Just about every night someone(s) tries to use us as the "innocent third party" in smurf attacks. Of course, we block and log all the broadcast packets. Is there any point in trying to report these attacks? Who would we report them to? We don't know what the source is, after all the address is spoofed. It seems kind of pointless to notify the victim -- they already know they have been smurfed. I want to do my part to try to stop attacks, but I'm baffled on this one. --Eric -- Eric Wieling (eric@ccti.net), Chesapeake Communications Corporation Sales: sales@ccti.net 504-585-1850, Support: support@ccti.net 504-525-5449 We have changed our name! Corporate Communications Technology is now known as Chesapeake Communications Corporation.
On Tue 20 Jan, Eric Wieling wrote:
Just about every night someone(s) tries to use us as the "innocent third party" in smurf attacks. Of course, we block and log all the broadcast packets.
Is there any point in trying to report these attacks? Who would we report them to? We don't know what the source is, after all the address is spoofed. It seems kind of pointless to notify the victim -- they already know they have been smurfed.
I want to do my part to try to stop attacks, but I'm baffled on this one.
If you can tell which interface it enters your network (and from which router if at an exchange) notify the next hop towards the source... then if they follow the same procedure eventually the culprit may be found... aid -- Adrian J Bool | mailto:aid@u-net.net Network Operations | http://www.noc.u-net.net/ U-NET Ltd, UK | tel://44.1925.484461/
At 9:45 AM -0500 1/20/98, Eric Wieling wrote: You should be able to figure out what interfaces they are coming in on. That's the first step.
Is there any point in trying to report these attacks? Who would we report them to? We don't know what the source is, after all the address is spoofed. It seems kind of pointless to notify the victim -- they already know they have been smurfed.
You report them to the FBI. See "Firewalls and Internet Security" by Cheswick and Bellovin, and "Unix System Security" by Curry. Does that help? Yes and no. There are several laws being violated, but the FBI basically isn't getting involved in the spam wars. The first violators were the anti-spammers who put in the blocking. The second violators were the spammers who use relaying to get around that. Anti-spammers are illegally intercepting (blocking) electronic communications, and reading email, and the spammers are illegally exceeding their authorization to access computers. The anti-spammers are illegally preventing access to computers and networks engaged in interstate commerce. Anti-spammers illegally exceed their authority to cancel usenet messages. Spammers try to post messages faster than they can be canceled. Electronic packet wars with each side trying to out-send the other. The FBI is aware of this. I think the FBI is reticent to get involved since there is essentially an electronic riot in progress, and they don't have the resources to arrest all the involved parties. Since no one is getting physically injured and no money is being stolen, I think they are just waiting to see what happens. Perhaps they think it will blow over. Or perhaps they just don't think it important enough to get involved in. Perhaps it's just the largest flame war in the history of the planet, and shouldn't be taken too seriously. Evidence is hard to gather and prosecute. I suppose that some on this list are ill-disposed to accept they are breaking any laws. I doubt anyone wants to argue this on this list. So I won't. But you should note that both authors also indicate that (from Cheswick and Bellovin, page 205): "Computing and electronic communications service providers are more limited in their right to monitor user activity. 
Just as the phone company personnel may not, in general, listen to your calls, employees of a public electronic mail service may not read your messages, whether in transit or stored." There will be more detailed information in our spam policy. I'm working on a spam policy which may be viewed at http://www.av8.com/spampolicy.html It includes all the laws that are being broken by all the parties. It's still a draft, but the main points are there.
I want to do my part to try to stop attacks, but I'm baffled on this one.
Here's what you can do: Get people to stop illegally blocking spam, and then get the spammers to stop illegally using relays. Once the network and online providers obey the law, you can ask the spammers to obey the law, too. It's pretty pointless to only ask one group to obey the law. It's pretty unlikely the FBI will step in to enforce the law on only one group while allowing the other group to break the law. At some point, perhaps we can take a list of violators to the FBI and ask them to restore order and enforce the laws on spammer and anti-spammer violators. --Dean ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Plain Aviation, Inc dean@av8.com LAN/WAN/UNIX/NT/TCPIP http://www.av8.com ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
At 9:45 AM -0500 1/20/98, Eric Wieling wrote:
You should be able to figure out what interfaces they are coming in on. That's the first step.
Is there any point in trying to report these attacks? Who would we report them to? We don't know what the source is, after all the address is spoofed. It seems kind of pointless to notify the victim -- they already know they have been smurfed.
You report them to the FBI. See "Firewalls and Internet Security" by Cheswick and Bellovin, and "Unix System Security" by Curry.
Why not spend the time securing the system instead? [ snip ]
I suppose that some on this list are ill-disposed to accept they are breaking any laws. I doubt anyone wants to argue this on this list. So I won't.
Thanks. There are already plenty of places to troll, but please, not here.
At 7:03 PM -0500 1/20/98, Dean Anderson wrote:
You report them to the FBI. See "Firewalls and Internet Security" by Cheswick and Bellovin, and "Unix System Security" by Curry.
Does that help? Yes and no. There are several laws being violated, but the FBI basically isn't getting involved in the spam wars. The first violators were the anti-spammers who put in the blocking. The second violators were the spammers who use relaying to get around that. Anti-spammers are illegally intercepting (blocking) electronic communications, and reading email, and the spammers are illegally exceeding their authorization to access computers. The anti-spammers are illegally preventing access to computers and networks engaged in interstate commerce. Anti-spammers illegally exceed their authority to cancel usenet messages. Spammers try to post messages faster than they can be canceled. Electronic packet wars with each side trying to out-send the other.
I'm not sure what the issue of spammers vs. anti-spammers has to do with the general case of smurf attacks. While I'm sure that some subset of the smurf attacks that take place may have something to do with this "conflict", there's no reason to believe that smurf attacks generally have anything to do with spam-blocks or spam relays.
But you should note that both authors also indicate that (from Cheswick and Bellovin, page 205): "Computing and electronic communications service providers are more limited in their right to monitor user activity. Just as the phone company personnel may not, in general, listen to your calls, employees of a public electronic mail service may not read your messages, whether in transit or stored." There will be more detailed information in our spam policy.
None of the commentary regarding spam blocks being an illegal "interception" of electronic communication is borne out by recent case law. Both AOL and CompuServe have won cases that essentially bear out their right to block e-mail from certain sources at their discretion. There are a wide variety of legal arguments that could be made here, but the current state of the law seems to bear no resemblance to the picture that Mr. Anderson is trying to paint above. Back to the original question posed by Eric Wieling:
Is there any point in trying to report these attacks? Who would we report them to? We don't know what the source is, after all the address is spoofed. It seems kind of pointless to notify the victim -- they already know they have been smurfed.
As others have pointed out, identifying the interface the packets are coming in from would allow you to start the tracing process. (Okay, blatant generalizing now. I realize there are exceptions...) However, based on my experience with the providers we buy transit from, I have a feeling you wouldn't get much of a response from most of the people you get on the phone. There doesn't seem to be much incentive for a NOC to track a smurf attack that is simply passing through their network, and NOC security teams seem generally unwilling to spend time on issues that aren't affecting them. Jordyn |----------------------------------------------------------------| |Jordyn A. Buchanan mailto:jordyn@bestweb.net | |Bestweb Corporation http://www.bestweb.net | |Senior System Administrator +1.914.271.4500 | |----------------------------------------------------------------|
On Tue, 20 Jan 1998, Dean Anderson wrote:
Here's what you can do:
Get people to stop illegally blocking spam, and then get the spammers to stop illegally using relays. Once the network and online providers obey the law, you can ask the spammers to obey the law, too. It's pretty pointless to only ask one group to obey the law. It's pretty unlikely the FBI will step in to enforce the law on only one group while allowing the other group to break the law.
Am I missing something here? Since when was a law passed making it illegal to block spam? Or is this wishful thinking on Dean's part? David
all the involved parties. Since no one is getting physically injured and no money is being stolen, I think they are just waiting to see what
Who says no money is being stolen? Every time a UCE is delivered to my server, someone out there has stolen resources from me. Resources *are* money. Every time a network is smurfed, network resources have been stolen. It's just like as if someone out there set up an auto-dialer to tie up a business's fax machine, or busy up all their lines.
But you should note that both authors also indicate that (from Cheswick and Bellovin, page 205): "Computing and electronic communications service providers are more limited in their right to monitor user activity. Just as the phone company personnel may not, in general, listen to your calls, employees of a public electronic mail service may not read your messages, whether in transit or stored." There will be more detailed information in our spam policy.
Yes, but if the phone company wishes, they may decide to block certain "rogue" exchanges from reaching their network. I know of no such cases because you have to be a licensed CLEC, and the Internet has no such equivalent. But I have a real hard time swallowing the idea that use of the RBL (for example) might be considered illegal.
Get people to stop illegally blocking spam,
Not a bloody chance. I block 500 spams every 24 hours at the system level (procmail based filtering) and I don't even know how many more at the IP level so it never makes it to my mail server. I have a right to protect my business from those who wish to steal resources from it without paying. But, believe me, I (as would most others) like nothing more than to be able to turn off all my filtering.
and then get the spammers to stop illegally using relays.
Relays aren't the only problem. The problem is that SPAM is an acceptable form of advertising in the eyes of the US Government (and others). Much of the spam we receive comes from hotmail, msn, ATT worldnet dialups, etc. It's not sent through a relay, but sent through the original dynamically assigned IP. Spam software gets smarter all the time. As it's been pointed out several times, including the last NANOG, there are no technical means available to eliminate SPAM, only reduce it.
Once the network and online providers obey the law, you can ask the spammers to obey the law, too.
That's a pretty interesting comment. How many spammers have you interviewed that support this theory? Dave -- Dave Siegel dave@rtd.net Network Engineer dave@pager.rtd.com (alpha pager) (520)579-0450 (home office) http://www.rtd.com/~dsiegel/
The key point that many missed is that because the FBI is overloaded with complaints like this, legitimate DoS attacks go uninvestigated and unprosecuted. Normally, Eric (the original poster of the smurfing problem), would go to the FBI for help in tracking down and prosecuting the perpetrator. But some have noticed lately that they aren't getting much help in DoS cases. I'm just explaining why. Further, I hope it should be clear that spam non-combatants have to get involved to stop the chaos, and enforce federal laws on spammers and anti-spammers, or suffer further lack of police response on real crimes. We are the ones who are damaged, when real crimes against us aren't prosecuted and real criminals aren't punished. That's what spam has to do with smurfing.
all the involved parties. Since no one is getting physically injured and no money is being stolen, I think they are just waiting to see what
Who says no money is being stolen?
Every time a UCE is delivered to my server, someone out there has stolen resources from me. Resources *are* money.
They are resources you have sold to your customers. You can't snoop what your customers do with the resources. If you doubt this, read first my spampolicy, then buy "Firewalls and Internet Security", and "Unix System Security", read what they say, and then discuss the laws with your lawyer.
Every time a network is smurfed, network resources have been stolen.
It's just like as if someone out there set up an auto-dialer to tie up a business's fax machine, or busy up all their lines.
Intent is a key issue. If they are doing it to deny services, they are breaking the law. If you have a ton of users all trying to dial in, they are not breaking the law; you sold them accounts. People actually trying to sell products via email are not trying to deny services. They are not breaking the law, at least, not by existing. But the FBI is swamped with these sort of complaints. They aren't buying them. And they are overlooking legitimate complaints because of it.
Relays aren't the only problem. The problem is that SPAM is an acceptable form of advertising in the eyes of the US Government (and others).
That's a political issue. Good luck, and have fun storming the castle. But when you take the step from advocacy to actions you are violating the law in almost every case. You can advocate anything, but you can't go tearing down buildings, or in this case, intercepting communications. Even if anti-spam laws are passed, you won't be able to monitor packets or users to detect violations of the law, any more than the phone company can listen in on your calls to make sure you aren't placing illegal bets. --Dean ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Plain Aviation, Inc dean@av8.com LAN/WAN/UNIX/NT/TCPIP http://www.av8.com ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On Wed, Jan 21, 1998 at 01:49:45PM -0500, Dean Anderson wrote:
But when you take the step from advocacy to actions you are violating the law in almost every case. You can advocate anything, but you can't go tearing down buildings, or in this case, intercepting communications.
Even if anti-spam laws are passed, you won't be able to monitor packets or users to detect violations of the law, any more than the phone company can listen in on your calls to make sure you aren't placing illegal bets.
Ok, but some case I just saw mentioned somewhere drew a line between people looking at things, and programs processing them automatically, placing the former in the category of editorial control, but not the latter. Don't remember the context, think it was Usenet. Presumably, if that legal theory held, it could be applied to spaminators, as well. No? Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby, Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
Jay R. Ashworth wrote:
Ok, but some case I just saw mentioned somewhere drew a line between people looking at things, and programs processing them automatically, placing the former in the category of editorial control, but not the latter. Don't remember the context, think it was Usenet. Presumably, if that legal theory held, it could be applied to spaminators, as well.
It was the data tap that the government did on the Argentinian cracker last year. Their program output data only when the keywords were present and even then it was only n characters before and after the keyword. -- "Gas, grass, or ass, nobody rides for free."
On Wed, Jan 21, 1998 at 12:09:06PM -0800, ^Faust^ wrote:
Jay R. Ashworth wrote:
Ok, but some case I just saw mentioned somewhere drew a line between people looking at things, and programs processing them automatically, placing the former in the category of editorial control, but not the latter. Don't remember the context, think it was Usenet. Presumably, if that legal theory held, it could be applied to spaminators, as well.
It was the data tap that the government did on the Argentinian cracker last year. Their program output data only when the keywords were present and even then it was only n characters before and after the keyword.
No, as Dean correctly pointed out to me just now, it was the Intellectual Property rights vs. web caching discussion right here, last week. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby, Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
On Wed, 21 Jan 1998, Jay R. Ashworth wrote:
On Wed, Jan 21, 1998 at 01:49:45PM -0500, Dean Anderson wrote:
But when you take the step from advocacy to actions you are violating the law in almost every case. You can advocate anything, but you can't go tearing down buildings, or in this case, intercepting communications.
If someone is stealing long distance services from AT&T are they prohibited from tracking/tracing/blocking the activity? Some spammers argue that their recipients buy flat-rate services and not bandwidth by the bit. Does that mean that someone stealing long distance can argue that it isn't really stealing because it doesn't cost AT&T for the services the thief steals? We are talking apples and apples here: electronic services/resources. Stealing is taking or using something without the owner (the person who paid for it) giving permission, even if the owner will later resell those services to a customer. If I buy a box of cornflakes to resell later, the fact that I will resell it doesn't mean you can take content out of the box before the customer receives it, esp when the customer will come back to me asking where the rest of the cornflakes are. Substitute bandwidth for cornflakes. If the spammer takes away bandwidth which would go to the customer, services have been stolen. With the use of frame relay clouds w/CIR's spam or smurf could definitely impact on response time etc. - James D. Wilson netsurf@sersol.com
Dave Siegel writes...
Every time a UCE is delivered to my server, someone out there has stolen resources from me. Resources *are* money.
Every time a network is smurfed, network resources have been stolen.
And just because you have not secured against it doesn't mean it is any less of a theft. Case law already exists that holds that a theft is still a theft even if the house was unlocked. The ordinary person would not assume it to be right to take something just because it happens to be easy to do so. Spam is probably more equivalent to shoplifting than it is to burglary; just as illegal.
Relays aren't the only problem. The problem is that SPAM is an acceptable form of advertising in the eyes of the US Government (and others). Much of the spam we receive comes from hotmail, msn, ATT worldnet dialups, etc. It's not sent through a relay, but sent through the original dynamically assigned IP. Spam software gets smarter all the time.
And all of it through the SMTP server for that dialup? Wow! It must be horrendously clogged up.
As it's been pointed out several times, including the last NANOG, there are no technical means available to eliminate SPAM, only reduce it.
A vision hit me of that little game with the heads popping up at random and the kid with the big plastic hammer pounding them back down. -- Phil Howard | eat2this@no35ads5.net crash741@no44ads3.com a7b1c7d3@no2where.org phil | eat14me3@anyplace.com stop3it4@anyplace.net stop9034@dumbads3.com at | stop3270@spammer1.com eat85me0@dumbads1.net ads1suck@dumbads4.edu milepost | eat97me0@noplace7.net stop9it7@dumbads3.org no95ads8@nowhere2.com dot | no4spam4@noplace4.edu w3x8y7z2@s2p5a6m6.edu stop8157@anyplace.edu com | stop4ads@no01ads9.com eat4this@no4where.org no32ads6@lame1ads.net
Dean Anderson <dean@av8.com> writes:
<snip> There are several laws being violated, but the FBI basically isn't getting involved in the spam wars. The first violators were the anti-spammers who put in the blocking. The second violators were the spammers who use relaying to get around that. Anti-spammers are illegally intercepting (blocking) electronic communications, and reading email, and the spammers are illegally exceeding their authorization to access computers. The anti-spammers are illegally preventing access to computers and networks engaged in interstate commerce. Anti-spammers illegally exceed their authority to cancel usenet messages.
It's bad enough that we have to put up with non-operational banter on the NANOG list, but having to deal with morons is particularly offensive. The court has already upheld the right of ISPs to block spam, and the right of ISPs to sue spammers on behalf of their subscribers. The following is an excerpt from a case on the ACLU's web site at http://www.aclu.org/issues/cyber/updates/nov13clu.html : "A District Court in Pennsylvania has ruled that AOL is not a state actor subject to the First Amendment, and therefore can block unsolicited commercial e-mail (spam). ... Judge Weiner found that there were no disputes over the facts of the case, and issued a summary judgment opinion. He held that AOL is not a state actor, and is not working in conjunction with the government. As a wholly private actor, AOL is not required to open its network to Cyberpromo, and is therefore within its rights to block e-mail from the Cyberpromo's domains." If you really think spam does not hurt anybody, try explaining to your 10 year old daughter why she keeps getting email for "hot pussy sites" in her mail box -- this is something that a child should never have to deal with. For this reason, US Net provides one of the largest anti-spam filter lists on the Internet, and we gladly help other ISPs in tightening their mail systems down so they can eliminate nearly all spam coming to their site. Our list is available via email auto responder at spamlist@us.net -- over 700 ISPs pull this list regularly to block spam. Filters can not stop all spam, but they can have a dramatic impact on the amount of spam that actually gets through to your site. While Paul's BGP feed is excellent for blocking spam, we can not use it because our customers demand being able to get to the "entire Internet". Instead, we use filters to block mail coming to dial-up customers, and we provide information and tools to help our network customers kill spam on their own mail servers. 
We are working hard to make the Internet a *much* smaller place for spammers ... Dave Stoddard US Net Incorporated 301-572-5926 dgs@us.net
On Wed, Jan 21, 1998 at 05:38:10PM -0500, Dave Stoddard wrote:
It's bad enough that we have to put up with non-operational banter on the NANOG list, but having to deal with morons is particularly offensive
I believe you'll find, Dave, that this directly violates this list's charter. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby, Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
Yo Jay! On Wed, 21 Jan 1998, Jay R. Ashworth wrote:
On Wed, Jan 21, 1998 at 05:38:10PM -0500, Dave Stoddard wrote:
It's bad enough that we have to put up with non-operational banter on the NANOG list, but having to deal with morons is particularly offensive
I believe you'll find, Dave, that this directly violates this list's charter.
I agree. Dealing with morons IS against the charter. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 2680 Bayshore Pkwy, #202 Mountain View, CA 94043-1009 gem@rellim.com Tel:+1(650)964-1186 Fax:+1(650)964-1176
To reiterate my original position from an end-user perspective. I do not want to purchase services from an ISP that disallows me freedom of choice to solicit those businesses that I want to deal with. I do not care for sex spams or market driven Microsoft email or basic solicitations that do not interest me personally or professionally. "That protects my right of choice." I believe that ISP in conjunction with the NSP has the right to limit bandwidth in my interest as a consumer of services from forced market techniques, especially the ones that commit criminal activity in the process of spamming. If such businesses must exist then let it be on an e-commerce network that is private and does not invade mainstream networks and email systems. If they can not live with that, then outright refuse service like any private business has the right to do. Henry R. Linneweh
Dave Stoddard wrote:
Dean Anderson <dean@av8.com> writes:
<snip> There are several laws being violated, but the FBI basically isn't getting involved in the spam wars. The first violators were the anti-spammers who put in the blocking. The second violators were the spammers who use relaying to get around that. Anti-spammers are illegally intercepting (blocking) electronic communications, and reading email, and the spammers are illegally exceeding their authorization to access computers. The anti-spammers are illegally preventing access to computers and networks engaged in interstate commerce. Anti-spammers illegally exceed their authority to cancel usenet messages.
It's bad enough that we have to put up with non-operational banter on the NANOG list, but having to deal with morons is particularly offensive. The court has already upheld the right of ISPs to block spam, and the right of ISPs to sue spammers on behalf of their subscribers.
The following is an excerpt from a case on the ACLU's web site at http://www.aclu.org/issues/cyber/updates/nov13clu.html :
"A District Court in Pennsylvania has ruled that AOL is not a state actor subject to the First Amendment, and therefore can block unsolicited commercial e-mail (spam). ... Judge Weiner found that there were no disputes over the facts of the case, and issued a summary judgment opinion. He held that AOL is not a state actor, and is not working in conjunction with the government. As a wholly private actor, AOL is not required to open its network to Cyberpromo, and is therefore within its rights to block e-mail from the Cyberpromo's domains."
If you really think spam does not hurt anybody, try explaining to your 10 year old daughter why she keeps getting email for "hot pussy sites" in her mail box -- this is something that a child should never have to deal with. For this reason, US Net provides one of the largest anti-spam filter lists on the Internet, and we gladly help other ISPs in tightening their mail systems down so they can eliminate nearly all spam coming to their site. Our list is available via email auto responder at spamlist@us.net -- over 700 ISPs pull this list regularly to block spam. Filters can not stop all spam, but they can have a dramatic impact on the amount of spam that actually gets through to your site.
While Paul's BGP feed is excellent for blocking spam, we can not use it because our customers demand being able to get to the "entire Internet". Instead, we use filters to block mail coming to dial-up customers, and we provide information and tools to help our network customers kill spam on their own mail servers. We are working hard to make the Internet a *much* smaller place for spammers ...
Dave Stoddard US Net Incorporated 301-572-5926 dgs@us.net
On Tue, Jan 20, 1998 at 07:03:42PM -0500, Dean Anderson wrote:
I'm working on a spam policy which may be viewed at http://www.av8.com/spampolicy.html It includes all the laws that are being broken by all the parties. It's still a draft, but the main points are there.
I want to do my part to try to stop attacks, but I'm baffled on this one.
Here's what you can do:
Get people to stop illegally blocking spam, and then get the spammers to stop illegally using relays.
Sysadmins have a right to make sure their systems are not compromised, and to protect the integrity of their service for their users. Period. Sorry, Dean -- and I don't want to get into a big argument here, because nanog is not the place for it -- but spam does affect the throughput of the typical ISP and it does crash servers (it did to ours).
At some point, perhaps we can take a list of violators to the FBI and ask them to restore order and enforce the laws on spammer and anti-spammer violators.
ISP's are private companies and the servers are their property. If the ISP makes known when the user signs up that spam is being blocked, and the user acknowledges that and signs up anyway, I can't see how anyone's rights are being violated. -- Steve Sobol - sjsobol@nacs.net NACS FAQ: http://www.nacs.net/support/faq Maintainer of the NACS.NET Tech Support Site at http://www.nacs.net/support DNS guy, Postmaster, "Web Dude", and AUP Person/Spaminator (T.I.N.C.) 128K ISDN. Flat rate. $37.50 per month. You know you want it, so why don't you call me? 216 619-2000, 1-888-273-NACS. "Operators are standing by!" :)
On Tue, 20 Jan 1998, Eric Wieling wrote: ==>Is there any point in trying to report these attacks? Who would we ==>report them to? We don't know what the source is, after all the ==>address is spoofed. It seems kind of pointless to notify the victim ==>-- they already know they have been smurfed. Most providers are relatively helpful if they're attacks. They will generally work to help resolve it, or at least will place filters in place to help you out. It's quite unfortunate that I had to find a tier 1 not willing to help with the smurf situation at all lately. An ISP that I do consulting for was being attacked via their connection to this provider. When their provider was called, they said they couldn't trace anything unless the FBI was involved, and that they couldn't put a filter in place. So, basically this ISP's connection to the provider was disabled. After the owner of this ISP argued with this provider's NOC for 12 hours, this provider sent mail back, claiming it wasn't a smurf because they looked at the traffic on the circuit. If anyone should recognize a smurf, I think I would. I told this provider it *was* a smurf, and that if they weren't predisposed with trying to do absolutely nothing about it, they would have seen it. After I told them about my smurf paper, http://www.quadrunner.com/~chuegen/smurf.txt they were quick to tell me (against their supposed "policy") that they are indeed willing to filter for a customer, and that they will trace attacks if necessary. This is interesting, because I sat on a conference call with representatives from this provider along with others, the FBI, and CERT on how we can have better cooperation between providers and track these guys. This provider claimed their NOC was willing to deal with this. It was a very disappointing e-mail thread. As a plea to all you providers out there: the 'smurf' attack hurts the smaller providers. It hurts their business. 
Please vow to use tools like DoStracker and anything else you may be able to in order to trace this down. Get your NOC operations folks involved--pass out the smurf paper to educate customers and tell them what you can and can not do. /cah
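The first tracing step suggested several times in this thread (work out which interface the broadcast packets arrive on, then notify the next hop towards the source) can be run over the block log that Eric already keeps. The following is an added example, not code from any poster; the log layout, the interface names and the documentation-range addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the subnets behind our border router (documentation prefixes).
LOCAL_SUBNETS = [ipaddress.ip_network(n)
                 for n in ("198.51.100.0/25", "198.51.100.128/25")]

# Constructed sample of border-filter log lines. The key=value layout is
# hypothetical, not any particular router's format.
SAMPLE_LOG = """\
1998-01-20T02:14:07 in=Serial0 proto=icmp type=8 src=192.0.2.10 dst=198.51.100.255
1998-01-20T02:14:07 in=Serial0 proto=icmp type=8 src=192.0.2.10 dst=198.51.100.127
1998-01-20T02:14:08 in=Serial0 proto=icmp type=8 src=192.0.2.10 dst=198.51.100.128
1998-01-20T02:14:09 in=Serial1 proto=icmp type=8 src=203.0.113.77 dst=198.51.100.255
1998-01-20T02:15:30 in=Serial1 proto=icmp type=8 src=203.0.113.5 dst=198.51.100.20
1998-01-20T02:16:02 in=Serial0 proto=udp type=- src=192.0.2.99 dst=198.51.100.255
1998-01-20T02:17:45 in=Serial0 proto=icmp type=8 src=192.0.2.10 dst=198.51.100.255
this line is truncated in=Serial0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) in=(?P<iface>\S+) proto=(?P<proto>\S+) "
    r"type=(?P<type>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def broadcast_targets(subnets):
    """Return the addresses that fan out to every host on each subnet."""
    targets = set()
    for net in subnets:
        targets.add(net.broadcast_address)
        # The all-zeros host address is treated as broadcast by some old stacks.
        targets.add(net.network_address)
    return targets


def is_smurf_probe(rec, targets):
    """True for an ICMP echo request (type 8) aimed at one of our broadcasts."""
    if rec["proto"] != "icmp" or rec["type"] != "8":
        return False
    try:
        return ipaddress.ip_address(rec["dst"]) in targets
    except ValueError:
        return False  # malformed destination field


def summarize(log_text, subnets=LOCAL_SUBNETS):
    """Group smurf probes by ingress interface.

    Returns (report, skipped): report maps interface name to packet count,
    the set of spoofed sources (the victims) and the first and last
    timestamps; skipped counts lines that could not be parsed.
    """
    targets = broadcast_targets(subnets)
    report = defaultdict(
        lambda: {"packets": 0, "victims": set(), "first": None, "last": None})
    skipped = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        if not is_smurf_probe(rec, targets):
            continue
        entry = report[rec["iface"]]
        entry["packets"] += 1
        entry["victims"].add(rec["src"])
        # ISO 8601 timestamps of equal precision sort correctly as strings.
        ts = rec["ts"]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(report), skipped


def format_notice(iface, entry):
    """Text for the NOC of the neighbour reached through this interface."""
    victims = ", ".join(sorted(entry["victims"]))
    return (f"ICMP echo requests to our broadcast addresses arrived on {iface}: "
            f"{entry['packets']} packets between {entry['first']} and "
            f"{entry['last']}. The source address is spoofed and belongs to "
            f"the victim: {victims}. Please trace the ingress on your side "
            f"and pass this on to your next hop.")


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG)
    for iface in sorted(report):
        print(format_notice(iface, report[iface]))
    print(f"unparsed lines: {skipped}")
```

The per-interface grouping is the part that matters: the source field names the victim, so only the ingress interface says which neighbour to contact.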
participants (16)
- ^Faust^
- Adrian Bool
- Craig A. Huegen
- Dave Siegel
- Dave Stoddard
- Dean Anderson
- Eric Wieling
- Gary E. Miller
- Henry Linneweh
- Jay R. Ashworth
- Jordyn A. Buchanan
- M. David Leonard
- Martin Hannigan
- NetSurfer
- Phil Howard
- Steve Sobol