NANOG meeting subject of attack? Hmmmm....
At 06:59 PM 2/8/00 -0500, Paul Ferguson wrote:
See:
I thought the whole point of NANOG was to give the Internet a break - 'cause lord knows it breaks every NANOG....
- paul
TTFN, patrick -- I Am Not An Isp - www.ianai.net ISPF, The Forum for ISPs by ISPs, <http://www.ispf.com> "Think of it as evolution in action." - Niven & Pournelle (Enable? We dunt need no stinkin' enable!!)
On Tue, Feb 08, 2000 at 04:18:16PM -0800, I Am Not An Isp wrote:
At 06:59 PM 2/8/00 -0500, Paul Ferguson wrote:
See:
I thought the whole point of NANOG was to give the Internet a break - 'cause lord knows it breaks every NANOG....
not true. we here at $ISP have found that having our engineers out of town and watching boring powerpoint presentations all day actually enhances network performance and availability. ;-) -- Sam Thomas Geek Mercenary
On Tue, 8 Feb 2000, Paul Ferguson wrote:
not only that, it seems that the DOS is so bad that even UUNet is having to shut down peering points around the West Coast with most of their peers. I guess the only way to 'protect' against something this big would be to follow Paul's RFC and/or have big, fat pipes sitting idle. This is a sad day for the internet. :( Christian
On Tue, 8 Feb 2000, Christian Nielsen wrote:
On Tue, 8 Feb 2000, Paul Ferguson wrote:
I guess the only way to 'protect' against something this big would be to follow Paul's RFC and/or have big, fat pipes sitting idle.
It's my understanding that these recent attacks are DDoS attacks, which really don't need to involve any address spoofing. The MO would look similar to a smurf (many different source addresses bombarding you), but here the negligent (call the lawyers?) party with the hacked Solaris boxes running out-of-the-box configs would not be helped by said RFC, right?
This is a sad day for the internet. :(
Just a reminder that we are working in an anarchic, non-cooperative business, that's all :) Charles
Christian
On Tue, Feb 08, 2000 at 11:47:59PM -0500, Charles Sprickman wrote:
==> It's my understanding that these recent attacks are DDoS attacks, which really don't need to involve any address spoofing. The MO would look similar to a smurf (many different source addresses bombarding you), but here the negligent (call the lawyers?) party with the hacked Solaris boxes running out-of-the-box configs would not be helped by said RFC, right?

Yes and no. The ability to track the perpetrators back to the source would be enough to scare some of these kids away. For those who weren't scared away, the resultant (and easy) traceback and subsequent arrest, conviction, and jail time would provide even more of an example. As you say, though, they could still carry out attacks with non-spoofed IP's.

/cah
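The point Charles and Craig are making above, shown as an added example that is not part of the original thread: an RFC 2267 style ingress filter on a customer-facing interface drops packets whose source address is not in the customer's assigned prefixes, so smurf-style spoofed traffic never leaves that edge, but traffic from compromised hosts using their real addresses passes untouched; what the filter buys you in that second case is that the source address is now trustworthy enough to trace back to an ISP and customer. All prefixes, the origin table, and the packets are constructed for the example (RFC 5737 documentation ranges), not taken from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed example: prefixes the ISP has assigned to the customer attached
# to one edge interface. Hypothetical, RFC 5737 documentation addresses.
CUSTOMER_PREFIXES = [ip_network("192.0.2.0/24")]

# Constructed lookup from prefix to (ISP, customer) that a victim's ISP could
# consult once source addresses can be believed. Hypothetical names.
ORIGIN_TABLE = {
    ip_network("192.0.2.0/24"): ("ISP-X", "customer-42"),
    ip_network("198.51.100.0/24"): ("ISP-Y", "customer-7"),
}


def ingress_permit(src: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """RFC 2267 style check: a packet arriving on a customer interface is
    forwarded only if its source address belongs to that customer's prefixes."""
    addr = ip_address(src)
    return any(addr in p for p in prefixes)


def filter_packets(packets, prefixes=CUSTOMER_PREFIXES):
    """Split (src, dst) packets into (forwarded, dropped) per ingress_permit."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if ingress_permit(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


def attribute(src: str):
    """Traceback step: map a (non-spoofed) source address to its origin ISP and
    customer, or None if the address is not in the table."""
    addr = ip_address(src)
    for net, owner in ORIGIN_TABLE.items():
        if addr in net:
            return owner
    return None


# Constructed packets as seen on the customer interface:
# smurf-style: source forged to the victim, destination a directed broadcast.
SMURF_STYLE = [("203.0.113.10", "198.51.100.255")] * 3
# DDoS-style: hacked hosts inside the customer prefix flooding the victim
# with their real source addresses.
DDOS_STYLE = [("192.0.2.5", "203.0.113.10"), ("192.0.2.77", "203.0.113.10")]

if __name__ == "__main__":
    fwd, drp = filter_packets(SMURF_STYLE + DDOS_STYLE)
    print("dropped (spoofed):", drp)
    print("forwarded (real sources):", fwd)
    for src, _ in fwd:
        print(src, "traces to", attribute(src))
```

Run as written, the three spoofed packets are dropped at the edge while both flooding packets with real sources are forwarded; the forwarded ones, however, now attribute back to ISP-X / customer-42, which is the traceback Craig describes.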
Just my $0.02... (please don't flame me saying we already have this if people would ingress filter, etc., I'm just trying to throw some "pie in the sky" so to speak) (Flames for being off-topic on nanog are, of course, welcome and expected - regardless of whether I'm off topic or not.)

A LOT of things would be easier if we could tag everything with some sort of unique origin. Yes, source address verification provides this (ingress filtering). If I could definitely say that "this attack originated on ISP x's network" or "this spam came from ISP x's customer" and so on, and I had enough information that I could hand ISP x the "session id" or something like that and they could track it back to the customer, then this would make nailing these creeps easier.

I have for a long time thought that it might be cool to do something with SMTP so that each customer authenticates to the ISP and all the ISPs authenticate to each other. That way, spam could be tracked to the definite origin ISP and the origin ISP could track it back to the customer. You could then say "I'm only going to talk to other sendmails which will identify themselves using the xxx trust protocol." That way, you can effectively guarantee that all mail can be tracked back to the source.

Some people would raise the privacy issue. First of all, you're already trusting your ISP with your privacy. The type of thing I'm suggesting is something that the public could only track back to the origin ISP and the origin ISP would have to track it to the customer, and/or make the determination whether to release the information or not or to terminate the user or not, or to do nothing or not. That way, if you're posting "anonymously" to a usenet group, your ISP might find out, but unless the ISP makes it "public" no one else could find out.

Ok, now I've really rambled on here.... Maybe one more paragraph.

I think that maybe the real thing I'm suggesting is some sort of "web of trust" kinda like the bofh (or maybe better yet usenet 2) usenet feed, where everyone in the "web of trust" has to follow the rules and if they don't they can be removed. Eventually, you can say "I'm only listening to AS's which are on the "clean list" which means they at least follow the anti-spoof provisions of the RFC." The real question would be how to get something like this going and since IANAL, whether the lawyers would have a heyday with this.

- Forrest W. Christian (forrestc@imach.com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------
At 10:18 PM 02/08/2000 -0800, Craig A. Huegen wrote:
Yes and no. The ability to track the perpetrators back to the source would be enough to scare some of these kids away. For those who weren't scared away, the resultant (and easy) traceback and subsequent arrest, conviction, and jail time would provide even more of an example.
Exactly. I think many people miss that subtle point.... - paul
participants (7): Charles Sprickman, Christian Nielsen, Craig A. Huegen, Forrest W. Christian, I Am Not An Isp, Paul Ferguson, Sam Thomas