On Mon, 8 Jul 1996, Daniel W. McRobb wrote:
The problem is not really a technical one. It's administrative. It's much more of a headache to backtrack through 30 routers that aren't in your own network than to backtrack to the ingress to your own network domain and filter it out there (which is the typical response to this kind of thing). Getting everyone in the path to cooperate with backtracking is difficult in many instances, impossible in others.
I recall that people have cooperated in the past on some sort of performance analysis tool that transported packets through a tunnel to some remote point and initiated an analysis of some sort from that point. I believe this was done by NLANR and had something to do with vBNS.
I don't think this is all that different. If some means existed for an NSP to initiate a trace on a specific source address to backtrack it to the real source then an easy to use tool could be built. Of course, first of all router vendors need to make a quick and relatively painless way to track down the interface that a packet comes in from, maybe
There will likely never be a means for a single NSP to track down the real source of spoofed packets using IPv4. Service providers won't be letting other service providers track spoofed packets through their network.
set icmp-source-trace 148.32.45.67 on
and later....
show icmp-source-trace
IP address      Interface
----------      ---------
148.32.45.67    NO TRACE
Note that the source trace was active for a period of time and then expired automatically with no new ICMP packets bearing the specified source address in that period of time. If this facility is available an easy to use tool could be built.
In the case of a spoofed-source denial-of-service attack, the source address is often of less use than the destination address/port/protocol in tracking down the real source. The attacker just switches the source address and walks right through your trace (or filters). Don't get me wrong; I think packet sniffing capabilities (even in their simplest forms) can be very useful and I wish there were more facilities in typical routers for tracking traffic via IP header information.
That doesn't even take into account the cases where an attacker has multiple paths into your network and is using multiple forged source addresses, much less the fact that the attacker can turn off the attack when he/she chooses, thwarting your effort to track them.
No doubt about it. Being a detective is hard, boring, plodding work and sometimes you just never find the crook. But it's still worth trying.
Define worth. I live in a capitalist society where catching a criminal is of little worth (particularly an ICMP bomber who's arguably not much worse than a USENET spammer) in its own right and often only worthwhile if there's monetary compensation involved (either from a legal settlement, reward or just recovery of service and time spent fixing things that are broken by an attacker). :-)

Daniel
~~~~~~
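The "icmp-source-trace" facility sketched above, as an added toy model (not code from the thread or from any router vendor): a trace entry matches packets on one header field, records the ingress interface of each match and expires after a quiet period. It is keyed on destination as well as source to illustrate the rebuttal that a rotating forged source walks past a source-keyed trace; the packet records, interface names and timeout are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Trace:
    """One entry of a toy 'icmp-source-trace' table: match packets on a
    header field, remember the ingress interface of each match, expire
    after `timeout` seconds without a match (constructed model)."""
    key: str              # header field to match: "src", "dst" or "proto"
    value: object         # value that field must equal
    timeout: float        # seconds of silence after which the trace expires
    last_hit: float = -1.0
    hits: Counter = field(default_factory=Counter)   # ingress iface -> count

    def expired(self, now: float) -> bool:
        return self.last_hit >= 0 and now - self.last_hit > self.timeout

    def observe(self, pkt: dict, now: float) -> bool:
        """Feed one packet header; True if it matched and was recorded."""
        if self.expired(now) or pkt.get(self.key) != self.value:
            return False
        self.hits[pkt["ifindex"]] += 1
        self.last_hit = now
        return True

    def show(self, now: float) -> str:
        """Render the 'show icmp-source-trace' line for this entry."""
        if self.last_hit < 0 or self.expired(now):
            return f"{self.value:<16} NO TRACE"
        iface, n = self.hits.most_common(1)[0]
        return f"{self.value:<16} {iface} ({n} pkts)"


# Constructed flood: the forged source rotates, but destination and
# protocol (1 = ICMP) stay fixed, and everything enters on Serial3.
FLOOD = [
    {"t": 0.0, "src": "148.32.45.67", "dst": "10.0.0.5", "proto": 1, "ifindex": "Serial3"},
    {"t": 0.5, "src": "148.32.45.67", "dst": "10.0.0.5", "proto": 1, "ifindex": "Serial3"},
    {"t": 1.0, "src": "192.0.2.9", "dst": "10.0.0.5", "proto": 1, "ifindex": "Serial3"},
    {"t": 1.5, "src": "203.0.113.4", "dst": "10.0.0.5", "proto": 1, "ifindex": "Serial3"},
    {"t": 2.0, "src": "198.51.100.1", "dst": "10.0.0.5", "proto": 1, "ifindex": "Serial3"},
    {"t": 2.0, "src": "10.1.1.1", "dst": "10.0.0.9", "proto": 6, "ifindex": "Ethernet0"},
]


def run(trace: Trace, pkts=FLOOD, later: float = 60.0):
    """Replay pkts through trace; returns (matches, show now, show later)."""
    matched = sum(trace.observe(p, p["t"]) for p in pkts)
    end = pkts[-1]["t"]
    return matched, trace.show(end), trace.show(end + later)
```

With a one-second timeout the source-keyed trace has already read "NO TRACE" by the time the flood ends, while the destination-keyed trace still attributes all five flood packets to Serial3; a minute later both have expired.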
On Tue, 9 Jul 1996, Daniel W. McRobb wrote:
There will likely never be a means for a single NSP to track down the real source of spoofed packets using IPv4. Service providers won't be letting other service providers track spoofed packets through their network.
Why not? Don't telcos do this? Or if your answer is that telcos only do it for the police and not for each other, then my question would be why can't we form an Internet equivalent, maybe affiliated with something like CERT, that can make these requests and with whom NSPs would cooperate.

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com
Michael Dillon writes:
On Tue, 9 Jul 1996, Daniel W. McRobb wrote:
There will likely never be a means for a single NSP to track down the real source of spoofed packets using IPv4. Service providers won't be letting other service providers track spoofed packets through their network.
Why not? Don't telcos do this? Or if your answer is that telcos only do it for the police and not for each other, then my question would be why can't we form an Internet equivalent, maybe affiliated with something like CERT, that can make these requests and with whom NSPs would cooperate.
What sort of incentive or penalty do you think would enable this cooperation?

Nevin
--
-Nevin Williams
ANS Network Operations
On Tue, 9 Jul 1996, Nevin Williams wrote:
Why not? Don't telcos do this? Or if your answer is that telcos only do it for the police and not for each other, then my question would be why can't we form an Internet equivalent, maybe affiliated with something like CERT, that can make these requests and with whom NSPs would cooperate.
What sort of incentive or penalty do you think would enable this cooperation?
Screwed up networks give the whole industry a bad name. It is in everyone's economic best interests to make the network operate fast and reliably.

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com
Michael,

IMHO, there are two separate issues here.

- better tools would be nice. Although I think tracking packets would be too CPU intensive for today's routers I do think having such a feature would be a good thing. The RAM/ROM to hold the extra microcode is cheap, and if it can be turned off/on at will I see no harm in having it. When someone will have time to add the code is a separate issue.

- why can't my [NSP | TelCo | GME (Godlike Monolithic Entity)] provide me with data on who is spamming my net. I think that is a separate issue. The TELCOs have an advantage here in that it is MUCH harder to fake caller ID than to fake ICMP headers. I would be willing to bet that if someone who really knew their way around the SS7 network decided to make your life difficult Ma Bell would have a hell of a hard time tracking them down. Most of the TELCO switchmen I have dealt with could not trace a phone call with any reliability.

At this point it requires a fair amount of time, from a fair amount of talented people to track this stuff down. In all the cases I dealt with, people from many service providers were very cooperative if the denial of service attack was in progress. After the fact people seemed to expend effort to the extent they felt they could help. Which for most people is 0 (after the fact it is pretty hard to say who denied what to whom with any certainty). This is the way it is, but not the way it must always be. Feel free to talk to the router vendor of choice and explain to them that this functionality is important to you.

In the mean time, I hope you will excuse me while I go off and cope with my own problems. I honestly wish you the best of luck in your endeavors,

G'night
Larry Plato