Re: Solution: Re: Huge smurf attack
Tracking down a smurf amplifier is not a problem. Getting the folks to fix it is a little harder than it should be now, as most of the folks left with open amplifiers have been notified and have to this point refused to fix or are unable to fix it. The real solution is to catch the person starting the attack. Until the 'kiddies' start seeing people paying a price for this, they aren't going to stop. I could make sure every person on my network is configured so that no one within their network is able to spoof addresses and can't be used as an amplifier, but this will not protect me and my network from attacks aimed towards us. As long as there are networks that allow spoofed addresses, we will be vulnerable. To even consider the fact that every network will eliminate the ability to forge addresses is unrealistic. We can't get folks to stop being amplifiers; how are we going to get them to apply the spoof filters? The only solution that is realistic is to start catching and prosecuting the individuals doing this. This requires total cooperation between Tier 1 providers, and the ability on all brands of routers to trace this. This is not the case at this time, and I really don't see it heading that way anytime soon.

At 10:06 AM 1/14/99 -0600, you wrote:
My only question is do any of you who've been under attack report these
incidents to the FBI and the other appropriate agencies? I understand
that a lot of these places are Universities and Govt. agencies where
finding someone to fix the problem is like running through water, but I
can only wonder if having the FBI get involved in these things would help.
Two agents from the Houston office recently gave a presentation talking
about their new and expanding computer crimes divisions popping up around
the country. They kept harping on protecting the infrastructure of the
nation's public networks, and I think helping track down smurf amplifiers
would fall under this.
--
Joseph Shaw - jshaw@insync.net
NetAdmin/Security - Insync Internet Services
Free UNIX advocate - "I hack, therefore I am."
On Thu, 14 Jan 1999, Alex P. Rudnev wrote:
I am not sure about the last smurf incident, but don't overestimate the _dark
minds_ that caused this incident. I am 99.9% sure all (ALL) these incidents
complained about in NANOG were the same _kidscripts_.
This does not mean you should not prevent the possibility of
_cyberterrorism_; let these _kid's plays_ help us pay attention to
the security holes we have over the Internet.
--
Harold Willison, AGIS Network Engineering
Senior Network Engineer  313-730-5151
noc@agis.net  313-730-1130 x-5649
harold@agis.net  24 hours a day, 7 days a week
http://www.agis.net
On Thu, 14 Jan 1999, Harold Willison wrote:
that is realistic is to start catching and prosecuting the individuals doing this. This requires total cooperation between Tier 1 providers, and the ability on all brands of routers to trace this. This is not the case at this time, and I really don't see it heading that way anytime soon.
I don't necessarily agree. Going forward we require new vendors to be able to:
1. trace spoof address based attacks in a reasonable time
2. block spoofed attacks from coming from their customers
3. have a mechanism to repair or block amplifying addresses owned by their customers
If the vendor won't commit to doing these things, we will not buy service from them. Ask my UUNet rep, she'll testify to this. UUNet is losing a potential $200,000 a month because they are not capable of tracing spoofed attacks. Instead I give my business to GTEI and Digex because both companies have been very cooperative when asked to do these traces. Anyway the point is that when money is involved, leverage is available. These things can be fixed, it's just a matter of applying the right pressure.
--
Brandon Ross  Network Engineering  404-815-0770  800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info@mindspring.com  ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
On Thu, Jan 14, 1999 at 06:27:35PM -0500, Brandon Ross wrote:
Anyway the point is that when money is involved, leverage is available. These things can be fixed, it's just a matter of applying the right pressure.
Unfortunately, it is probably a lot easier when your domain is "mindspring.net" than when your domain is, say, "nacs.net" -- much more $$ involved. That having been said, I do agree with you...
--
Steve Sobol [sjsobol@nacs.net]  Part-time Support Droid [support@nacs.net]  NACS Spaminator [abuse@nacs.net]
Proud resident of Cleveland Heights, Ohio, the coolest place on earth. http://www.ClevelandHeights.com
On Thu, Jan 14, 1999 at 12:46:44PM -0500, Harold Willison wrote:
Tracking down a smurf amplifier is not a problem. Getting the folks to fix it is a little harder than it should be now, as most of the folks left with open amplifiers have been notified and have to this point refused to fix or are unable to fix it.
Oh, good... then if they refuse to fix their problem, and it can be documented that they refuse to fix their problem, and someone uses them as an amplifier, they can get sued. I hope we have some documentation that these people refuse to do anything.
--
Steve Sobol [sjsobol@nacs.net]  Part-time Support Droid [support@nacs.net]  NACS Spaminator [abuse@nacs.net]
Proud resident of Cleveland Heights, Ohio, the coolest place on earth. http://www.ClevelandHeights.com
Btw. For the victim, there is no difference between:
- smurf amplifiers abused by the hacker;
- a broken box abused by the hacker to create a flood attack;
- a broken dialup provider abused to send spam.
Don't talk about the smurf, talk about badly-secured systems. Open directed broadcast is one example; an open SMTP relay is another one; a non-fixed exploit abused to get root access is the third example. The common case is: _someone does not secure his box/LAN from abuse; what should we do_. The fourth case (not yet) is: an ISP that allows forged SRC addresses to be sent.

On Sat, 16 Jan 1999, Steven J. Sobol wrote:
Date: Sat, 16 Jan 1999 12:35:12 -0500
From: Steven J. Sobol <sjsobol@nacs.net>
To: Harold Willison <harold@agis.net>
Cc: Joe Shaw <jshaw@insync.net>, nanog@merit.edu
Subject: Re: Solution: Re: Huge smurf attack
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
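As an added example, not code from the thread or from any of the posters' networks: the two router-side defences argued for above (spoof filtering on customer ports, and spotting a directed-broadcast amplifier) written as checks over constructed flow records. The interface names, prefixes and addresses are all made up.

```python
# Added example (not from the NANOG thread): two defensive checks over
# constructed flow records.
#  1. Spoof filtering on customer-facing interfaces: a packet entering from a
#     customer interface whose source lies outside that customer's prefix is forged.
#  2. Spotting an amplifier: many distinct hosts in one /24 all sending ICMP
#     echo replies to one victim is the footprint of a directed-broadcast reply.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed table: ingress interface -> prefixes that customer may source from
CUSTOMER_PREFIXES = {
    "cust1": [ip_network("198.51.100.0/24")],
    "cust2": [ip_network("203.0.113.0/25")],
}

# Constructed flow records: (ingress_iface, src, dst, proto, icmp_type)
FLOWS = [
    ("cust1", "198.51.100.7", "192.0.2.1", "icmp", 8),      # legitimate ping
    ("cust1", "198.18.0.1", "192.0.2.255", "icmp", 8),      # forged source, broadcast dst
    ("cust2", "203.0.113.200", "192.0.2.255", "icmp", 8),   # outside cust2's /25
    ("transit", "192.0.2.10", "198.18.0.1", "icmp", 0),     # echo replies from one /24
    ("transit", "192.0.2.11", "198.18.0.1", "icmp", 0),     # all aimed at one host
    ("transit", "192.0.2.12", "198.18.0.1", "icmp", 0),
    ("transit", "192.0.2.13", "198.18.0.1", "icmp", 0),
    ("transit", "192.0.2.77", "198.51.100.7", "icmp", 0),   # single reply to the real ping
]

def spoofed_sources(flows, prefixes):
    """Return (iface, src) pairs whose source is outside the iface's prefixes."""
    bad = []
    for iface, src, *_ in flows:
        allowed = prefixes.get(iface)
        if allowed is None:
            continue  # transit/peer interface: no customer prefix to check against
        if not any(ip_address(src) in net for net in allowed):
            bad.append((iface, src))
    return bad

def amplifier_subnets(flows, min_hosts=3):
    """Return {(dst, '/24'): host_count} for /24s in which at least min_hosts
    distinct hosts sent ICMP echo replies (type 0) to the same destination."""
    hosts = defaultdict(set)
    for _, src, dst, proto, icmp_type in flows:
        if proto == "icmp" and icmp_type == 0:
            net = ip_network(f"{src}/24", strict=False)
            hosts[(dst, str(net))].add(src)
    return {k: len(v) for k, v in hosts.items() if len(v) >= min_hosts}
```

The first check is what a spoof filter on a customer port enforces; the second is what a victim would see from an open amplifier and is what to report to its owner.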