> On Mon, 8 Jul 1996, George Eddy wrote:
> > yes, forging a ping attack is pretty easy and can be done from anywhere with any source address (of course, who knows where the responses will end up), the routing proximity is irrelevant, since the source is not looked at (unless filters have been put in place, such as what the upstream provider has apparently done).
> > the only way _I can think of_ in tracking it down, would be to backtrack the possible paths into the router. either by sniffing the possible lines coming into router, or by temporarily disabling icmp echo reqs. from all but one incoming line, until you've found the offending line, continuing back.
> > of course this may be impossible in many cases since you probably don't have access to the equipment (or cooperation) outside of your domain.
> OK. So what if somebody is currently planning a ping battle on the global Internet, kind of like corewars in the network. Then what? Do the NSP's all roll over and play dead?
> If I were to crosspost this reply to alt.2600 it wouldn't take long to happen you know. BTW, I won't be crossposting it there, but you get the idea, security by obscurity, etc...
I'm quite certain that tons of people know about these kinds of attacks and how to implement them (as well as defend against them). alt.2600 can't possibly be so far behind the times as to not know about forging headers and the possibilities, regardless of whether or not it's ICMP traffic we're talking about. Denial of service attacks are very old in theory and in practice. This is not a security by obscurity issue at all.
> Is anyone working on tools to help NSP's quickly backtrack this kind of thing?
The problem is not really a technical one. It's administrative. It's much more of a headache to backtrack through 30 routers that aren't in your own network than to backtrack to the ingress to your own network domain and filter it out there (which is the typical response to this kind of thing). Getting everyone in the path to cooperate with backtracking is difficult in many instances, impossible in others. And that doesn't even take into account the cases where an attacker has multiple paths into your network and is using multiple forged source addresses, much less the fact that the attacker can turn off the attack when he/she chooses, thwarting your effort to track them. Typically a denial of service attack is used to leverage an attack on something more interesting than just pure denial of service. So the denial of service often stops once the attacker has managed to get access to what he/she was really looking for (which is not usually something as uninteresting as ICMP echo requests or attempts to consume a lot of resources with such traffic; there are often better means of making someone's leased line and host machines be consumed than sending ICMP messages).

Daniel
~~~~~~
On Mon, 8 Jul 1996, Daniel W. McRobb wrote:
> The problem is not really a technical one. It's administrative. It's much more of a headache to backtrack through 30 routers that aren't in your own network than to backtrack to the ingress to your own network domain and filter it out there (which is the typical response to this kind of thing). Getting everyone in the path to cooperate with backtracking is difficult in many instances, impossible in others.
I recall that people have cooperated in the past on some sort of performance analysis tool that transported packets through a tunnel to some remote point and initiated an analysis of some sort from that point. I believe this was done by NLANR and had something to do with vBNS. I don't think this is all that different. If some means existed for an NSP to initiate a trace on a specific source address to backtrack it to the real source then an easy to use tool could be built. Of course, first of all router vendors need to make a quick and relatively painless way to track down the interface that a packet comes in from, maybe

    set icmp-source-trace 148.32.45.67 on

and later....

    show icmp-source-trace
    IP address      Interface
    ----------      ---------
    148.32.45.67    NO TRACE

Note that the source trace was active for a period of time and then expired automatically with no new ICMP packets bearing the specified source address in that period of time. If this facility is available an easy to use tool could be built.
> that doesn't even take into account the cases where an attacker has multiple paths into your network and is using multiple forged source addresses, much less the fact that the attacker can turn off the attack when he/she chooses, thwarting your effort to track them.
No doubt about it. Being a detective is hard boring plodding work and sometimes you just never find the crook. But it's still worth trying.

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com
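The two defensive responses the thread discusses, as an added example (not code from the thread, from NANOG, or from any router vendor): Daniel's "filter it out at the ingress to your own domain" and Michael's hypothetical "icmp-source-trace" table that records the ingress interface of echo requests bearing a traced source address and expires to "NO TRACE" when nothing matching has been seen for a while. The packet records, interface names, the 192.0.2.0/24 prefix, the 60-second expiry and the function names are all constructed for this example; the traced address 148.32.45.67 is the one from Michael's sketch, and the set/show names are his hypothetical ones, not a real CLI.

```python
# Added example, not from the thread: models (1) the hypothetical
# "icmp-source-trace" feature with automatic expiry and (2) an ingress
# filter at the edge of one's own domain. Topology and packets are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float          # seconds on a constructed timeline
    ingress: str       # interface the packet arrived on (what the operator needs)
    src: str           # source address as written in the header (may be forged)
    dst: str
    proto: str         # "icmp-echo-request", "tcp", "udp", ...


@dataclass
class SourceTrace:
    """Per-source trace table: remembers the ingress interface of the most
    recent ICMP echo request carrying a traced source address."""
    expiry_seconds: float = 60.0   # assumed value; the thread names no period
    traced: Dict[str, Optional[Tuple[str, float]]] = field(default_factory=dict)

    def set_trace(self, src: str) -> None:
        # "set icmp-source-trace <addr> on": arm the trace with no hit yet
        self.traced[src] = None

    def observe(self, pkt: Packet) -> None:
        # Only ICMP echo requests from an armed source are recorded.
        if pkt.proto == "icmp-echo-request" and pkt.src in self.traced:
            self.traced[pkt.src] = (pkt.ingress, pkt.ts)

    def show(self, now: float) -> Dict[str, str]:
        # "show icmp-source-trace": last-hit interface, or NO TRACE once the
        # trace has expired without a matching packet.
        result: Dict[str, str] = {}
        for src, hit in self.traced.items():
            if hit is None or now - hit[1] > self.expiry_seconds:
                result[src] = "NO TRACE"
            else:
                result[src] = hit[0]
        return result


def is_forged_source(pkt: Packet, internal_prefixes: List[IPv4Network],
                     internal_ifaces: List[str]) -> bool:
    """Edge filter: a packet from an upstream link claiming a source inside
    our own prefix, or from an inside link claiming an outside source, cannot
    be genuine and is dropped at the ingress."""
    src = ip_address(pkt.src)
    claims_internal = any(src in net for net in internal_prefixes)
    from_inside = pkt.ingress in internal_ifaces
    return claims_internal != from_inside


def filter_at_ingress(packets: List[Packet], internal_prefixes: List[IPv4Network],
                      internal_ifaces: List[str]) -> Tuple[List[Packet], List[Packet]]:
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (dropped if is_forged_source(pkt, internal_prefixes, internal_ifaces)
         else accepted).append(pkt)
    return accepted, dropped


def format_show(table: Dict[str, str]) -> str:
    # Renders the table in the shape the thread sketches.
    lines = ["IP address       Interface", "----------       ---------"]
    lines += [f"{src:<16} {iface}" for src, iface in table.items()]
    return "\n".join(lines)


def run_demo() -> Dict[str, object]:
    # Constructed topology: ether0 faces our own 192.0.2.0/24; serial0 and
    # serial1 are upstream links. All packets below are constructed.
    internal_prefixes = [ip_network("192.0.2.0/24")]
    internal_ifaces = ["ether0"]
    packets = [
        Packet(1.0, "serial1", "148.32.45.67", "192.0.2.5", "icmp-echo-request"),
        Packet(2.0, "serial0", "192.0.2.10", "192.0.2.5", "icmp-echo-request"),  # inside source on an outside link: forged
        Packet(3.0, "serial0", "148.32.45.67", "192.0.2.5", "tcp"),              # not an echo request: ignored by the trace
        Packet(4.0, "ether0", "192.0.2.20", "203.0.113.9", "udp"),               # legitimate outbound traffic
    ]
    trace = SourceTrace(expiry_seconds=60.0)
    trace.set_trace("148.32.45.67")
    accepted, dropped = filter_at_ingress(packets, internal_prefixes, internal_ifaces)
    for pkt in accepted:
        trace.observe(pkt)
    return {
        "trace_at_10": trace.show(now=10.0),     # {"148.32.45.67": "serial1"}
        "trace_at_100": trace.show(now=100.0),   # {"148.32.45.67": "NO TRACE"}
        "dropped_sources": [p.src for p in dropped],   # ["192.0.2.10"]
    }


if __name__ == "__main__":
    res = run_demo()
    print("show icmp-source-trace (t=10):\n" + format_show(res["trace_at_10"]))
    print("show icmp-source-trace (t=100):\n" + format_show(res["trace_at_100"]))
    print("dropped at ingress:", res["dropped_sources"])
```

The point the thread makes survives in the model: the trace keys on the ingress interface, not the header source, because the source is exactly what the attacker controls; and the expiry turns an abandoned attack into "NO TRACE" rather than a stale answer. The filter handles only what the edge can prove locally (a source that cannot legitimately arrive on that link); anything further back still needs the cooperation of the upstream networks Daniel describes.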