On Mon, 8 Jul 1996, Daniel W. McRobb wrote:
The problem is not really a technical one. It's administrative. It's much more of a headache to backtrack through 30 routers that aren't in your own network than to backtrack to the ingress to your own network domain and filter it out there (which is the typical response to this kind of thing). Getting everyone in the path to cooperate with backtracking is difficult in many instances, impossible in others.
I recall that people have cooperated in the past on some sort of performance analysis tool that transported packets through a tunnel to some remote point and initiated an analysis of some sort from that point I believe this was done by NLANR and had something to do with vBNS.
I don't think this is all that different. If some means existed for an NSP to initiate a trace on a specific source address to backtrack it to the real source then an easy to use tool could be built. Of course, first of all router vendors need to make a quick and relatively painless way to track down the interface that a packet comes in from, maybe
There will likely never be a means for a single NSP to track down the real source of spoofed packets using IPv4. Service providers won't be letting other service providers track spoofed packets through their network.
set icmp-source-trace 148.32.45.67 on
and later....
show icmp-source-trace
IP address Interface ---------- --------- 148.32.45.67 NO TRACE
Note that the source trace was active for a period of time and then expired automatically with no new ICMP packets bearing the specified source address in that period of time. If this facility is available an easy to use tool could be built.
In the case of a spoofed-source, denial of service attack, the source address is often of less use than the destination address/port/protocol in tracking down the real source. The attacker just switches the source address and walks right through your trace (or filters). Don't get me wrong; I think packet sniffing capabilities (even in their simplest forms) can be very useful and I wish there were more facilities in typical routers for tracking traffic via IP header information.
that doesn't even take into account the cases where an attacker has multiple paths into your network and is using multiple forged source addresses, much less the fact that the attacker can turn off the attack when he/she chooses, thwarting your effort to track them.
No doubt about it. Being a detective is hard boring plodding work and sometimes you just never find the crook. But it's still worth trying.
Define worth. I live in a capitalist society where catching a criminal is of little worth (particularly an ICMP bomber who's arguably not much worse than a USENET spammer) in it's own right and often only worthwhile if there's monetary compensation involved (either from a legal settlement, reward or just recovery of service and time spent fixing things that are broken by an attacker). :-) Daniel ~~~~~~