuse to accept it. This is NOT difficult to do, nor is it expensive. Until it becomes a standard part of end-user connections this problem is going to remain extremely difficult to trace.

--
Karl Denninger (karl@MCS.Net)   | MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/             | T1's from $600 monthly to FULL DS-3 Service
                                | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]   | EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]        | *SPAMBLOCK* Technology now included at no cost
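The source-address ingress rule Karl describes (accept a packet from a customer link only if its source lies inside the space assigned to that customer), as an added example that is not part of the original thread or either poster's configuration. It puts that rule side by side with the packet-type rule the backbones were installing (drop every ICMP echo-reply) and runs both over constructed sample packets. The customer prefix 205.164.6.0/24 is the one from the message; the Packet class, the sample addresses and the rendering as classic Cisco IOS access-list lines are assumptions made here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as seen on the customer ingress port (assumed shape)."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # 0 = echo-reply, 8 = echo-request


# The /24 from the message: the only space the edge router has assigned to this link.
CUSTOMER_PREFIXES = [ipaddress.ip_network("205.164.6.0/24")]


def ingress_allowed(pkt: Packet, customer_prefixes) -> bool:
    """Source-address ingress rule: accept from the customer link only when the
    source address lies inside a prefix assigned to that customer."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in customer_prefixes)


def echo_reply_filter_allowed(pkt: Packet) -> bool:
    """Packet-type rule the backbones were installing: drop every ICMP
    echo-reply, no matter where it came from."""
    return not (pkt.proto == "icmp" and pkt.icmp_type == 0)


def ingress_acl_lines(customer_prefixes, acl_number: int = 101) -> List[str]:
    """Render the source-address rule as classic Cisco IOS access-list lines
    (wildcard mask = host mask). The IOS syntax is assumed as the edge router's."""
    lines = [
        f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any"
        for net in customer_prefixes
    ]
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


# Constructed sample traffic arriving on the customer port (not real captures).
SAMPLE_PACKETS = [
    Packet("205.164.6.10", "192.0.2.80", "tcp"),          # ordinary customer traffic
    Packet("203.0.113.9", "198.51.100.255", "icmp", 8),   # spoofed echo-request to a broadcast address (smurf trigger)
    Packet("205.164.6.20", "192.0.2.80", "icmp", 0),      # legitimate echo-reply from a customer host
    Packet("203.0.113.9", "192.0.2.80", "tcp"),           # spoofed TCP from an address never assigned here
]


def classify(packets, customer_prefixes) -> List[Tuple[bool, bool]]:
    """For each packet: (passes source-address ingress filter, passes echo-reply filter)."""
    return [(ingress_allowed(p, customer_prefixes), echo_reply_filter_allowed(p))
            for p in packets]


if __name__ == "__main__":
    for pkt, (by_src, by_type) in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS, CUSTOMER_PREFIXES)):
        print(f"{pkt.src:>14} -> {pkt.dst:<16} {pkt.proto:<4} "
              f"ingress={'pass' if by_src else 'DROP'} "
              f"echo-reply-filter={'pass' if by_type else 'DROP'}")
    print("\n".join(ingress_acl_lines(CUSTOMER_PREFIXES)))
```

On the constructed traffic the echo-reply filter passes both spoofed packets and drops the one legitimate echo-reply, while the source-address rule does the reverse, which is the point Karl is making. The rule only works where the assigned space is known, i.e. on end-user<>backbone links; a customer holding several prefixes (or a downstream ISP) needs every prefix it legitimately originates in the permit list, or its own traffic is dropped.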