Some of you may find http://grc.com/dos/grcdos.htm
very interesting.
Sean.
This presses the issue of spoof filtering even harder.
Question is, how do we solve all this. One measure could be something I
have tried to press since 1996 or so, but I do not know how to implement
it and nobody else seems to be interested in it:
Unique identification of users.
Let's say we can set some kind of nameserver record in the in-addr.arpa
zone pointing to some kind of standardised ident server (or
ident-equivalent) for a certain IP. This way ISPs could build systems that
can provide some kind of unique identifier that could be used for logging
accesses from an IP. In retrospect this identifier could be used when
reporting issues to an ISP to speed up their work of identifying the
physical connection the access was initiated from. Same thing could be
used by a NAT or PAT device to provide some kind of tracking as to what
internal (hidden) IP was actually doing the access through the NAT/PAT
device.
ISPs could then presumably make some kind of system so you could email a
certain address with the unique identifier in the subject or TO: line and
this email would be forwarded to the user in question (or to the admin of
the site if it's a corporate site). Yes, spam would have to be dealt with,
but I'm sure it's doable.
This in combination with spoof filtering should make all our work a little
easier, right? Any takers?
Earlier, I proposed that terminal servers could intercept the standard port 113
identd requests sent to a certain IP and answer them themselves (since the
device presumably has login information about users on its ports), but I
got no response to that either, a couple of years back.
Although this is a nice idea, it will fail. The reason is very simple. If
you(1) can track me when I hack your machine, you(2) can also track me
when I look at your network banners. Users will flock to the ISP that
won't let you(3).
Cheers,
Pi
(1) The network operator
(2) The doubleclick.net cockroach
(3) Either, since nobody can tell in advance whether you're (1) or (2).
Let's change the unique identifier once a week then. As long as the ISP
can use it to identify you, it doesn't have to be the same for eternity.
What I'm trying to accomplish here is the same thing as the ISPs do by
getting the IP and the time, and then looking through their logs to see who
was on.
I already know several ISPs that mark port-switch-router.town.ispname.tld,
for this same reason. Are you saying this is a better approach when it
comes to privacy?
I'm trying to solve the accountability issue without compromising privacy.
There has got to be SOME way to figure this out, right? I am not the best
man to do it, but I figure that the best people on the planet to do this
should be on this list, or at least people on this list know the best
people.
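Added example, written for this thread and not code from any poster or product: a NAT/PAT box answering ident (RFC 1413) queries the way Mikael sketches above, handing out an opaque per-host identifier that changes once a week, plus the lookup the NAT admin or ISP would run when a complaint arrives with that identifier in it. The PAT table, the master secret, the token construction (HMAC of the internal address under a weekly key) and the "OTHER" opsys field are all assumptions; the proposal in the thread does not say how the identifier should be built.

```python
"""
NAT device answering RFC 1413 ident queries with a weekly-rotating,
per-internal-host identifier. Added example for this thread; the NAT
table, secret and token format are constructed assumptions.
"""
import hmac
import hashlib
import datetime

# Constructed PAT table: (public_port, remote_ip, remote_port) -> internal_ip.
# On a real box this is the live translation table.
NAT_TABLE = {
    (40001, "198.18.0.1", 80): "10.0.0.23",
    (40002, "198.18.0.1", 80): "10.0.0.42",
    (40003, "198.18.0.7", 6667): "10.0.0.23",
}
MASTER_SECRET = b"constructed-example-secret"   # assumption; keep it off the box in practice

def iso_week(day):
    """(year, week) of the ISO week containing `day`."""
    year, week, _ = day.isocalendar()
    return year, week

def weekly_key(secret, year, week):
    """Key for one ISO week: Mikael's 'change the identifier once a week'."""
    return hmac.new(secret, f"{year}-W{week:02d}".encode(), hashlib.sha256).digest()

def make_token(internal_ip, key):
    """Opaque, non-reversible identifier for one internal host this week."""
    return hmac.new(key, internal_ip.encode(), hashlib.sha256).hexdigest()[:16]

def parse_query(line):
    """Parse '<server-port>,<client-port>' per RFC 1413; ints or None."""
    try:
        a, b = line.strip().split(",")
        sp, cp = int(a), int(b)
    except ValueError:
        return None
    if not (0 < sp < 65536 and 0 < cp < 65536):
        return None
    return sp, cp

def ident_response(line, remote_ip, table, key):
    """Reply the NAT sends to `remote_ip` for one ident query.

    server-port is the NAT's public port, client-port is the remote
    host's port. The pair is looked up in the PAT table and answered
    with USERID:OTHER:<token>, or with an RFC 1413 error line.
    """
    parsed = parse_query(line)
    if parsed is None:
        return "0,0:ERROR:INVALID-PORT\r\n"
    sp, cp = parsed
    internal = table.get((sp, remote_ip, cp))
    if internal is None:
        return f"{sp},{cp}:ERROR:NO-USER\r\n"
    return f"{sp},{cp}:USERID:OTHER:{make_token(internal, key)}\r\n"

def resolve_token(token, hosts, key):
    """What the NAT admin (or ISP) does with a token from an abuse
    report: recompute over the hosts they know and find the match."""
    for ip in hosts:
        if hmac.compare_digest(make_token(ip, key), token):
            return ip
    return None

if __name__ == "__main__":
    key = weekly_key(MASTER_SECRET, *iso_week(datetime.date(2001, 6, 23)))
    print(ident_response("40001,80\r\n", "198.18.0.1", NAT_TABLE, key), end="")
    print(ident_response("40003,6667\r\n", "198.18.0.7", NAT_TABLE, key), end="")
    print(ident_response("40001,80\r\n", "198.18.0.9", NAT_TABLE, key), end="")
```

The remote site only ever sees the token, so it cannot correlate a host across weeks (Pi's doubleclick objection), while the party holding the secret can still map a token from a complaint back to the internal address for the week in question.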
The rest of NANOG may, as we do, wonder why Mr. Gibson, after almost naming
us in that page (he didn't name _us_ directly, but left enough not-so-subtle
hints that both us and our users noticed us being mentioned), chose to brush
off our offers to help, claiming instead that he just wanted to move on and
forget about the whole thing. (I ought to mention that it took at least a
week to get a reply from Mr. Gibson)
We ended up concluding that Mr. Gibson's main goal is the distribution of
large quantities of FUD. It seems, I might add, that Mr. Gibson is
particularly successful at this remarkably valuable art.
Vivien
That might be so. I got this link approx 8 hours before I saw it on
NANOG-l when I was investigating just this kind of thing he's talking
about. I got in through the irc-admin perspective though, saw a couple of
clients that seemed to have things in common, sniffed some traffic, found
a channel on IRCnet that was dedicated to whatever purpose these 100 or so
clients/machines were up to. Talked to the "grand master" who approached
me when I and a fellow IRC admin started throwing off his "bots" (he
actually called them bots and then changed his mind that they were
clients).
This is a real problem. It's not FUD. Microsoft's choice to include full
IP stack capabilities will make the problem worse, but I do not blame
their IP stack for this like Mr Gibson does though.
So what do we do about it? There are tens of thousands of "0wned" machines
out there. 10,000 machines sending one SYN per second to somewhere
constitutes a 6 Mbit SYN flood that'll make almost any web server get into
trouble. 10 SYNs per second and we're really talking traffic here. From
spoofed sources because ISPs do not source address filter? Gah. Basically
untraceable.
I know a few people have been put in jail for these kinds of activities. I'd
say it's not enough though. We might blame parents, society, whatever, but
the question remains: What do we do about it?
I saw figures that there are over 9 million homes in the US with
"broadband internet access". This is going to tenfold in the next few
years; worldwide we might have a couple of hundred million computers
"always-on" in a few years. 95% (or more) of them running Microsoft OS, by
people who have no idea how to secure it etc.
What should we do?
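Added example, not from any poster: Mikael's sizing of a distributed SYN flood carried through in code, and the per-second check a web server or IDS would run to notice one and to tell whether the sources look spoofed (each source seen exactly once) or not. The frame-size assumption, the threshold and the packet records are constructed for the example.

```python
"""
Sizing and detecting a distributed SYN flood. Added example for this
thread; traffic records, victim address and thresholds are constructed.
"""
import random
from collections import defaultdict

# Assumption: 64-byte minimum Ethernet frame + 8 preamble + 12 interframe gap.
FRAME_BYTES_ON_WIRE = 84

def syn_flood_mbps(hosts, syn_per_sec_per_host, frame_bytes=FRAME_BYTES_ON_WIRE):
    """Link load of a SYN flood in Mbit/s (Mikael's 10,000 x 1 SYN/s case)."""
    return hosts * syn_per_sec_per_host * frame_bytes * 8 / 1_000_000

def detect_syn_floods(records, threshold, spoof_ratio=0.9):
    """Scan (second, src, dst, flags) records and flag flood seconds.

    A (second, dst) bucket is flagged when the number of bare SYNs
    (SYN set, ACK clear) reaches `threshold`. The alert also says how
    many distinct sources were seen and whether almost all of them sent
    exactly one SYN, which is what a spoofed flood looks like and why it
    is untraceable without source address filtering at the edge.
    """
    buckets = defaultdict(lambda: defaultdict(int))   # (sec, dst) -> src -> count
    for sec, src, dst, flags in records:
        if "S" in flags and "A" not in flags:
            buckets[(sec, dst)][src] += 1
    alerts = []
    for (sec, dst), per_src in sorted(buckets.items()):
        total = sum(per_src.values())
        if total < threshold:
            continue
        singletons = sum(1 for c in per_src.values() if c == 1)
        alerts.append({
            "second": sec, "dst": dst, "syns": total,
            "sources": len(per_src),
            "likely_spoofed": singletons / len(per_src) >= spoof_ratio,
        })
    return alerts

def build_sample():
    """Constructed traffic: normal handshakes plus one flood second."""
    rng = random.Random(2001)
    recs = []
    for sec in range(10):                      # three ordinary connections per second
        for i in range(3):
            client = f"192.0.2.{sec * 3 + i + 1}"
            recs.append((sec, client, "198.18.0.10", "S"))
            recs.append((sec, "198.18.0.10", client, "SA"))
            recs.append((sec, client, "198.18.0.10", "A"))
    # second 5: 200 SYNs from 200 distinct (spoofed) 10.0.0.0/8 sources
    for n in rng.sample(range(1, 2 ** 24), 200):
        src = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
        recs.append((5, src, "198.18.0.10", "S"))
    return recs

if __name__ == "__main__":
    print(f"{syn_flood_mbps(10_000, 1):.2f} Mbit/s for 10,000 hosts at 1 SYN/s")
    for alert in detect_syn_floods(build_sample(), threshold=100):
        print(alert)
```

With these assumptions 10,000 hosts at one SYN per second come out at 6.72 Mbit/s on the wire, and the same hosts at 10 SYNs per second would be an order of magnitude more, which is Mikael's point.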
Personally, I found this pretty amusing:
"As you can see from the schematic diagram above, the Verio (our ISP)
router that supplies our T1 trunks enjoys two massive 100 megabit
connections to the Internet. But from there all of the traffic bound
for us must be funnelled through our two T1 trunks."
But it's not as good as:
"were all originated from the same small IP address range
corresponding to the small ISP Genuity, BBN Planet, in Kenosha,
Wisconsin - an Earthlink reseller."
Clearly, someone has been missing out on the black rocket.
--msa
This is a real problem. It's not FUD. Microsoft's choice to include full
IP stack capabilities will make the problem worse, but I do not blame
their IP stack for this like Mr Gibson does though.
Oh, it's most certainly a real problem, but I don't agree that the changes
in Win XP will really make any difference whatsoever. With some very
trivial driver additions, raw sockets can be accessed under any previous
version of Windows, just like in XP. That's where the FUD comes in -
Gibson, it seems, is just trying to drum up support for whatever his next
big project is to magically make your computer safe.
What should we do?
Well, as has already been mentioned, somehow getting people to filter
properly could help - we got hit by a (unrelated, we think) spoofed SYN
flood a few days back. If that ISP had simply egress filtered their
traffic, that person using a single machine (only guessing here) couldn't
have sent their 200k/sec of spoofed SYN at us. I'm sure they could have
found another way, but it would have made them work a little harder, and
this type of person often doesn't want to bother with that extra little
bit of work, and would just give up.
Tim
I admit I only made it through half of this guy's page. And barring some of
the reactionary speech, I was able to pull some technical content.
My question, is this news to anyone?
The capabilities of machines will continue to improve, the capabilities of
networks will continue to improve [Moore's Law]. (Per my own rule of
internet problem solving..) IFF the problem becomes a crisis, massive action
will take place (similar to the spam problems in '97) to bring the abuse to
a manageable level. This might be egress filtering at aggregation routers. I
know most large networks use automated configuration management for their
gear, and setting ingress filters from their PPPoE, PPPoA, and dial-up pools
that only accept addresses from the likely pool of DHCP addresses wouldn't
be too hard and probably a huge first step.
I think most attacks (currently) are manageable either in their frequency or
their ability to be filtered. IRC servers are an exception, and why many
providers will not waste resources hosting small IRC servers.
If the problem becomes severe, end-user address filtering will be the
biggest single difference. One can draw examples from dialup providers (like
MSN) filtering all attempts to connect to port 25 outbound from their dialup
pool(s). And the corresponding drop in abuse, not just from them, but as a
percentage of the whole.
Spamming/attacking will then be left to the world of corporate internet
connections and university dorms the way god intended.
Deepak Jain
It's a nice story, but nothing new except XP/2000 options allowing the SRC
address to be generated.
But when (at last) it happens:
- use WFQ over all customers' links (if you have WFQ no such brute attack
succeeds; it only slows you down but does not block you);
- Cisco forces all IP fragments to be queued into a single WFQ queue and allows
filtering of the FRAGMENTS;
- any big ISP has a skilled security person available. When I worked in Russia, it
took 10 - 15 minutes to contact your ISP and install such filters; for EUnet, it
took 20 minutes; for TELIA, it was the same. For any American ISP, it took a week
(UUnet was an exception)...
- all cable providers will have src address filters, so preventing src address
forgery.
It was discussed 5 years ago; it was discussed 2 years ago; it's discussed today.
When will something change?
Alexei Roudnev
... but I do not blame their IP stack for this like Mr Gibson does though.
Same here.
... From spoofed sources because ISPs do not source address filter?
Gah. Basically untraceable.
This is the problem.
What should we do?
Recommendation: upgrade your peering requirements to include language like:
Each peer agrees to emit only IP packets with accurate
source addresses, to require their customers to do likewise,
and to extend this requirement to all other peers by $DATE.
Where DATE = (now() + '6 months') or some other negotiated value.
I've been saying this since 1993. Is anybody ready to believe me yet? We
solve this, or our industry stops growing because we're spending too much
time dealing with this problem and new customers see diminished returns.
Indeed, there have been LAN analyzers which run on all variants of Windows for a very long time. These can generate / play back traffic, using whatever source IP addresses and MAC addresses were on the original packets. Obviously, a general spoofing tool for Win95 could be written. After reading that part of the tirade, I came to the same conclusion as a previous poster... lots of FUD, and not much more.
It's been 5 years since the document now published as RFC 2827 was first a draft. Many sites do ingress or egress filtering. Many don't. Most router equipment can now handle it, according to the manufacturers. Yes, there are issues dealing with multi-homing. However, it appears many attacks still originate from single homed sites, dialup sites, cable modem attached systems, and the like. In most cases, these could be filtered. Has anyone at any of the cable modem vendors made any attempts to try ingress filtering in the cable system head-end routers? Did it work? Need help trying it out? While ingress filtering will not cure the world, it can help de-fang many attacks. Unfortunately, it requires cooperation to be effective.
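Added example, not code from any poster or vendor: a model of the source-address validation Deepak, Tim, Paul and Daniel are all asking for (RFC 2827 style), as an aggregation router would apply it: a packet is accepted only if its source address falls inside the prefixes assigned to the interface it arrived on. The interfaces, prefixes and packets are constructed; the multi-homed customer entry shows the bookkeeping cost Daniel mentions.

```python
"""
Per-interface source-address validation (RFC 2827 / BCP 38 style).
Added example for this thread; interface table and packets are constructed.
"""
import ipaddress
from collections import Counter

# Constructed assignment table: interface -> prefixes handed to the
# customers behind it (a DHCP/PPPoE pool, a cable segment, ...).
# A multi-homed customer needs every prefix it may legitimately source
# from listed here, including blocks it got from its other upstream.
ASSIGNED = {
    "dsl-pool-1": [ipaddress.ip_network("192.0.2.0/24")],
    "cable-head-end": [ipaddress.ip_network("198.51.100.0/25"),
                       ipaddress.ip_network("198.51.100.128/25")],
    "multihomed-cust": [ipaddress.ip_network("203.0.113.0/26"),
                        ipaddress.ip_network("203.0.113.64/26")],
}

def build_filter(assigned):
    """Return check(iface, src) -> 'permit' | 'deny'.

    Default-deny: an interface with no assignment passes nothing, and
    loopback/unspecified/multicast sources are dropped on any interface.
    """
    table = {iface: list(nets) for iface, nets in assigned.items()}

    def check(iface, src):
        addr = ipaddress.ip_address(src)
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            return "deny"
        for net in table.get(iface, []):
            if addr in net:
                return "permit"
        return "deny"
    return check

def apply_filter(check, packets):
    """Run the check over (iface, src, dst) triples.

    Returns (accepted, dropped, denied_per_interface); the last one is
    what tells you which customer port the spoofed traffic came in on.
    """
    accepted, dropped = [], []
    denied_by_iface = Counter()
    for iface, src, dst in packets:
        if check(iface, src) == "permit":
            accepted.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            denied_by_iface[iface] += 1
    return accepted, dropped, denied_by_iface

# Constructed sample: one DSL host spoofing random sources, mixed with
# legitimate traffic from the other interfaces.
SAMPLE_PACKETS = [
    ("dsl-pool-1", "192.0.2.17", "198.18.0.1"),         # legitimate
    ("dsl-pool-1", "10.4.4.4", "198.18.0.1"),           # spoofed
    ("dsl-pool-1", "172.217.3.9", "198.18.0.1"),        # spoofed
    ("dsl-pool-1", "192.0.2.99", "198.18.0.1"),         # spoofed, but inside the pool: passes
    ("cable-head-end", "198.51.100.200", "198.18.0.2"), # legitimate
    ("cable-head-end", "127.0.0.1", "198.18.0.2"),      # bogus
    ("multihomed-cust", "203.0.113.70", "198.18.0.3"),  # legitimate via second block
    ("unknown-iface", "192.0.2.5", "198.18.0.3"),       # no assignment: deny
]

if __name__ == "__main__":
    acc, drp, by_iface = apply_filter(build_filter(ASSIGNED), SAMPLE_PACKETS)
    print(f"accepted {len(acc)}, dropped {len(drp)}")
    for iface, n in by_iface.items():
        print(f"  {iface}: {n} spoofed/bogus packets")
```

Note the fourth packet: a source forged from inside the customer's own pool still gets through, so pool-level filtering makes the attacker traceable to a pool rather than stopping spoofing outright. That is the "de-fang many attacks, not cure the world" trade-off, and the reason per-port filtering at the terminal server or head-end is stronger than filtering at the aggregation router.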
[ On Saturday, June 23, 2001 at 20:04:06 (+0200), Mikael Abrahamsson wrote: ]
Subject: RE: DDOS anecdotes
This is a real problem. It's not FUD. Microsoft's choice to include full
IP stack capabilities will make the problem worse, but I do not blame
their IP stack for this like Mr Gibson does though.
No, their stack's not the root of the problem -- all the rest of their
OS is (and of course in particular the security model, or lack thereof).
[ On Saturday, June 23, 2001 at 15:13:34 (-0400), Daniel Senie wrote: ]
Subject: RE: DDOS anecdotes
.... Has anyone
at any of the cable modem vendors made any attempts to try ingress
filtering in the cable system head-end routers?
If I'm not mistaken Rogers@Home is blocking spoofed source addresses on
at least part of their network here in Toronto. At least the last time
my home network's routing and NAT configuration broke down I noted that
asymmetrical routing over my cable modem didn't work any more (where it
used to work in the past).
My particular cable modem is a Terayon TeraJet. I believe Rogers have
implemented their filtering in the head-end gear, but maybe not directly
in the Terayon gateway box (and definitely not in the Teralinks). The
gateway box can do some filtering IIRC, but isn't really much of a
powerhouse for such "add-on" functionality. I'd guess that they've
actually implemented the filters in whatever routers they use to join
their network segments.
One of the smaller cable ISPs I work with hasn't yet implemented
anti-spoof filtering, though it's definitely on the todo list. They've
not had any known problem with DDoS that I know of though (just "owned"
boxes initiating the odd scan). Of course they've still got a very
small (but growing) customer base.
Did it work?
I don't know if it's helped Rogers@Home prevent/reduce DDoS from their
network or not, but it certainly pointed out my configuration problem
quickly!
Daniel
Obviously, a general spoofing tool for Win95 could be written.
After reading that part of the tirade, I came to the same conclusion as a
previous poster... lots of FUD, and not much more.
I'm having a hard time understanding this. Wouldn't it be easier/simpler for
these crackers to just install their bots on, oh say, 20 million machines running
XP than the crackers having to deal with installing the bot -and- the code to do
the spoofing on Win95/98/98SE/98ME?
Michael Painter
I'm having a hard time understanding this. Wouldn't it be easier/simpler for
these crackers to just install their bots on, oh say, 20 million machines
running XP than the crackers having to deal with installing the bot -and-
the code to do the spoofing on Win95/98/98SE/98ME?
Doesn't matter. Either way it's an automated script-kiddie tool. No way
either approach works if it requires manual keystrokes by the attacker.
I'm having a hard time understanding this. Wouldn't it be easier/simpler for
these crackers to just install their bots on, oh say, 20 million machines running
XP than the crackers having to deal with installing the bot -and- the code to do
the spoofing on Win95/98/98SE/98ME?
As I understand it, the spoofing code is already available as a drop-in
DLL - ZPacket.
For an example of a low-level packet sniffer written in Delphi (using that
library) and a link to the source of the library itself, see:
http://users.swing.be/francois.piette/ingussniffer.htm
* David Howe sez:
: As I understand it, the spoofing code is already available as a
: drop-in DLL - ZPacket.
winpcap has no problems installing itself, hiding itself and functioning
properly without needing a reboot or keystrokes. Whoever is clueful
enough to write a small trojan (and you don't need much clue for that),
will know how to have that trojan fetch winpcap from the 'net and how to
install it. If the dropin refuses to work without a reboot, the trojan
could simulate a crash and force the luser to reboot - Windozies don't
get suspicious if their machine hangs every once in a while.
Gibson knows that - a lot of people told him. He just refuses to
understand. He's simply a case of dangerously inflated ego combined with
lack of basic clue and way too good at bullshitting his way around.
I think the idea is to either use a buffer overflow or somesuch (yes,
they exist on Windows) to get the machine to run a .vbs/ActiveX/wsh
at the time of penetration, or plant something that will get run when
the user does certain things or the machine's rebooted. There are
several tools which can do spoofing on NT/2000 using the Win32 version
of libpcap, and there are tools for Win9x into which the coders wrote
their own functions. A five-minute search on google.com will reveal them.
The bottom line is that Gibson's a hysterical crank who doesn't know what
he's talking about. Yes, providers and customers need to secure their
boxes/do egress filtering/implement CAR and/or WFQ and/or SPD and/or
TurboACLs wherever possible; yes, users need to know how to get hold of
their providers' NOCs/support staff -ahead of time-; yes, they need to
look at Cisco 7600-type and/or 6500/MSFC2/Sup2s to process ACLs wherever
possible; no, none of this is new.
He hadn't secured his routers in the least, and betrays a stunning
ignorance of how the Internet in general and IP specifically works. Then he
gets on his soapbox about it and proclaims that he, and only he, knows
how to save the Internet.
There're plenty of things to bash Microsoft over, both generally and in
regards to XP in general - but the fact that they implemented a standard
socket interface in XP isn't one of them.
Do realize that in the last year or so, Gibson claimed to've invented
'stealth' scanning a la nmap. He also published some crazy method for
supposedly optimizing ZIP drives which has the effect of destroying your
ZIP cartridges. I personally think he's unhinged, and a huckster to boot.
His latest folly is to automagically post logs of what he says are the
IPs of machines launching DoS attacks against his site, and urge users
to contact Bill Gates and blame Microsoft for it. Needless to say,
most of the machines on the list seem to supposedly be routers or
switches of one stripe or another, and/or *NIX boxes. My guess is that
the vast majority of those IPs are spoofed. He also urges service
providers to take action against the supposed offenders.
Although I hate Microsoft with a passion, I hope that they sue him for
slander - I'd love to see these two FUD-spreaders go after one another.
Hell, I'd be willing to serve for free as an 'expert witness' for the
purpose of taking him apart in court.
Gibson's an idiot. Ignore him.
Paul Vixie wrote:
* Roland Dobbins sez:
: He hadn't secured his routers in the least, and betrays a stunning
: ignorance of how the Internet in general and IP specifically works.
Anyone remember his 'nanoprobe' project and his claims to be able to
speed up transmission of packets by 90-400 percent through some obscure
Fast-ACK tricks? Gibson is unique in the way that he reads about
something, tosses it around until he understands it (while losing its
original meaning), adds some fake pseudo-technical babble around it and
then sells it. It's not so much Gibson who frightens me, it's the folks
who VC him and those who buy his bullshit.
: Then he gets on his soapbox about it and proclaims that he, and only
: he, knows how to save the Internet.
Inflated ego. Up around when his first rant started, he was approached
by some people on techsec-l which he reads and every once in a while
bores with his rants. Some pointed out obvious misconceptions, others
offered help. Only a moron the size of Gibson would proclaim his
superiority in every reply while dutifully ignoring the points about his
mistakes in the original mail.
: Do realize that in the last year or so, Gibson claimed to've invented
: 'stealth' scanning a la nmap. He also published some crazy method for
His newest claim is to be the inventor of a "new" port scanning method
which speeds up scans of the whole port range in milliseconds. He goes as
far as to claim: "I feel that I should tell you . . . that I have
recently figured out how to scan all of a user's 65,535 TCP/IP ports
almost instantaneously!" - this man must be a god. Or at least thinks
he's one.
: your ZIP cartridges. I personally think he's unhinged, and a huckster
: to boot.
There are far too many of these creatures out there. The problem is - the
media and your CIO love them.
: most of the machines on the list seem to supposedly be routers or
: switches of one stripe or another, and/or *NIX boxes. My guess is
: that the vast majority of those IPs are spoofed. He also urges
: service providers to take action against the supposed offenders.
... and recommends ZoneAlarm as a solution to the problem.