Government scrutiny is headed our way

Karl,

*You* may wish to make your life more convenient by bringing
government force into your relationship with other network
providers, why by what divine right do you get to impose your
convenience on others by force?

Just go ahead and filter the offenders. When their customers
cannot reach your services, or their server customers get
contacted by your customers about the policies of their ISP,
either they will change their policies or they will loose
customers.

It is MUCH more effective to guide business policies by the
lure of money than by the gun. Each and every network service
I have worked for has, once the benefits of cooperation were
pointed out to them, changed their tune.

Maybe if it were someone advocating force against YOU you
wouldn't be quite so pleased at the prospect as when you think
the cavalry is coming to rescue YOU.

Curt-

Karl,

*You* may wish to make your life more convenient by bringing
government force into your relationship with other network
providers, why by what divine right do you get to impose your
convenience on others by force?

Uh, I am imposing that same force on myself, if the "bad guys" are on my
network and someone needs help from us.

What I'm doing is asking for the government to start holding people
accountable for attractive nuisances, including vendors of equipment
who do nothing about tracability of this kind of attack.

Just go ahead and filter the offenders. When their customers
cannot reach your services, or their server customers get
contacted by your customers about the policies of their ISP,
either they will change their policies or they will loose
customers.

It is MUCH more effective to guide business policies by the
lure of money than by the gun. Each and every network service
I have worked for has, once the benefits of cooperation were
pointed out to them, changed their tune.

Look:

1. There is zero excuse for people allowing non-verified traffic in
  from dial ports. Zero. Its a trivial filter to implement on any
  RAS box on the market today, including some VERY old ones. If you
  filter only to the level of what COULD be legal (ie: the pool
  addresses on the device) that's good enough - it stops the spoofed
  denial of service attacks. Further, there is no bandwidth or CPU
  consumptiojn argument on these connections which can be made.

  This is pure LAZYNESS and nothing more - period.

  This also applies to the cable modem people, the ADSL people, etc.
  The only thing in the way of doing this on dedicated lines is
  reasonable automation (since people on dedicated lines might
  have their own address space, etc).

  MOST large ISPs do NO verification on inbound dial packet streams.

2. There is even less than zero excuse for a "fuck you" response from
  a NOC when you call them with a denial of service issue. Yet this
  is what we, all too often, get, along with a refusal to transfer to
  a manager and in some cases, a refusal to give the employee's NAME!
  The first thing these guys want is a customer ID; don't have one,
  go straight to hell.

  This happens ALL the time. In fact, it happens so often that its
  basically a waste of time to attempt to try to trace an active Smurf
  today, because the big guys WILL stonewall you.

3. Many of these providers sell "burstable" circuits. They CHARGE
  MORE to customers when they are abused as smurf amplifiers. Thus,
  there is a hell of an incentive NOT to do anything about the problem,
  as bits are bits when it comes to this issue. Now if you bitch
  they'll remove the charge I'm sure, but how many people won't catch
  it, especially on DS1s and frac T3s?

4. CISCO and other vendors have NOT stepped up to the plate with an
  EASY protocol-based way to trace these things. The bottom line is
  that the users haven't demanded it because its a "not in my back
  yard" type of problem, and the people who's back yard it IS in (and
  who are spending the most money with CISCO and friends) are not
  motivated to fix it.

5. It is the smaller provider and customer who gets hurt by this.
  We can survive 99% of all smurf attempts without damage. Our T1
  downstream customers? They're screwed. A T1-connected ISP?
  They're screwed as well. We don't get flooded off the network
  when it happens, which is why a "bounce at the border" strategy
  works for us.

  IT DOES NOT WORK FOR OUR CUSTOMERS, AS ONCE IT GETS TO THEM THE LINE
  IS CONSUMED AND TOSSING THE TRAFFIC IS POINTLESS!

6. Since you need significant bandwidth to BE a good smurf amplifier,
  guess who makes the "best" ones? Big ISP's internal infrastructure
  points, and fat-pipe (ie: DS3+) connected organizations. The DS1
  connected guy is a poor smurf source, since you need a lot of them
  in concert to hurt significant ISPs badly these days.

Karl,

2. There is even less than zero excuse for a "fuck you" response from
a NOC when you call them with a denial of service issue. Yet this
is what we, all too often, get, along with a refusal to transfer to
a manager and in some cases, a refusal to give the employee's NAME!
The first thing these guys want is a customer ID; don't have one,
go straight to hell.

I suspect including information about response from NOCs in the canonical
smurf amplifier registry would be instructive.

Regards,
-drc

Karl,

*You* may wish to make your life more convenient by bringing
government force into your relationship with other network
providers, why by what divine right do you get to impose your
convenience on others by force?

What's your alternative solution?

Just go ahead and filter the offenders.

This is ok after the fact. But it doesn't work when you're under
attack and trying to get help.

It is MUCH more effective to guide business policies by the
lure of money than by the gun.

I agree, but I don't think your solution, in this particular case,
is the right one.

Maybe if it were someone advocating force against YOU you
wouldn't be quite so pleased at the prospect as when you think
the cavalry is coming to rescue YOU.

If I was running a backbone, and I refused to help stop a Denial of Service
attack, couldn't I be considered to be aiding and abetting the criminal who
was performing the DoS? Couldn't I be held liable? I mean, in this case,
we're not talking gray areas here, like spamming and/or third-party mail
relaying. We're talking about smurfing, an action which is clearly illegal,
which clearly causes damage to the target network...

If I'm made aware of someone DoS'ing using my network, whether a LAN or, in
the backbones' case, a WAN, and I tell the complainant to bugger off, or
ignore the situation, I deserve whatever (legal) retaliation I get.
Including criminal charges if they apply. Including civil liability.

IOW - I agree with Karl.

That's simple. Follow the question path below to obtain your answer:

1. Is the network provider "next in the chain" a large national
  concern in the United States?

2. If yes, don't bother wasting your time. You will be told one of:
  a) We don't know what you're talking about <click>
  b) We'll contact security (two hours later, after the attack
    is over and is no longer traceable, they call back)
  c) What's your customer number? Oh, you're not a customer?
    Sorry. <click>

3. If no, you will be told one of:
  a) We don't know how to trace that <click>
  b) The source address isn't ours, sorry, we can't help you
    <click>

I have yet to have *ONE* Smurf attack, even ones which go on for an hour
or more, successfully traced back to the source. At some point in the
chain before you get to the source you WILL get one of the above answers.

This is why the government needs to get involved and *demand* that the
ability exist via a *protocol* for people in a NOC to initiate and follow
these traces automatically, without human intervention by the NOCs in the
chain.

What I would love to see is:

  "trace-smurf <forged-victim-address> <amplifier-address>" <return>

This would launch a trace which:

1. Looks "upstream" automatically for the destination address flow
  that matches the "victim" and amplifier, until it gets there
  (basically, set a "trap" condition for the address pair tuple, and
  then wait a few seconds for it to come through).

2. Determines the broadcast address for the interface which caused
  the smurf to be amplified.

3. Substitutes the broadcast address for the amplifier address, and
  then repeat upstream further until you get to the router where the
  victim/amplifier address pair is originating.

4. Displays its progress, much like a traceroute, as it is doing so,
  including the "turning point" where it is searching for the source
  as opposed to the amplifier. Hopefully we can get the ASNs along
  the way too (ala CISCO).

This would NAIL the source of these things, be quick to execute, and put
the nail in the coffin of the smurfer kiddies. Once you've identified the
source of the attacks you now can direct the legal people to the right
place, *AND* drop them from your list of people you will accept traffic
from if you'd like.

The trick is that you don't have to call anybody, and you can execute a
trace in a few seconds to a minute tops.

1. Is the network provider "next in the chain" a large national
  concern in the United States?

2. If yes, don't bother wasting your time. You will be told one of:
  a) We don't know what you're talking about <click>
  b) We'll contact security (two hours later, after the attack
    is over and is no longer traceable, they call back)
  c) What's your customer number? Oh, you're not a customer?
    Sorry. <click>

Sometimes, they (quickly) filter out this attack. Through I did not hear
about any successfull tracing.

3. If no, you will be told one of:
  a) We don't know how to trace that <click>
  b) The source address isn't ours, sorry, we can't help you
    <click>

I have yet to have *ONE* Smurf attack, even ones which go on for an hour
or more, successfully traced back to the source. At some point in the
chain before you get to the source you WILL get one of the above answers.

This is why the government needs to get involved and *demand* that the
ability exist via a *protocol* for people in a NOC to initiate and follow
these traces automatically, without human intervention by the NOCs in the
chain.

What I would love to see is:

  "trace-smurf <forged-victim-address> <amplifier-address>" <return>

Should you plan to have the distinct sintax for the any kind of attack?
Wrong idea.

The main issue is to be able to trace PACKETS by the known SRC or DST
address and of the known type. It can be something like
- where the packets TCP,SYN,DST=xx.xx.xx.xx are coming from?
- where the packets ICMP,ECHO-REQUEST,SRC=xxx.xxx.xxx.xxx are
from?

Both cases SRC or DST address is YOUR OWN ADDRESS, and it allow you to
ask such questions (and prevent you to ask anything about MY
internal traffic, for example).

If you'll develop anti-smurf system, you'll got SMERF attack and so on.
THe most important security hole for todays is the possibility to fraud
addresses, and this is complicated by those attacks when the packets
frauded are not packets destined to your personally, but the packets with
frauded SRC address (replaced to YOUR address).

If you can ask the global INTERNET: _this xxx.xxx.xxx.xxx is MY address;
where are the packets with this SRC or DST /of the known type/ are coming
from - the task is solved, and any attack can be traced (and may be -
blocked by the same way) in a 5 minutes.

The trick is that you don't have to call anybody, and you can execute a
trace in a few seconds to a minute tops.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
           > NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)

It is MUCH more effective to guide business policies by the
lure of money than by the gun. Each and every network service
I have worked for has, once the benefits of cooperation were
pointed out to them, changed their tune.

Unfortunately, for some networks, the expense in fixing the problem is a
reason not to...just as some networks want the income from spammers more
than a good reputation.

Maybe if it were someone advocating force against YOU you
wouldn't be quite so pleased at the prospect as when you think
the cavalry is coming to rescue YOU.

By advocating any kind of Internet oversight body, he IS advocating the
potential use of force against himself. Unfortunately, the root problem is
that the cooperative paradigm envisioned in the Internet's creation has
been overtaken by human weaknesses. Greed, sloth and a host of other sins
interfere with the Utopian vision of the original 'Net and cannot be
effectively dealt with by asking offenders nicely to shape up.

What do spammers and nails have in common? They're both intended for
hammering.

Dean Robb
PC-Easy
On-site computer services
(757) 495-EASY [3279]