On Tue, Jun 16, 1998 at 12:58:12PM -0700, Curt Howland wrote:
> Karl,
> *You* may wish to make your life more convenient by bringing government force into your relationship with other network providers, why by what divine right do you get to impose your convenience on others by force?
Uh, I am imposing that same force on myself, if the "bad guys" are on my network and someone needs help from us. What I'm doing is asking for the government to start holding people accountable for attractive nuisances, including vendors of equipment who do nothing about traceability of this kind of attack.
> Just go ahead and filter the offenders. When their customers cannot reach your services, or their server customers get contacted by your customers about the policies of their ISP, either they will change their policies or they will lose customers.
> It is MUCH more effective to guide business policies by the lure of money than by the gun. Each and every network service I have worked for has, once the benefits of cooperation were pointed out to them, changed their tune.
Look:

1. There is zero excuse for people allowing non-verified traffic in from dial ports. Zero. It's a trivial filter to implement on any RAS box on the market today, including some VERY old ones. If you filter only to the level of what COULD be legal (ie: the pool addresses on the device) that's good enough - it stops the spoofed denial of service attacks. Further, there is no bandwidth or CPU consumption argument on these connections which can be made. This is pure LAZINESS and nothing more - period. This also applies to the cable modem people, the ADSL people, etc. The only thing in the way of doing this on dedicated lines is reasonable automation (since people on dedicated lines might have their own address space, etc). MOST large ISPs do NO verification on inbound dial packet streams.

2. There is even less than zero excuse for a "fuck you" response from a NOC when you call them with a denial of service issue. Yet this is what we, all too often, get, along with a refusal to transfer to a manager and in some cases, a refusal to give the employee's NAME! The first thing these guys want is a customer ID; don't have one, go straight to hell. This happens ALL the time. In fact, it happens so often that it's basically a waste of time to attempt to try to trace an active Smurf today, because the big guys WILL stonewall you.

3. Many of these providers sell "burstable" circuits. They CHARGE MORE to customers when they are abused as smurf amplifiers. Thus, there is a hell of an incentive NOT to do anything about the problem, as bits are bits when it comes to this issue. Now if you bitch they'll remove the charge I'm sure, but how many people won't catch it, especially on DS1s and frac T3s?

4. CISCO and other vendors have NOT stepped up to the plate with an EASY protocol-based way to trace these things. The bottom line is that the users haven't demanded it because it's a "not in my back yard" type of problem, and the people whose back yard it IS in (and who are spending the most money with CISCO and friends) are not motivated to fix it.

5. It is the smaller provider and customer who gets hurt by this. We can survive 99% of all smurf attempts without damage. Our T1 downstream customers? They're screwed. A T1-connected ISP? They're screwed as well. We don't get flooded off the network when it happens, which is why a "bounce at the border" strategy works for us. IT DOES NOT WORK FOR OUR CUSTOMERS, AS ONCE IT GETS TO THEM THE LINE IS CONSUMED AND TOSSING THE TRAFFIC IS POINTLESS!

6. Since you need significant bandwidth to BE a good smurf amplifier, guess who makes the "best" ones? Big ISPs' internal infrastructure points, and fat-pipe (ie: DS3+) connected organizations. The DS1 connected guy is a poor smurf source, since you need a lot of them in concert to hurt significant ISPs badly these days.

--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
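An added example, not from this thread or from either poster: a Cisco IOS-style configuration showing the "filter inbound dial traffic to the pool addresses" rule from point 1 beside the directed-broadcast setting that decides whether a LAN segment can serve as a smurf amplifier. Interface names (Ethernet0, Group-Async1), the pool name and the 192.0.2.0/24 addressing are constructed assumptions.

```cisco
! Added example (not from this thread). Addresses and interface names are constructed.
! Dial pool handed to Group-Async1 customers: 192.0.2.129 - 192.0.2.254 (inside 192.0.2.128/25).
ip local pool DIALPOOL 192.0.2.129 192.0.2.254
!
! --- Weak: the posture point 1 complains about ---
! No inbound check, so a dial customer can emit packets with any source address,
! and the LAN interface turns packets to 192.0.2.255 into a broadcast (amplifier).
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface Group-Async1
 ip unnumbered Ethernet0
 peer default ip address pool DIALPOOL
!
! --- Hardened: accept only what COULD be legal from dial ports ---
! Sources inside the pool prefix pass; anything else is dropped and logged,
! which is also where spoofing attempts from your own customers become visible.
access-list 101 permit ip 192.0.2.128 0.0.0.127 any
access-list 101 deny   ip any any log
!
interface Group-Async1
 ip access-group 101 in
!
! Refuse to be an amplifier: do not expand echo requests addressed to the
! subnet broadcast. Older IOS releases forwarded directed broadcasts by default.
interface Ethernet0
 no ip directed-broadcast
!
! Check: "show access-lists 101" - a climbing deny counter means a dial customer
! is sourcing spoofed packets; "show ip interface Ethernet0" should report
! "Directed broadcast forwarding is disabled".
```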