In message <0aa101c40707$eebc2650$dbc21e43@Somi>, "Joshua Brady" writes:
http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
Comments?
The phrase "seriously bad idea" comes to mind. Other phrases include "illegal", "collateral damage", and "stupid". --Steve Bellovin, http://www.research.att.com/~smb
I actually thought that this was some kind of April Fools' Day joke a few weeks early. Anyone who buys this should be shot on principle.... Wait... First I have a bridge to sell them. At 05:55 PM 3/10/2004, Steven M. Bellovin wrote:
In message <0aa101c40707$eebc2650$dbc21e43@Somi>, "Joshua Brady" writes:
http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
Comments?
The phrase "seriously bad idea" comes to mind. Other phrases include "illegal", "collateral damage", and "stupid".
--Steve Bellovin, http://www.research.att.com/~smb
-tdawson -tdawson@sprintlabs.com
On Wed, 10 Mar 2004, Steven M. Bellovin wrote:
In message <0aa101c40707$eebc2650$dbc21e43@Somi>, "Joshua Brady" writes:
http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
Comments?
The phrase "seriously bad idea" comes to mind. Other phrases include "illegal", "collateral damage", and "stupid".
Any publicity is good publicity. They haven't actually explained or shown what their product does. Just a bunch of puffery to get the press to write about them. In the 1990s another company announced their new security product, "Sidewinder: The firewall that strikes back!", at the National Computer Security Conference in Baltimore. Sidewinder used lots of information warfare quotes from Winn Schwartau and ex-military types staffing their sales suite. I wouldn't be surprised if, when they finally reveal their product, it is a lot less than the hype. Right now it's a bit like a movie where the studio won't give the critics an advance screening but has a big advertising budget. Usually that is a sign of a stinker.
I remember the Sidewinder. They had a huge marketing campaign aimed at convincing the customer that their firewalls were impenetrable. Their firewalls didn't sell all that well, and those that did sell proved to be a colossal failure. I still have a deck of 'Sidewinder' playing cards from COMDEX. (Sorry for being off topic, just thought that was funny and brought back some nostalgia) Greg Sean Donelan wrote:
On Wed, 10 Mar 2004, Steven M. Bellovin wrote:
In message <0aa101c40707$eebc2650$dbc21e43@Somi>, "Joshua Brady" writes:
http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
Comments?
The phrase "seriously bad idea" comes to mind. Other phrases include "illegal", "collateral damage", and "stupid".
Any publicity is good publicity.
They haven't actually explained or shown what their product does. Just a bunch of puffery to get the press to write about them.
In the 1990s another company announced their new security product, "Sidewinder: The firewall that strikes back!", at the National Computer Security Conference in Baltimore. Sidewinder used lots of information warfare quotes from Winn Schwartau and ex-military types staffing their sales suite.
I wouldn't be surprised if, when they finally reveal their product, it is a lot less than the hype. Right now it's a bit like a movie where the studio won't give the critics an advance screening but has a big advertising budget. Usually that is a sign of a stinker.
After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprits themselves, thus pouring gasoline all over an already blazing inferno. This product is a bad, bad idea and anyone who invests money into it should slap themselves very hard with a metal gauntlet for being so gullible. Greg
In message <0aa101c40707$eebc2650$dbc21e43@Somi>, "Joshua Brady" writes:
http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
Comments?
On Wed, 10 Mar 2004, Gregory Taylor wrote:
After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprits themselves, thus pouring gasoline all over an already blazing inferno.
On the other hand, they could become immensely popular, reaching the critical mass when one of them detects what is interpreted as an attack from a network protected by another. Grab the popcorn and watch as they all bludgeon each other to death. :-) -- Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net WestNet: Connecting you to the planet. 805 884-6323 WB6RDV NetLojix Communications, Inc. - http://www.netlojix.com/
Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall, it'll create a nuclear-fission-sized chain reaction of looping Denial of Service attacks that would probably bring most major backbone providers to their knees. (Popcorn's in the microwave as I speak) Greg Jay Hennigan wrote:
On Wed, 10 Mar 2004, Gregory Taylor wrote:
After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprits themselves, thus pouring gasoline all over an already blazing inferno.
On the other hand, they could become immensely popular, reaching the critical mass when one of them detects what is interpreted as an attack from a network protected by another. Grab the popcorn and watch as they all bludgeon each other to death. :-)
Gregory Taylor wrote:
Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall, it'll create a nuclear-fission-sized chain reaction of looping Denial of Service attacks that would probably bring most major backbone providers to their knees.
Fortunately people with less clue usually have less bandwidth. Obviously there are exceptions. I would expect to see localized tragedies if something like this got deployed, but predicting the death of the internet is clueless. Pete
On Thu, 11 Mar 2004, Petri Helenius wrote:
Gregory Taylor wrote:
Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall, it'll create a nuclear-fission-sized chain reaction of looping Denial of Service attacks that would probably bring most major backbone providers to their knees.
Fortunately people with less clue usually have less bandwidth. Obviously there are exceptions. I would expect to see localized tragedies if something like this got deployed, but predicting the death of the internet is clueless.
Don't be so sure that people with no clue don't have bandwidth; large companies with enormous resources sometimes end up with really clueless people at the top and similarly clueless network techs. But the reality is it does not matter. Even five years ago, DoS attacks were already usually distributed, coming mostly from compromised servers. Now, thanks to Microsoft's constantly buggy software and the large deployment of broadband, it's so easy for script kiddies and the like to get hold of computers to be used for such purposes (but at least our unix servers don't get hacked as much...). And I really hate this kind of script-kiddie attitude that if you strike me, I'll strike you back even harder - revenge by the same means is not the answer (and in many cases it's not revenge; they just want to show themselves off as being more daring than the last guy). But then again, since in the US most people support the death penalty and the government itself did not care how many innocent Afghans died when they were doing their own revenge, then what are we expecting from the company execs - they might well buy this crap strike-back-with-a-vengeance firewall. I do hope that, if it were to happen, it'll quickly become clear that this is totally illegal and both Symbiot and those who bought it will end up in court and bankrupt, and that will establish a good precedent for the future. But as I mentioned in a thread last week and as Sean Donelan mentioned today too - all this looks a lot like publicity hype in the making for a probably crappy product (but not crappy in the way that it'll actually force its users to break the law). We have about 20 days to wait before it's released, so let's just wait and see how bad it really is. --- William Leibzon Elan Networks william@elan.net
Fortunately people with less clue usually have less bandwidth.
Don't be so sure that people with no clue don't have bandwidth; large companies with enormous resources sometimes end up with really clueless people at the top and similarly clueless network techs.
Most universities have a large clueless... um, I mean, student population sitting on 10 or 100 meg switched ports and several hundred megs to the Internet.... Eric :)
Eric Gauthier wrote:
Most universities have a large clueless... um, I mean, student population sitting on 10 or 100 meg switched ports and several hundred megs to the Internet....
You misspelled "faculty, researcher, and staff populations". Today's students (as well as non-trivial portions of the other populations) tend to be purpose and objective focused, with what the folks on the 19th tee being somewhat less important. -- Requiescas in pace o email
Fortunately people with less clue usually have less bandwidth. Obviously there are exceptions. I would expect to see localized tragedies if something like this got deployed, but predicting the death of the internet is clueless.
Hmm, that's little comfort if you're sharing your cable modem PVC with one of these bozos who goes and maxes out your shared 512k. See, that's the thing with DoS attacks: they cause problems for everyone, not just the target, from the users sharing with the source host(s), right through the ISPs carrying the traffic wondering why their usually quiet FE port just went to 100% or why their Cisco 7200 has 100% CPU and dropped all its BGP, and on to the users sharing with the destination who now don't have any bandwidth available. Steve
On Thu, 11 Mar 2004, Petri Helenius wrote:
Gregory Taylor wrote:
Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall, it'll create a nuclear-fission-sized chain reaction of looping Denial of Service attacks that would probably bring most major backbone providers to their knees.
Fortunately people with less clue usually have less bandwidth.
When pricing structures and deployment of broadband in the US approaches that of Korea and Japan, I think you'll find that that isn't the case in the US anymore.
Obviously there are exceptions. I would expect to see localized tragedies if something like this got deployed, but predicting the death of the internet is clueless.
Pete
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Joel Jaeggli wrote:
On Thu, 11 Mar 2004, Petri Helenius wrote:
Gregory Taylor wrote:
Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall, it'll create a nuclear-fission-sized chain reaction of looping Denial of Service attacks that would probably bring most major backbone providers to their knees.
Fortunately people with less clue usually have less bandwidth.
When pricing structures and deployment of broadband in the US approaches that of Korea and Japan, I think you'll find that that isn't the case in the US anymore.
Out of interest, do people see much in the way of DDoS attacks from Japan? All that bandwidth and quite a sizable population (130 million) - but maybe the latency to US and European targets constrains it? Sam
Sam Stickland wrote:
Out of interest, do people see much in the way of DDoS attacks from Japan? All that bandwidth and quite a sizable population (130 million) - but maybe the latency to US and European targets constrains it?
Most attacks are unidirectional so the latency does not matter. Pete
Joel Jaeggli wrote:
When pricing structures and deployment of broadband in the US approaches that of Korea and Japan, I think you'll find that that isn't the case in the US anymore.
If you have two items travelling at different speeds and the one ahead goes faster, they never approach each other but the distance grows. Both go forward though. So I fail to see the problem. Most US broadband or semi-broadband users are on infrastructure which cannot be reasonably upgraded to the bandwidth offered in South Korea without forklift upgrades and digging up the streets. With the amount of clue present, it's unlikely that the upstream bandwidth in the US or most of Europe will grow substantially over the next five years. Pete
On Sun, 14 Mar 2004, Petri Helenius wrote:
With the amount of clue present, it's unlikely that the upstream bandwidth in the US or most of Europe will grow substantially over the next five years.
Heh, that's the kind of quote that comes back to haunt you 5 years down the line :) Steve
Two words (well...one hyphenated-reference): spoofed-source bah, --ra -- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?.. On Wed, Mar 10, 2004 at 11:50:56PM -0800, Gregory Taylor said something to the effect of:
Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall, it'll create a nuclear-fission-sized chain reaction of looping Denial of Service attacks that would probably bring most major backbone providers to their knees.
(Popcorn's in the microwave as I speak)
Greg
Jay Hennigan wrote:
On Wed, 10 Mar 2004, Gregory Taylor wrote:
After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprits themselves, thus pouring gasoline all over an already blazing inferno.
On the other hand, they could become immensely popular, reaching the critical mass when one of them detects what is interpreted as an attack from a network protected by another. Grab the popcorn and watch as they all bludgeon each other to death. :-)
On Thursday, March 11, 2004 2:43 AM [EST], Jay Hennigan <jay@west.net> wrote:
On the other hand, they could become immensely popular, reaching the critical mass when one of them detects what is interpreted as an attack from a network protected by another. Grab the popcorn and watch as they all bludgeon each other to death. :-)
Sounds like efnet channel wars on a much more interesting scale. Like I've said in previous posts - do we really want these people having tools like this? Doesn't this make them the equivalent of 'script kiddies'? How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party? -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <bruns@2mbit.com> wrote:
Sounds like efnet channel wars on a much more interesting scale.
Like I've said in previous posts - do we really want these people having tools like this? Doesn't this make them the equivalent of 'script kiddies'?
How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party?
I hit send way too fast, heh. What's going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use the current trojans? No product is 100% secure (especially not something that runs under Windows, but that's another issue), so how are they going to deliver updates? Or make sure that the thing is configured right? I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network. This is starting to sound more and more like a nuclear arms race - on one side we have Company A, on the other Company B. Company A fears that B will attack it, so they get this super dooper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally a script kiddie comes along and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts grinding to a halt for others caught in the crossfire. So, who thinks that this is a good idea? :) -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
My mom likes the idea, she thinks it'll help her get her hotmail faster. (shrugs) Brian Bruns wrote:
On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <bruns@2mbit.com> wrote:
Sounds like efnet channel wars on a much more interesting scale.
Like I've said in previous posts - do we really want these people having tools like this? Doesn't this make them the equivalent of 'script kiddies'?
How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party?
I hit send way too fast, heh.
What's going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use the current trojans?
No product is 100% secure (especially not something that runs under Windows, but that's another issue), so how are they going to deliver updates? Or make sure that the thing is configured right? I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network.
This is starting to sound more and more like a nuclear arms race - on one side we have Company A, on the other Company B. Company A fears that B will attack it, so they get this super dooper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally a script kiddie comes along and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts grinding to a halt for others caught in the crossfire.
So, who thinks that this is a good idea? :)
On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of:
On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <bruns@2mbit.com> wrote:
..snip snip..
How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party?
Caution: 'innocent' is not the buzzword here. Subscribers: check your respective AUPs. You will likely find explicit prohibition of any malicious and generally unsolicited traffic generated by a node in your control, and I don't think that self-defense has an extenuation clause or special case appendix therein. You attack an attacker, he, too, can pursue you legally. There are no provisions made for DoS-ing a DoS-er. Vigilante nonsense is discouraged.
..snip snip..
What's going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use the current trojans?
This won't even require an exploit to effect. These boxes can likely be used to do the bidding of miscreants with some simply-crafted packets and source spoofing. This thing could become something akin to a smurf amp with a big-time attitude problem. Anti-spoof rules will afford a modicum of reverse-path protection, but not enough to swat away the majority of inbound crafted traffic. This stupid PoS appliance would have to be installed and widely-deployed provider-side to discern on such a level. This would become the stuff of yet-another-botnet.
No product is 100% secure (especially not something that runs under Windows, but that's another issue), so how are they going to deliver updates?
This is the least of their concerns; update management is already done effectively and easily by most IDS, anti-virii, and other signature-based appliance manufacturers. Snakeoil salesmen offer at the most basic a valid means of distributing updates, even.
Or make sure that the thing is configured right?
Now _that_ is a real problem. Given that no one has beaten the creators with the illustrious clue stick and anyone who'd truly subscribe to this thing is likely mis-wired him/herself, I would guess that poor configuration is an engineering cornerstone on which this entire debacle desperately depends. Flog the scoundrels. ymmv, --ra -- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?..
I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network.
This is starting to sound more and more like a nuclear arms race - on one side we have Company A, on the other Company B. Company A fears that B will attack it, so they get this super dooper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally a script kiddie comes along and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts grinding to a halt for others caught in the crossfire.
So, who thinks that this is a good idea? :) -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org
The Abusive Hosts Blocking List http://www.ahbl.org
At 02:25 AM 3/11/2004, Gregory Taylor wrote:
After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprits themselves, thus pouring gasoline all over an already blazing inferno.
Plus imagine an attack originates behind one of these devices for some reason attacking another device. It'll just create a massive loop. :) That would be interesting. Vinny Abello Network Engineer Server Management vinny@tellurian.com (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
VA> Date: Thu, 11 Mar 2004 08:12:04 -0500 VA> From: Vinny Abello VA> Plus imagine an attack originates behind one of these devices VA> for some reason attacking another device. It'll just create a VA> massive loop. :) That would be interesting. I wonder if it pays attention to the "evil bit"? ;) Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _________________________________________________________________ DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net Sending mail to spambait addresses is a great way to get blocked.
Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot. Legality aside... I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy! More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage. ymmv, --ra -- rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?.. On Wed, Mar 10, 2004 at 11:25:20PM -0800, Gregory Taylor said something to the effect of:
After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprits themselves, thus pouring gasoline all over an already blazing inferno.
This product is a bad, bad idea and anyone who invests money into it should slap themselves very hard with a metal gauntlet for being so gullible.
Greg
In message <0aa101c40707$eebc2650$dbc21e43@Somi>, "Joshua Brady" writes:
http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm
Comments?
Yes, let's allow the kiddies, who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies. Scenario: Let's say my name is l33th4x0r. I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names. I find the IP for joeblow.cable.com to be 192.168.69.69. I find one of these 'security' systems, or multiple security systems, and I decide to forge a TCP attack from 192.168.69.69 to these 'security systems'. These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69, thus destroying his connectivity. Kiddie 1, Joeblow 0, The Internet as a whole 0. Greg Rachael Treu wrote:
Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot.
Legality aside...
I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy!
More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage.
ymmv, --ra
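The two scenarios argued above (Brian Bruns' Company A / Company B crossfire and Greg's forged-source joeblow case) can be checked on paper with a small model. The following is an added illustration, not code from the thread and not Symbiot's product: packets are plain records, nothing touches a network, and the addresses, the retaliation factor (AMP = 2), the per-source threshold (3 units) and the "drop" policy used as the sane alternative are all assumptions of the example. It shows that a device which retaliates against the *claimed* source hits a host that never sent anything, and that two such devices feed each other without end once a handful of forged packets gets them started, whereas the same devices under a drop policy generate no traffic at all.

```python
"""Toy model of a 'strike-back' firewall (added illustration, not Symbiot's code).

Packets are plain records and nothing touches a real network: the point is to
show, on constructed input, why a device that retaliates against the *claimed*
source of an attack hurts innocent third parties and can loop with its peers.
"""
from collections import Counter, deque
from dataclasses import dataclass
import ipaddress

AMP = 2  # assumed: each counter-strike returns twice the traffic it saw


@dataclass(frozen=True)
class Packet:
    src: str       # claimed source address; nothing on the wire authenticates it
    dst: str
    size: int = 1  # abstract units of traffic


class Site:
    """A network behind one device. Policy is "drop" or "strike_back"."""

    def __init__(self, name, prefix, policy, threshold=3):
        self.name = name
        self.prefix = ipaddress.ip_network(prefix)
        self.policy = policy
        self.threshold = threshold   # traffic per source before it counts as an attack
        self.seen = Counter()        # traffic per claimed source
        self.received = 0            # everything that reached this site
        self.sent = 0                # retaliation traffic this site generated

    def owns(self, addr):
        return ipaddress.ip_address(addr) in self.prefix

    def passes_anti_spoof(self, pkt):
        # The only spoof check a customer-edge box can make: an outside packet
        # must not claim one of our own addresses. Whether an *outside* source
        # is genuine is unknowable here; that needs filtering at the provider.
        return not self.owns(pkt.src)

    def receive(self, pkt):
        """Handle one inbound packet; return the packets emitted in response."""
        self.received += pkt.size
        if not self.passes_anti_spoof(pkt):
            return []
        self.seen[pkt.src] += pkt.size
        if self.policy != "strike_back" or self.seen[pkt.src] < self.threshold:
            return []        # a sane device drops or rate-limits and emits nothing
        # Retaliate against whoever the packet *claims* to be from.
        reply = Packet(src=str(self.prefix[1]), dst=pkt.src, size=AMP * pkt.size)
        self.sent += reply.size
        return [reply]


def simulate(sites, initial, max_packets=12):
    """Deliver packets until the queue drains or the cap is hit.

    Returns (packets delivered, packets still queued); a non-empty backlog at
    the cap means the sites are feeding each other indefinitely.
    """
    queue = deque(initial)
    delivered = 0
    while queue and delivered < max_packets:
        pkt = queue.popleft()
        delivered += 1
        for site in sites:
            if site.owns(pkt.dst):
                queue.extend(site.receive(pkt))
                break    # packets to addresses no site owns are simply lost
    return delivered, len(queue)


def spoofed_victim_scenario():
    """Forged-source packets sent to a strike-back site (constructed addresses)."""
    site_b = Site("B", "10.1.0.0/24", "strike_back")
    joe = Site("joeblow", "192.168.69.0/24", "drop")   # never sends anything
    forged = [Packet(src="192.168.69.69", dst="10.1.0.5") for _ in range(3)]
    simulate([site_b, joe], forged)
    return {"joe_received": joe.received, "joe_sent": joe.sent, "b_sent": site_b.sent}


def crossfire_scenario(policy):
    """Two sites with the same policy; forged packets claim A is attacking B."""
    a = Site("A", "10.1.0.0/24", policy)
    b = Site("B", "10.2.0.0/24", policy)
    forged = [Packet(src="10.1.0.7", dst="10.2.0.7") for _ in range(4)]
    delivered, backlog = simulate([a, b], forged, max_packets=12)
    return {"a_received": a.received, "b_received": b.received,
            "delivered": delivered, "backlog": backlog}


if __name__ == "__main__":
    print("spoofed victim:", spoofed_victim_scenario())
    print("strike_back   :", crossfire_scenario("strike_back"))
    print("drop          :", crossfire_scenario("drop"))
```

In the crossfire run under the strike-back policy the four forged packets trigger replies that each side then reads as a fresh attack, so the packet cap is reached with the queue still non-empty and the traffic doubling every hop; with the drop policy the same input produces nothing beyond the four forged packets. The anti-spoof check in the model is deliberately the weak one Rachael describes: it stops a packet claiming one of the site's own addresses, but it has no way to know whether an outside source is forged.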
If you wanted to do that, wouldn't the firewall just need directed-broadcast left open or emulate similar behavior, or even turning ip unreachables back on? Flooding pipes accidentally is easy enough. Now people are selling products to do it deliberately. Yeesh. I saw a license plate this week (Virginia -IWTFM) I thought that was clever. Deepak Gregory Taylor wrote:
Yes, let's allow the kiddies, who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies.
Scenario:
Let's say my name is l33th4x0r.
I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names.
I find the IP for joeblow.cable.com to be 192.168.69.69.
I find one of these 'security' systems, or multiple security systems, and I decide to forge a TCP attack from 192.168.69.69 to these 'security systems'.
These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69, thus destroying his connectivity.
Kiddie 1, Joeblow 0, The Internet as a whole 0.
Greg
Rachael Treu wrote:
Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot.
Legality aside...
I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy!
More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage.
ymmv, --ra
Deepak Jain wrote:
If you wanted to do that, wouldn't the firewall just need directed-broadcast left open or emulate similar behavior, or even turning ip unreachables back on?
Flooding pipes accidentally is easy enough. Now people are selling products to do it deliberately.
Maybe there is a lesson to be learned from many RBL operators. To make sure, just send packets to the whole /24 or /16 you got an "attack" packet from. Pete
On Thu, 11 Mar 2004, Laurence F. Sheldon, Jr. wrote:
Petri Helenius wrote:
Maybe there is a lesson to be learned from many RBL operators. To make sure, just send packets to the whole /24 or /16 you got an "attack" packet from.
Which RBL operators flood /24's or /16's? What do they flood them with?
I think he meant that RBLs sometimes include an entire /24 in the RBL list when only one or two IPs are at fault, and some would go even higher to include an entire ISP allocation. This is probably talking about SPEWS and similar RBLs -- William Leibzon Elan Networks william@elan.net
william(at)elan.net wrote:
On Thu, 11 Mar 2004, Laurence F. Sheldon, Jr. wrote:
Petri Helenius wrote:
Maybe there is a lesson to be learned from many RBL operators. To make sure, just send packets to the whole /24 or /16 you got an "attack" packet from.
Which RBL operators flood /24's or /16's? What do they flood them with?
I think he meant that RBLs sometimes include entire /24 in RBL list when only one or two ips are at fault and some would go even highier to include entire ISP allocation. This is probably talking about SPEWs and alike RBLs
I thought "RBL" was a trademark of Abovenet or MAPS or somebody. -- Requiescas in pace o email
On Thursday, March 11, 2004 6:16 PM [EST], william(at)elan.net <william@elan.net> wrote:
Which RBL operators flood /24's or /16's? What do they flood them with?
I think he meant that RBLs sometimes include an entire /24 in the list when only one or two IPs are at fault, and some would go even higher and include an entire ISP allocation. This is probably about SPEWS and similar RBLs
That usually only happens when providers ignore abuse reports and don't do something about their abusive customers. That's how we do it at the AHBL - you ignore abuse reports for long enough and pretend like the problem doesn't exist, you get a /24 listed. You move the spammer to another block, inside your network, and it grows to encompass the new block as well as the old one. And it keeps going from there.

That's how the rima-tde blocks that are in the AHBL got started - single /32s, then as the spam and 419 scams came in faster, it expanded to /24s, and finally after 2 dozen or so /24s blocked, I started going for /20s and larger. Now I've got two /13s, and a /16 of theirs blocked until Telefonica decides to contact us and discuss the situation with the abuse coming from their network.

When providers don't act on abuse, you have to put the pressure on. Sometimes, that means forcing their legit customers to start to complain and throw a fit with their provider over the blocks. Yes, it's ugly and unfair, but that's the only way to get them to act.

-- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
On Thu, Mar 11, 2004 at 04:10:04PM -0500, Deepak Jain said something to the effect of:
If you wanted to do that, wouldn't the firewall just need directed-broadcast left open or emulate similar behavior, or even turning ip unreachables back on?
Exactly my point in using the word "amplifier" earlier. No special config or sploit-du-jour required. The play-by-play below is even more complicated than the process.
Flooding pipes accidentally is easy enough. Now people are selling products to do it deliberately.
They'll be sorry.
Yeesh.
I saw a license plate this week (Virginia -IWTFM) I thought that was clever.
Nice. :D
-- k. rachael treu, CISSP rara@navigo.com ..quis custodiet ipsos custodes?..
Deepak
Gregory Taylor wrote:
Yes, lets allow the kiddies who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies.
Scenario:
Let's say my name is: l33th4x0r
I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names.
I find IP for joeblow.cable.com to be 192.168.69.69
I find one of these 'security' systems, or multiple security systems, and I decide to forge a TCP attack from 192.168.69.69 to these 'security systems'.
These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69 thus destroying his connectivity.
Kiddie 1 Joeblow 0 The Internet as a whole 0
Greg
Rachael Treu wrote:
Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot.
Legality aside...
I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy!
More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage.
ymmv, --ra
Leaving directed-bcast open would accomplish this on these devices, as well as many others. A bigger problem here is that these irresponsible network polyps would offer an icmp-independent amplifier. They essentially open smurf amplification to any other protocol. Whereas a network might clobber icmp at its border(s), a tcp or udp attack on a "friendly" port would elicit the same effect as the ping-of-death of old, and be permitted traversal of the traditional front lines of defense.

Contributing to firewalking and general network recon, the bane of icmp is in its inherent behavior. It is designed to remit success and failure messages disclosing path and node details. This is its sole function, and is therefore non-negotiable and suspect and frequently dropped or monitored by edge devices. tcp and udp, on the other hand, are now being twisted to behave the same way when encountered by these stupid vigilante firewalls: send a (malicious) stream of data, invoke an equal and opposite stream of (malicious) data. The creepy innovators of this nonsense appliance just used the application layer to defile the fundamental nature of ubiquitous protocols. Think about how we generally react when it appears that M$ has done that.

Just give the whole bloody Internet a big red button, and train users' crosshairs on the first thing that moves. I'll cheerlead outside the court proceedings when this obnoxious vendor sees its first lawsuit or dissolution hearing. No carrier would allow this on its network, anyway.

--ra

On Thu, Mar 11, 2004 at 04:10:04PM -0500, Deepak Jain said something to the effect of:
If you wanted to do that, wouldn't the firewall just need directed-broadcast left open or emulate similar behavior, or even turning ip unreachables back on?
Flooding pipes accidentally is easy enough. Now people are selling products to do it deliberately.
Yeesh.
I saw a license plate this week (Virginia -IWTFM) I thought that was clever.
Deepak
Gregory Taylor wrote:
Yes, lets allow the kiddies who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies.
Scenario:
Let's say my name is: l33th4x0r
I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names.
I find IP for joeblow.cable.com to be 192.168.69.69
I find one of these 'security' systems, or multiple security systems, and I decide to forge a TCP attack from 192.168.69.69 to these 'security systems'.
These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69 thus destroying his connectivity.
Kiddie 1 Joeblow 0 The Internet as a whole 0
Greg
Rachael Treu wrote:
Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot.
Legality aside...
I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy!
More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage.
ymmv, --ra
-- rachael treu rara@navigo.com ..quis custodiet ipsos custodes?..
On 10.03 20:55, Steven M. Bellovin wrote:
The phrase "seriously bad idea" comes to mind. Other phrases include "illegal", "collateral damage", and "stupid".
Those plus "escalation of aggression" and "uncontrollable feedback loop". Daniel Karrenberg PS: I will spare you the re-run of a recent discussion I had with some 5-year-olds, but there *is* a certain similarity.
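As an added example (not code from this thread, from Symbiot or from any of the posters), here is a toy Python model of the three mechanics argued above: Gregory's spoofed trigger, Rachael's amplifier, and Daniel's feedback loop. It also shows the one cheap attribution check TCP offers, a completed three-way handshake, which an off-path spoofer cannot finish because it never sees the SYN-ACK, and why even that only proves the address is reachable, not that its owner is the attacker. Everything in it is an assumption: the threshold/ratio "proportional response" policy is invented here (the vendor's actual behaviour is not described anywhere on this page), the addresses are from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the traffic is constructed.

```python
"""Toy model of a 'strike back' firewall. Policy, addresses and traffic are all constructed."""
import secrets
from collections import deque
from dataclasses import dataclass

PKT_BYTES = 60  # every packet is 60 bytes so amplification can be read off directly

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str    # "S", "SA", "A" or "R"
    seq: int = 0  # ISN carried by a SYN-ACK
    ack: int = 0  # ISN+1 echoed in the handshake ACK

class Net:
    """FIFO delivery between hosts keyed by address; no loss, no delay."""
    def __init__(self, *hosts):
        self.hosts, self.queue = {h.addr: h for h in hosts}, deque()
    def send(self, pkt):
        self.queue.append(pkt)
    def run(self, max_packets=10_000):
        """Deliver until idle; a result equal to max_packets means it never went idle."""
        delivered = 0
        while self.queue and delivered < max_packets:
            pkt = self.queue.popleft()
            delivered += 1
            if pkt.dst in self.hosts:
                self.hosts[pkt.dst].receive(pkt, self)
        return delivered

class Host:
    """Plain TCP stack: SYN-ACKs every SYN, ACKs a SYN-ACK it asked for, RSTs one it did not."""
    def __init__(self, addr):
        self.addr, self.rx_bytes = addr, 0
        self.syn_sent = set()  # peers we opened a connection to
        self.isn = {}          # peer -> random ISN we put in our SYN-ACK to it
    def receive(self, pkt, net):
        self.rx_bytes += PKT_BYTES
        if pkt.flags == "S":
            self.isn[pkt.src] = secrets.randbits(32)
            net.send(Packet(self.addr, pkt.src, "SA", seq=self.isn[pkt.src]))
        elif pkt.flags == "SA" and pkt.src in self.syn_sent:
            net.send(Packet(self.addr, pkt.src, "A", ack=pkt.seq + 1))
        elif pkt.flags == "SA":
            net.send(Packet(self.addr, pkt.src, "R"))

class StrikeBackBox(Host):
    """Hypothetical vigilante firewall (policy invented here, not Symbiot's): from the
    threshold-th SYN on, every SYN from a source draws `ratio` SYNs back at that address."""
    def __init__(self, addr, threshold=3, ratio=5, require_handshake=False):
        super().__init__(addr)
        self.threshold, self.ratio = threshold, ratio
        self.require_handshake = require_handshake  # strike only at handshake-verified sources
        self.syns_from, self.verified, self.strikes = {}, set(), {}
    def receive(self, pkt, net):
        super().receive(pkt, net)
        if pkt.flags == "A":
            if pkt.ack == self.isn.get(pkt.src, -2) + 1:  # echoed our ISN: it saw our SYN-ACK
                self.verified.add(pkt.src)
        elif pkt.flags == "S":
            n = self.syns_from[pkt.src] = self.syns_from.get(pkt.src, 0) + 1
            attributed = not self.require_handshake or pkt.src in self.verified
            if n >= self.threshold and attributed:  # else: source address is an unproven claim
                self.strikes[pkt.src] = self.strikes.get(pkt.src, 0) + self.ratio
                for _ in range(self.ratio):
                    net.send(Packet(self.addr, pkt.src, "S"))

def spoofed_flood(net, box, victim, n):
    """Off-path attacker: n SYNs at the box carrying the victim's address; returns bytes sent."""
    for _ in range(n):
        net.send(Packet(victim.addr, box.addr, "S"))
    return n * PKT_BYTES

def reflection(n_spoofed=10, gated=False):
    """One box, one innocent victim: (attacker bytes, victim bytes, strikes at the victim)."""
    box, victim = StrikeBackBox("198.51.100.1", require_handshake=gated), Host("192.0.2.7")
    net = Net(box, victim)
    sent = spoofed_flood(net, box, victim, n_spoofed)
    net.run()
    return sent, victim.rx_bytes, box.strikes.get(victim.addr, 0)

def feedback_loop(cap=2000):
    """Two naive boxes, three spoofed SYNs: (packets delivered, packets still queued)."""
    a, b = StrikeBackBox("198.51.100.1"), StrikeBackBox("198.51.100.2")
    net = Net(a, b)
    spoofed_flood(net, a, b, 3)
    return net.run(max_packets=cap), len(net.queue)

def gated_real_source(n_flood=10):
    """A host really at its address (say a hijacked PC) completes a handshake, then floods."""
    box, bot = StrikeBackBox("198.51.100.1", require_handshake=True), Host("203.0.113.9")
    net = Net(box, bot)
    bot.syn_sent.add(box.addr)
    net.send(Packet(bot.addr, box.addr, "S"))
    net.run()  # S, SA, A: the bot is now 'verified'
    for _ in range(n_flood):
        net.send(Packet(bot.addr, box.addr, "S"))
    net.run()
    return box.strikes.get(bot.addr, 0)  # the gate passes it: struck, whoever owns it
```

With the defaults, ten spoofed 60-byte SYNs (600 bytes from the attacker) put 5400 bytes on the victim's link: one SYN-ACK per spoofed packet, 40 retaliatory SYNs, and 40 RSTs the box sends when the victim answers those SYNs. Two boxes need only three spoofed packets to start a loop that is still growing when the simulation gives up at 2000 deliveries. The handshake-gated box never strikes the spoofed victim, but note that it still answers every spoofed SYN with a SYN-ACK to the victim, the 1:1 backscatter any TCP stack produces; what strike-back adds is the multiplier and, with two boxes, the loop. The last function is the collateral-damage point quoted from ZDNet further down the thread: a hijacked host that completes the handshake is struck just the same.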
On Wed, 10 Mar 2004, Joshua Brady wrote:
http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm Comments?
This is not really a comment about this article. But I really think it would have been better if people didn't just put the link and then say "comments" but actually posted the most important part of the article. In this case it should have been mentioned that this is another article about Symbiot (remember the thread about it just last week) and their threatened counter-strike anti-DoS system... Here are some quotes from this article:

<quote from above listed url; ... = snip>
Symbiot launches DDoS counter-strike tool
Munir Kotadia ZDNet UK March 10, 2004, e5:15 GMT
...
In advance of the product launch, Symbiot's president, Mike Erwin, and its chief scientist, Paco Nathan, have outlined a set of "rules of engagement for information warfare"
...
The company said it bases its theory on the military doctrine of "necessity and proportionality", which means the response to an attack is proportionate to the attack's ferocity. According to the company, a response could range from "profiling and blacklisting upstream providers" or it could be escalated to launch a "distributed denial of service counter-strike"
...
Governments could soon be using hacker tools for law enforcement and the pursuit of justice, according to an expert on IT and Internet law. Joel Reidenberg, professor of law at New York-based Fordham University, believes it likely that denial of service attacks (DoS) and packet-blocking technology will be employed by nation states to enforce their laws. This could even include attacks on companies based in other countries, he says.
</quote>

To be fair, I chose specific parts of the article and it does list views and concerns of some security experts:

<other quotes from same article>
...
Security experts expressed alarm at the company's plans. Graham Titterington, principal analyst at Ovum, said "such a counterattack would not be regarded as self-defence and would therefore be an attack. It would be illegal in those jurisdictions where an anti-hacking law is in place." He added that because many hacking and DDoS attacks are launched from hijacked computers, the system would be unlikely to find its real target: "Attacks are often launched from a site that has been hijacked, making it an unwitting and innocent -- although possibly slightly negligent -- party."
Richard Starnes, director of incident response at Cable and Wireless Managed Security Services, said he would not employ an "active defence technique" because there are legal and ethical issues involved. Also, he would not be happy about any product "specifically designed to launch attacks" being put into commercial production. Starnes said it would be easy to hit the wrong target and even if it was the right target, there could be collateral damage: "You may be taking out grandma's computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up. The attack could also knock over a Point of Presence (PoP), so you are not only attacking the target, but also the feeds before them -- this means taking out ISPs, businesses and home users."
</other quotes>
The company said it bases its theory on the military doctrine of "necessity and proportionality", which means the response to an attack is proportionate to the attack's ferocity. According to the company, a response could range from "profiling and blacklisting upstream providers" or it could be escalated to launch a "distributed denial of service counter-strike" ...
Their ROE white paper is full of pseudo-military phraseology that suggests lots of safeguards in place to respond only to verifiably culpable adversaries and to ensure responsible executive oversight.....right up to the point when they start talking about distributed denial of service counterattacks (under the heading which they refer to as "asymmetric measures"). I wonder, are they planning to launch these DDoS attacks from compromised hosts belonging to unwitting accomplices like the bad guys do? Or by enlisting the computing resources of all Symbiot customers (i.e., if customer A gets attacked, hosts at customers B, C, and D are employed in the retaliation)? I'm assuming they use the term "distributed" advisedly. Either way, it sounds illegal by design.
On Wed, 10 Mar 2004, Mark Borchers wrote:
The company said it bases its theory on the military doctrine of "necessity and proportionality", which means the response to an attack is proportionate to the attack's ferocity. According to the company, a response could range from "profiling and blacklisting upstream providers" or it could be escalated to launch a "distributed denial of service counter-strike" ...
Their ROE white paper is full of pseudo-military phraseology that suggests lots of safeguards in place to respond only to verifiably culpable adversaries and to ensure responsible executive oversight.....right up to the point when they start talking about distributed denial of service counterattacks (under the heading which they refer to as "asymmetric measures").
hopefully they will spend their time attacking that pesky attacker: 127.0.0.1... he's always attacking customers, shouldn't he have been caught by now?
participants (22)
- Brian Bruns
- Christopher L. Morrow
- Daniel Karrenberg
- Deepak Jain
- E.B. Dreger
- Eric Gauthier
- Gregory Taylor
- Jay Hennigan
- Joel Jaeggli
- Joshua Brady
- Laurence F. Sheldon, Jr.
- Mark Borchers
- Petri Helenius
- Rachael Treu
- Sam Stickland
- Sean Donelan
- Stephen J. Wilcox
- Steven M. Bellovin
- Travis Dawson
- Valdis.Kletnieks@vt.edu
- Vinny Abello
- william(at)elan.net