Karl, *You* may wish to make your life more convenient by bringing government force into your relationship with other network providers, why by what divine right do you get to impose your convenience on others by force? Just go ahead and filter the offenders. When their customers cannot reach your services, or their server customers get contacted by your customers about the policies of their ISP, either they will change their policies or they will loose customers. It is MUCH more effective to guide business policies by the lure of money than by the gun. Each and every network service I have worked for has, once the benefits of cooperation were pointed out to them, changed their tune. Maybe if it were someone advocating force against YOU you wouldn't be quite so pleased at the prospect as when you think the cavalry is coming to rescue YOU. Curt-
On Tue, Jun 16, 1998 at 12:58:12PM -0700, Curt Howland wrote:
Karl,
*You* may wish to make your life more convenient by bringing government force into your relationship with other network providers, why by what divine right do you get to impose your convenience on others by force?
Uh, I am imposing that same force on myself, if the "bad guys" are on my network and someone needs help from us. What I'm doing is asking for the government to start holding people accountable for attractive nuisances, including vendors of equipment who do nothing about tracability of this kind of attack.
Just go ahead and filter the offenders. When their customers cannot reach your services, or their server customers get contacted by your customers about the policies of their ISP, either they will change their policies or they will loose customers.
It is MUCH more effective to guide business policies by the lure of money than by the gun. Each and every network service I have worked for has, once the benefits of cooperation were pointed out to them, changed their tune.
Look: 1. There is zero excuse for people allowing non-verified traffic in from dial ports. Zero. Its a trivial filter to implement on any RAS box on the market today, including some VERY old ones. If you filter only to the level of what COULD be legal (ie: the pool addresses on the device) that's good enough - it stops the spoofed denial of service attacks. Further, there is no bandwidth or CPU consumptiojn argument on these connections which can be made. This is pure LAZYNESS and nothing more - period. This also applies to the cable modem people, the ADSL people, etc. The only thing in the way of doing this on dedicated lines is reasonable automation (since people on dedicated lines might have their own address space, etc). MOST large ISPs do NO verification on inbound dial packet streams. 2. There is even less than zero excuse for a "fuck you" response from a NOC when you call them with a denial of service issue. Yet this is what we, all too often, get, along with a refusal to transfer to a manager and in some cases, a refusal to give the employee's NAME! The first thing these guys want is a customer ID; don't have one, go straight to hell. This happens ALL the time. In fact, it happens so often that its basically a waste of time to attempt to try to trace an active Smurf today, because the big guys WILL stonewall you. 3. Many of these providers sell "burstable" circuits. They CHARGE MORE to customers when they are abused as smurf amplifiers. Thus, there is a hell of an incentive NOT to do anything about the problem, as bits are bits when it comes to this issue. Now if you bitch they'll remove the charge I'm sure, but how many people won't catch it, especially on DS1s and frac T3s? 4. CISCO and other vendors have NOT stepped up to the plate with an EASY protocol-based way to trace these things. The bottom line is that the users haven't demanded it because its a "not in my back yard" type of problem, and the people who's back yard it IS in (and who are spending the most money with CISCO and friends) are not motivated to fix it. 5. It is the smaller provider and customer who gets hurt by this. We can survive 99% of all smurf attempts without damage. Our T1 downstream customers? They're screwed. A T1-connected ISP? They're screwed as well. We don't get flooded off the network when it happens, which is why a "bounce at the border" strategy works for us. IT DOES NOT WORK FOR OUR CUSTOMERS, AS ONCE IT GETS TO THEM THE LINE IS CONSUMED AND TOSSING THE TRAFFIC IS POINTLESS! 6. Since you need significant bandwidth to BE a good smurf amplifier, guess who makes the "best" ones? Big ISP's internal infrastructure points, and fat-pipe (ie: DS3+) connected organizations. The DS1 connected guy is a poor smurf source, since you need a lot of them in concert to hurt significant ISPs badly these days. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV | NEW! Corporate ISDN Prices dropped by up to 50%! Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
Karl,
2. There is even less than zero excuse for a "fuck you" response from a NOC when you call them with a denial of service issue. Yet this is what we, all too often, get, along with a refusal to transfer to a manager and in some cases, a refusal to give the employee's NAME! The first thing these guys want is a customer ID; don't have one, go straight to hell.
I suspect including information about response from NOCs in the canonical smurf amplifier registry would be instructive. Regards, -drc
On Wed, Jun 17, 1998 at 09:07:50AM +0800, David R. Conrad wrote:
Karl,
2. There is even less than zero excuse for a "fuck you" response from a NOC when you call them with a denial of service issue. Yet this is what we, all too often, get, along with a refusal to transfer to a manager and in some cases, a refusal to give the employee's NAME! The first thing these guys want is a customer ID; don't have one, go straight to hell.
I suspect including information about response from NOCs in the canonical smurf amplifier registry would be instructive.
Regards, -drc
That's simple. Follow the question path below to obtain your answer: 1. Is the network provider "next in the chain" a large national concern in the United States? 2. If yes, don't bother wasting your time. You will be told one of: a) We don't know what you're talking about <click> b) We'll contact security (two hours later, after the attack is over and is no longer traceable, they call back) c) What's your customer number? Oh, you're not a customer? Sorry. <click> 3. If no, you will be told one of: a) We don't know how to trace that <click> b) The source address isn't ours, sorry, we can't help you <click> I have yet to have *ONE* Smurf attack, even ones which go on for an hour or more, successfully traced back to the source. At some point in the chain before you get to the source you WILL get one of the above answers. This is why the government needs to get involved and *demand* that the ability exist via a *protocol* for people in a NOC to initiate and follow these traces automatically, without human intervention by the NOCs in the chain. What I would love to see is: "trace-smurf <forged-victim-address> <amplifier-address>" <return> This would launch a trace which: 1. Looks "upstream" automatically for the destination address flow that matches the "victim" and amplifier, until it gets there (basically, set a "trap" condition for the address pair tuple, and then wait a few seconds for it to come through). 2. Determines the broadcast address for the interface which caused the smurf to be amplified. 3. Substitutes the broadcast address for the amplifier address, and then repeat upstream further until you get to the router where the victim/amplifier address pair is originating. 4. Displays its progress, much like a traceroute, as it is doing so, including the "turning point" where it is searching for the source as opposed to the amplifier. Hopefully we can get the ASNs along the way too (ala CISCO). This would NAIL the source of these things, be quick to execute, and put the nail in the coffin of the smurfer kiddies. Once you've identified the source of the attacks you now can direct the legal people to the right place, *AND* drop them from your list of people you will accept traffic from if you'd like. The trick is that you don't have to call anybody, and you can execute a trace in a few seconds to a minute tops. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV | NEW! Corporate ISDN Prices dropped by up to 50%! Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
1. Is the network provider "next in the chain" a large national concern in the United States?
2. If yes, don't bother wasting your time. You will be told one of: a) We don't know what you're talking about <click> b) We'll contact security (two hours later, after the attack is over and is no longer traceable, they call back) c) What's your customer number? Oh, you're not a customer? Sorry. <click> Sometimes, they (quickly) filter out this attack. Through I did not hear about any successfull tracing.
3. If no, you will be told one of: a) We don't know how to trace that <click> b) The source address isn't ours, sorry, we can't help you <click>
I have yet to have *ONE* Smurf attack, even ones which go on for an hour or more, successfully traced back to the source. At some point in the chain before you get to the source you WILL get one of the above answers.
This is why the government needs to get involved and *demand* that the ability exist via a *protocol* for people in a NOC to initiate and follow these traces automatically, without human intervention by the NOCs in the chain.
What I would love to see is:
"trace-smurf <forged-victim-address> <amplifier-address>" <return> Should you plan to have the distinct sintax for the any kind of attack? Wrong idea.
The main issue is to be able to trace PACKETS by the known SRC or DST address and of the known type. It can be something like - where the packets TCP,SYN,DST=xx.xx.xx.xx are coming from? - where the packets ICMP,ECHO-REQUEST,SRC=xxx.xxx.xxx.xxx are from? Both cases SRC or DST address is YOUR OWN ADDRESS, and it allow you to ask such questions (and prevent you to ask anything about MY internal traffic, for example). If you'll develop anti-smurf system, you'll got SMERF attack and so on. THe most important security hole for todays is the possibility to fraud addresses, and this is complicated by those attacks when the packets frauded are not packets destined to your personally, but the packets with frauded SRC address (replaced to YOUR address). If you can ask the global INTERNET: _this xxx.xxx.xxx.xxx is MY address; where are the packets with this SRC or DST /of the known type/ are coming from - the task is solved, and any attack can be traced (and may be - blocked by the same way) in a 5 minutes.
The trick is that you don't have to call anybody, and you can execute a trace in a few seconds to a minute tops.
-- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV | NEW! Corporate ISDN Prices dropped by up to 50%! Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
On Tue, Jun 16, 1998 at 12:58:12PM -0700, Curt Howland wrote:
Karl,
*You* may wish to make your life more convenient by bringing government force into your relationship with other network providers, why by what divine right do you get to impose your convenience on others by force?
What's your alternative solution?
Just go ahead and filter the offenders.
This is ok after the fact. But it doesn't work when you're under attack and trying to get help.
It is MUCH more effective to guide business policies by the lure of money than by the gun.
I agree, but I don't think your solution, in this particular case, is the right one.
Maybe if it were someone advocating force against YOU you wouldn't be quite so pleased at the prospect as when you think the cavalry is coming to rescue YOU.
If I was running a backbone, and I refused to help stop a Denial of Service attack, couldn't I be considered to be aiding and abetting the criminal who was performing the DoS? Couldn't I be held liable? I mean, in this case, we're not talking gray areas here, like spamming and/or third-party mail relaying. We're talking about smurfing, an action which is clearly illegal, which clearly causes damage to the target network... If I'm made aware of someone DoS'ing using my network, whether a LAN or, in the backbones' case, a WAN, and I tell the complainant to bugger off, or ignore the situation, I deserve whatever (legal) retaliation I get. Including criminal charges if they apply. Including civil liability. IOW - I agree with Karl. -- Steven J. Sobol - Founding Member, Postmaster/Webmaster, ISP Liaison -- Forum for Responsible & Ethical E-mail (FREE) - Dedicated to education about, and prevention of, Unsolicited Broadcast E-mail (UBE), also known as SPAM. Info: http://www.ybecker.net
*You* may wish to make your life more convenient by bringing government force into your relationship with other network providers, why by what divine right do you get to impose your convenience on others by force?
What's your alternative solution?
As you later point out, a smurf attack is no different than any other denial of service attack. Whether that attack is done by picketters physically preventing customers from entering a store, or pingers preventing network use by overloading circuits, it is *already* prosecutable.
Just go ahead and filter the offenders.
This is ok after the fact. But it doesn't work when you're under attack and trying to get help.
As I said, cooperation cannot be forced. It can be promoted, but if, for an example from my experience, Agis simply ignores your attempts at contact, what good will working with them do anyway?
If I was running a backbone, and I refused to help stop a Denial of Service attack, couldn't I be considered to be aiding and abetting the criminal who was performing the DoS? Couldn't I be held liable?
This precident has been set in the physical world on many occations. So, don't wait for some idiot legislator to write a statute whos purpose is reduntand, and which is written by a non-net person so ends up being violently stupid. If you see harm, prosecute it. Anything and everything that one person can do that harms another, even spam and smurf denial-of-service, is already illegal. What it requires is not waiting for someone else to solve your problems for you, it requires people to take charge of their own lives. I mean, in this case,
we're not talking gray areas here, like spamming and/or third-party mail relaying. We're talking about smurfing, an action which is clearly illegal, which clearly causes damage to the target network...
Exactly. I see you understand.
IOW - I agree with Karl.
Or maybe not. Email has its limitations.
Steven J. Sobol - Founding Member, Postmaster/Webmaster, ISP Liaison -- Forum for Responsible & Ethical E-mail (FREE) - Dedicated to education about, and prevention of, Unsolicited Broadcast E-mail (UBE), also known as SPAM. Info: http://www.ybecker.net
Curt- ...just Curt...
If you see harm, prosecute it. Anything and everything that one person can do that harms another, even spam and smurf denial-of-service, is already illegal. What it requires is not waiting for someone else to solve your problems for you, it requires people to take charge of their own lives.
I think we agree here. I understand your earlier point; if the NOCs at the major NSP's are uncooperative, then e-mailing them isn't going to help much.
IOW - I agree with Karl.
Or maybe not. Email has its limitations.
Perhaps after one or two occasions where the NOC refuses to help we could sic a couple lawyers on 'em. Perhaps, since we're talking about a legal issue here, certified mail saying "you're an accessory to a DoS attack" (or at least "You're aiding and abetting") may work better than e-mail. Thank you, you helped me focus a little better... -- Steven J. Sobol - Founding Member, Postmaster/Webmaster, ISP Liaison -- Forum for Responsible & Ethical E-mail (FREE) - Dedicated to education about, and prevention of, Unsolicited Broadcast E-mail (UBE), also known as SPAM. Info: http://www.ybecker.net
At 12:58 6/16/98 -0700, you wrote:
It is MUCH more effective to guide business policies by the lure of money than by the gun. Each and every network service I have worked for has, once the benefits of cooperation were pointed out to them, changed their tune.
Unfortunately, for some networks, the expense in fixing the problem is a reason not to...just as some networks want the income from spammers more than a good reputation.
Maybe if it were someone advocating force against YOU you wouldn't be quite so pleased at the prospect as when you think the cavalry is coming to rescue YOU.
By advocating any kind of Internet oversight body, he IS advocating the potential use of force against himself. Unfortunately, the root problem is that the cooperative paradigm envisioned in the Internet's creation has been overtaken by human weaknesses. Greed, sloth and a host of other sins interfere with the Utopian vision of the original 'Net and cannot be effectively dealt with by asking offenders nicely to shape up. What do spammers and nails have in common? They're both intended for hammering. Dean Robb PC-Easy On-site computer services (757) 495-EASY [3279]
participants (6)
-
Alex P. Rudnev
-
David R. Conrad
-
Dean Robb
-
howland@Priss.com
-
Karl Denninger
-
Steve Sobol