On Sat, Jun 20, 1998 at 02:02:32AM -0700, Hal Murray wrote:
This is why the government needs to get involved and *demand* that the ability exist via a *protocol* for people in a NOC to initiate and follow these traces automatically, without human intervention by the NOCs in the chain.
Would you and other operators be willing to modify peering agreements to include serious fines for running a smurf amplifier or allowing packets with bogus source addresses to enter the system?
It won't happen (try to get that written into one - hah!)
Tracking back bogus source addresses seems hard. Would fines on smurf amplifiers be good enough to fix the smurf problem? Or do we need to catch a smurfer to use as an example?
Preventing bogus source addresses isn't hard. It's not done because people are lazy and don't care about their neighbors - this is a "not in my back yard" problem.
Currently, NOCs don't have much financial interest in tracking down a smurfer.
Actually, some NOCs have a financial incentive to BE amplifiers (consider someone connected on a bit-rate-sensitive billing plan).
Karl's stories of non-cooperation make sense if the NOC is looking at their (short term) bottom line rather than the good of the net.
Yep. Surprise.
Is there a way we can change that?
Bring charges?
I can't quite come up with the right thing to suggest. Everything I think of has too many possibilities for gaming.
I'm fishing for something like each ISP/NSP that works on tracking down a smurfer gets to charge the ISP/NSP closer to the source for the time and costs it spends on the problem, including the costs that get passed to it.
How much effort is involved in tracking a smurfer through each router?
Not a lot, but non-zero. The problem is that you have to catch it while the attack is in process. The REAL solution to this problem is for people to prevent address spoofing on their leaf connections. That is, for leaf connections, if you do not have a route back to the source from which you came, you drop the packet - period. If the LEAF nodes all did this, then the problem would already be gone.
Any router vendors willing to estimate how much it would cost to implement something like Karl's proposed command?
"trace-smurf <forged-victim-address> <amplifier-address>" <return>
Do smurf attacks always happen late at night and on weekends?
No. We just got hit for a few minutes at 9:15 this morning.
Would major NSPs be willing to setup a smurf hotline so trusted smart people, like Karl, could bypass the first several layers of screening and get the data to the right person fast?
That would be a good start.
--
Karl Denninger (karl@MCS.Net) | MCSNet - Serving Chicagoland and Wisconsin | http://www.mcs.net/
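The leaf-connection check described above (drop a packet arriving on a customer link if the route back to its source does not point out that same link) is the ingress filter that stops forged-source packets, and therefore smurf triggers, before they leave the originating network. The following is an added illustration, not code from the thread or from MCSNet; the routing table, interface names and packets are constructed, and the addresses are documentation ranges.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for a hypothetical leaf router:
# prefix -> interface that prefix is reached through. Default route goes upstream.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "cust0"),    # customer A
    (ipaddress.ip_network("198.51.100.0/25"), "cust1"),   # customer B
    (ipaddress.ip_network("0.0.0.0/0"), "upstream0"),     # everything else
]
# Interfaces on which the strict reverse-path check is enforced (the "leaf" links).
LEAF_IFACES = {"cust0", "cust1"}

def lookup(dst: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet addressed *to* dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, ifname in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def reverse_path_ok(src: str, ingress: str) -> bool:
    """Strict reverse-path check for leaf interfaces.

    A packet arriving on a leaf interface is forwarded only if the route back to
    its source address points out that same interface. Packets from non-leaf
    (upstream) interfaces are not checked here: the upstream legitimately carries
    every source, so the check belongs at the edge where the packet originates.
    """
    if ingress not in LEAF_IFACES:
        return True
    return lookup(src) == ingress

def filter_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the check to (src, ingress) pairs; returns (src, ingress, verdict)."""
    return [(src, iface, "forward" if reverse_path_ok(src, iface) else "drop")
            for src, iface in packets]

if __name__ == "__main__":
    # Constructed sample traffic: a legitimate customer packet, a forged-source
    # packet (the kind that triggers a smurf reflection) and one with a
    # neighbouring customer's address, all on cust0, plus upstream traffic.
    sample = [("203.0.113.5", "cust0"), ("192.0.2.10", "cust0"),
              ("198.51.100.7", "cust0"), ("192.0.2.10", "upstream0")]
    for src, iface, verdict in filter_packets(sample):
        print(f"{src:>15} in on {iface:<9} -> {verdict}")
```

Only the packet whose source really belongs to the link it arrived on is forwarded; the two forged ones are dropped at the leaf, which is exactly the point made above about where the fix has to live.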