Kent,

I liked the rest of your message more than the first sentence. I agree that this will be hard to accomplish.

The key point, one that I hope everyone on the NANOG and IEPG lists take to heart, is your 200-year-old phrase that we will surely "hang together or hang separately". The Panix attack undercuts every enterprise that attempts to promise to users that they will be able to use the Internet to get their work done.

I hope that users, providers, and vendors will cooperate on moving forward on all three of:
- source address filtering near the edges of the network
- improved TCP software in the hosts
- improved technology and operational routines for tracing attacks.

If one of these three thrusts is inconvenient to your part of the Internet, don't take much comfort in assuming that the problem will be solved by everyone making dramatic progress on the other two.

-- Guy

At 01:42 PM 9/17/96 -0700, Kent W. England wrote:
At 11:02 AM 9/17/96 -0400, Guy T Almes wrote:
Nathan, I'm afraid that Kent is right about this one.
I wish that it were not so, but after reading the clever and insightful approaches to tracking down the denial-of-service perps, I am pessimistic about our ability to stay ahead in the escalation of this counter-counter-measure warfare. I think that if we were able to trace the Panix attacker that a future attacker would hit simultaneously from a half-dozen free dial-up connections with a real random number generator and synthetic SYNs to fool the router stat collector (or whatever it takes). I think we are on the short end of the technology stick here.
If the fit hits the shan and the attacks begin to escalate, we need to be ready to cooperate on source address filtering at the periphery. It's one of those cases of hang together or hang separately. Should we wait, like the cell phone industry did with the cloning fiasco, until this gives us a black eye? It's just too inviting to expect that we don't have plenty of folks out there ready to pull this trigger on us.
We need a general consensus in order for any one of us to justify the effort required to install source address filters. That means that representatives from major backbone ISPs must announce that they will install filters (not at the MAEs) in response to this new threat and that they expect that their peers will too. I'm not one of those major backbone ISP network engineers, but I would hope that for the sake of all of us, that those who are will roll their eyes heavenward, take a deep breath, and do what needs to be done. I know it's easy for me to say, but nevertheless ...
This is an excellent example of what the NANOG and IEPG are really good for.
--Kent
On a less technical note:

I think it is somewhat important to point out that one long term solution to these problems is for commercial orgs to fund, either together or alone, R&D efforts that support the reliability and robustness of their operations. Many, in the words of Roger Waters, are 'riding the gravy train' by exploiting the Internet for profit without contributing back into the community.

In short, however harsh it sounds, denial-of-service attacks are old-tech, low-tech ways to exploit TCP/IP weaknesses that have been around for a long time. How about commercial organizations (such as NANOG, CIX) expanding their charter to basic R&D into reinforcing security weaknesses within their mutual area of commercial interest? Or, as it seems, do commercial organizations just cry out for help and wait for another handout?

Sorry for the 'antisocial, un-bonding, non-obsequious, slash of cold water in the face of this thread', but another RFC, BCP, XYZ is not the answer. This is not the pre-commercial internet days, and it is past-due for commercial providers of Internet services and products to regenerate some of their profits into R&D, don't you think?

Tim
participants (2)
- Guy T Almes
- Tim Bass