A modest proposal

Currently, anyone can program their computer to repeatedly dial a
given business phone line and fill up a company's inbound phone lines,
making a denial of service attack. Why isn't the phone system about
to die because of it?

The phone company keeps a record of every incoming and outgoing call
on every line, and performs all sorts of analysis on time of day and
carrier, and who gets paid for it. I think that 50% of the cost of
providing phone service is the accounting and billing. However, anytime
one has a problem with obscene callers, war dialers, etc, you call
the police and bingo, the men in blue are knocking on the door of the
perpetrator. The caller could dial from a payphone, etc, but what
you've essentially done is make it more dangerous/expensive to conduct
this activity than what it is worth. People that do this sort of
activity are usually cowards, because they're not bold enough to
park a truck bomb outside the object of their hatred. Up the ante,
and they're out of the game.

I've been following some of the activity on various IP accounting
schemes and the size of those nifty matrices, but frankly, ISPs need
to spend the money to make this a reality and keep accounting data
for at least several days or a week.

Now I'm a systems guy rather than a router guy,
so I'm not going to even propose that this take place in the router
or somebody will be lecturing me about silicon switched route
processors or something similar. I used to do it with ip accounting
on a cisco and perl scripts to yank the information off. This is
still a reasonable approach for small sites. It seems to me that a
good workstation setup for accounting on the segments attached to the
interexchange points could do all of this adequately. You'd need a
good freeware software package and preferably a web interface that
could be accessed by the right people at the right time. The web
interface would take 10 times as long to write as the collection
software. Once a few of the large carriers make this a prerequisite for
peering, it would be widespread.

Tracking down hacked machines would be quicker. Sometimes you might
be able to track back to the source where you could pull the ANI
or callerid information out of the radius accounting logs and have
someone knocking on their door. You only have to do this for 1 in 10
attacks before rumors spread around the hacker community and it stops.

allan
allan@bellsouth.net
And no, I'm not volunteering for anything yet :-)

   Tracking down hacked machines would be quicker. Sometimes you might
   be able to track back to the source where you could pull the ANI
   or callerid information out of the radius accounting logs and have
   someone knocking on their door. You only have to do this for 1 in 10
   attacks before rumors spread around the hacker community and it stops.

This discussion of securing dialup servers is pointless. I guarantee
you that the 2000 packet/second SYN attacks we've been seeing are
coming from a compromised host on a high speed connection and not from
someone's 28.8k dialup connection. The hackers just take over a
machine, use it to launch their attacks, and disappear into the jungle
if we manage to find the particular machine they're using tonight.

Harden your servers, filter on all non-transit ports on your routers,
but let's let the how-to-do-filtering-on-terminal-servers discussion
die, OK?

                                        ---Rob

Robert E. Seastrom wrote:

   From: Allan Chong <allan@bellsouth.net>

   Tracking down hacked machines would be quicker. Sometimes you might
   be able to track back to the source where you could pull the ANI
   or callerid information out of the radius accounting logs and have
   someone knocking on their door. You only have to do this for 1 in 10
   attacks before rumors spread around the hacker community and it stops.

   This discussion of securing dialup servers is pointless. I guarantee
   you that the 2000 packet/second SYN attacks we've been seeing are
   coming from a compromised host on a high speed connection and not from
   someone's 28.8k dialup connection. The hackers just take over a
   machine, use it to launch their attacks, and disappear into the jungle
   if we manage to find the particular machine they're using tonight.

Yes, I realize no one is launching directly from dialup, but often,
the user is someone originally dialed up and telneted to some box
(or through multiple boxes).
Tracking the attack back to the compromised machine quickly is worth it
in my opinion. Pervasive accounting would at least allow one to
systematically track back step by step to the origination. Even then
it might be a university cluster (MIT used to give out the root
passwords to workstations since everything was kerberized), but
the cognoscenti at the university can often take care of the problem
given the motivation. Right now the problem seems to be that the
attack is totally anonymous and the methodology for tracking back to
the source is involved.

Hmmmm. If I were a hacker, I would be doing my best to make sure that
my route to the victim was taking a path through as many foreign
speaking networks as possible. You'd have to speak Swahili and
Cantonese :-)

allan
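An added illustration (not from the thread or from any poster) of the step-by-step trace-back Allan describes: walk interactive logins backwards through constructed IP-accounting records from the exchange-point segments, then resolve the last hop to a caller in a constructed RADIUS accounting log. Router names, addresses, timestamps and phone numbers are all made up, and the hop chain is assumed to consist of telnet (port 23) sessions.

```python
from datetime import datetime, timedelta

# Constructed flow-accounting records (router, start, src, dst, dport); sample
# data only.  Chain: dialup user -> shell box B -> shell box C -> victim.
FLOWS = [
    ("ixp-r1", "1996-09-20 02:14:00", "10.9.9.23", "192.0.2.10", 23),
    ("ixp-r2", "1996-09-20 02:15:30", "192.0.2.10", "198.51.100.5", 23),
    ("ixp-r3", "1996-09-20 02:17:05", "198.51.100.5", "203.0.113.7", 80),
    ("ixp-r2", "1996-09-20 01:00:00", "192.0.2.44", "198.51.100.5", 23),  # stale, unrelated
]
# Constructed RADIUS accounting (nas, start, stop, framed_ip, calling_station_id).
# The same dynamic address was handed to two different callers that night.
RADIUS = [
    ("nas1", "1996-09-20 00:30:00", "1996-09-20 01:30:00", "10.9.9.23", "5559876543"),
    ("nas1", "1996-09-20 02:10:00", "1996-09-20 02:40:00", "10.9.9.23", "5551234567"),
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def trace_back(flows, victim, attack_start, window_min=30, max_hops=10):
    """Walk telnet sessions backwards from the host hitting the victim.
    Returns [(host, time_it_was_reached), ...], nearest hop first."""
    at = _t(attack_start)
    senders = [f for f in flows if f[3] == victim and _t(f[1]) <= at]
    if not senders:
        return []
    src = max(senders, key=lambda f: f[1])          # most recent sender
    chain = [(src[2], src[1])]
    for _ in range(max_hops):
        cur, t = chain[-1][0], _t(chain[-1][1])
        lo = t - timedelta(minutes=window_min)
        # Inbound interactive logins to this host shortly before its activity.
        inbound = [f for f in flows
                   if f[3] == cur and f[4] == 23 and lo <= _t(f[1]) <= t]
        if not inbound:
            break                                   # reached the origin
        hop = max(inbound, key=lambda f: f[1])      # latest login wins
        chain.append((hop[2], hop[1]))
    return chain

def caller_for(radius, ip, when):
    """Which caller held `ip` at `when`?  The time window matters: dynamic
    addresses are recycled, so the IP alone would name the wrong person."""
    w = _t(when)
    for _, start, stop, framed, csid in radius:
        if framed == ip and _t(start) <= w <= _t(stop):
            return csid
    return None
```

The `window_min` bound is what keeps the stale 01:00 login out of the chain; with a wider window the walk would pick up unrelated sessions, which is the ambiguity Rob's reply objects to.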

   Yes, I realize no one is launching directly from dialup, but often,
   the user is someone originally dialed up and telneted to some box
   (or through multiple boxes).
   Tracking the attack back to the compromised machine quickly is worth it
   in my opinion. Pervasive accounting would at least allow one to
   systematically track back step by step to the origination.

No, pervasive accounting would only allow you to strengthen your
position once you arrived at a conclusion. It does not in any way
offer help in arriving at that conclusion.

   Even then
   it might be a university cluster (MIT used to give out the root
   passwords to workstations since everything was kerberized), but
   the cognoscenti at the university can often take care of the problem
   given the motivation. Right now the problem seems to be that the
   attack is totally anonymous and the methodology for tracking back to
   the source is involved.

Not likely to be a university cluster in my experience... some local
pranks may be launched from university clusters. Dorm rooms and
personal boxes, OTOH, seem to be a favorite for the past couple of
years; expect that one to get worse. But yes, the problem is finding
out who the perp is, not proving who the actual offender was once
you've narrowed yourself down to half a dozen possibilities and
enlisted the cooperation of their local sysadmin.

In any event, once again I exhort everyone to not waste their time
filtering the dialups. Filter your customers, filter your own
networks; if you incidentally get most of your dialup servers covered
by that umbrella, fine. If not, don't lose too much sleep over it --
if you don't believe me, just config up a linux box with the code of
your choice, and try to SYNflood someone over a dialup.

   Hmmmm. If I were a hacker, I would be doing my best to make sure that
   my route to the victim was taking a path through as many foreign
   speaking networks as possible. You'd have to speak Swahili and
   Cantonese :-)

Not worth the trouble. The far ends of the earth where not even the
network admins speak English are on the ends of wet strings; it isn't
worth the aggravation to telnet through them, and launching a
source-routed synflood through them would be self-defeating.

                                        ---Rob

If it only takes 8 SYN packets to lock up a socket for 75 seconds then
effective SYN flood attacks certainly *CAN* be launched from a dialup
connection. And if the definition of an effective attack allows for
intermittently shutting down a socket then effective attacks certainly
*CAN* be launched from places like Uruguay, Brazil, Indonesia and so forth.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

   If it only takes 8 SYN packets to lock up a socket for 75 seconds then
   effective SYN flood attacks certainly *CAN* be launched from a dialup
   connection. And if the definition of an effective attack allows for
   intermittently shutting down a socket then effective attacks certainly
   *CAN* be launched from places like Uruguay, Brazil, Indonesia and so forth.

The kids don't have this much finesse; witness the 2000 packet/sec
attacks recently seen. Look for trouble where there isn't any (yet)
after getting the current problem dealt with, eh?

                                        ---Rob