Government scrutiny is headed our way

> This is why the government needs to get involved and *demand* that
> the ability exist via a *protocol* for people in a NOC to initiate
> and follow these traces automatically, without human intervention
> by the NOCs in the chain.

Would you and other operators be willing to modify peering agreements
to include serious fines for running a smurf amplifier or allowing
packets with bogus source addresses to enter the system?

Tracking back bogus source addresses seems hard. Would fines on
smurf amplifiers be good enough to fix the smurf problem? Or do
we need to catch a smurfer to use as an example?

Currently, NOCs don't have much financial interest in tracking down
a smurfer.

Karl's stories of non-cooperation make sense if the NOC is looking
at their (short term) bottom line rather than the good of the net.
The person on the phone won't get any reward for solving Karl's problem
(and might get in trouble for sticking his neck out).

Is there a way we can change that?

One possibility might be to offer a reward to the NOC that gets the
evidence on the first smurfer to get tossed in jail or fined more
than $100K.

Another might be to setup peering contracts that encourage ISPs/NSPs
to track down smurfers.

I can't quite come up with the right thing to suggest. Everything
I think of has too many possibilities for gaming.

I'm fishing for something like each ISP/NSP that works on tracking
down a smurfer gets to charge the ISP/NSP closer to the source for
the time and costs it spends on the problem, including the costs
that get passed to it.

How much effort is involved in tracking a smurfer through each router?

Any router vendors willing to estimate how much it would cost to
implement something like Karl's proposed command?

"trace-smurf <forged-victim-address> <amplifier-address>" <return>

Do smurf attacks always happen late at night and on weekends?

Would major NSPs be willing to setup a smurf hotline so trusted smart
people, like Karl, could bypass the first several layers of screening
and get the data to the right person fast?

Well, DoS and smurf are only different in terms of the packet amounts and
method to convey them, so in essence a smurf is another form of DoS on
a larger scale. An existing law already covers that.

If a NOC refuses to obey the law and investigate on behalf of a paying
client that DoS has occurred, then they become party to a criminal act
after the fact and are as guilty as the originator of the attack and can
be held accountable and their staff can be arrested, and you have the
right to sue for $4000.00, as do each one of your individual
customers.

Sometimes you have to look at what you have and realize how
to use it for the benefit of the whole.

As for smurfs crossing international borders, where such attacks generally
occur from, a group representation to the FCC needs to be formed and
the FCC needs then to communicate with its counterpart on the foreign
soil using existing treaties that would make that a violation of
non-aggression pacts and interference in a foreign government and denial
of its citizens to communicate pursuant to their constitution the right
of free speech.

In a technical sense smurfs from foreign shores are an act of war on
networks of the United States by the purposeful intent to disrupt,
destroy and cripple its computer network infrastructure with a
smurfing mechanism.

Henry R. Linneweh

Hal Murray wrote:

> Well, DoS and smurf are only different in terms of the packet amounts and
> method to convey them, so in essence a smurf is another form of DoS on
> a larger scale. An existing law already covers that.

How do you come up with that? A DoS attack is anything that makes a
resource on a host or network unusable. Let's remember that the whole
point of the attack is to deny service, whether it be pop3 service with a
syn flood or bandwidth with smurf, fraggle, or generic ping flood. A
smurf attack is a DoS is a DoS is a DoS.

> If a NOC refuses to obey the law and investigate on behalf of a paying
> client that DoS has occurred, then they become party to a criminal act
> after the fact and are as guilty as the originator of the attack and can
> be held accountable and their staff can be arrested, and you have the
> right to sue for $4000.00, as do each one of your individual
> customers.

I've never heard a NOC say they wouldn't track it down, although I'm sure
it's happened in the past. Mostly I've heard that a NOC was incapable of
tracking it down because of router overhead. Not to mention the packets
are almost always going to be traced back to the known smurf amplifiers.
If it was easy to find people responsible for the operations of those nets
and get them on the horn we could have had the smurf problem fixed a long
time ago. I would like to see if taking one of those people into court
for being an unknowing party to the crime would be effective.

> Sometimes you have to look at what you have and realize how
> to use it for the benefit of the whole.

Indeed, but how many people want to invest the time and money involved in
prosecuting a smurf attack? Has anyone successfully done it yet?

> As for smurfs crossing international borders, where such attacks generally
> occur from, a group representation to the FCC needs to be formed and
> the FCC needs then to communicate with its counterpart on the foreign
> soil using existing treaties that would make that a violation of
> non-aggression pacts and interference in a foreign government and denial
> of its citizens to communicate pursuant to their constitution the right
> of free speech.
>
> In a technical sense smurfs from foreign shores are an act of war on
> networks of the United States by the purposeful intent to disrupt,
> destroy and cripple its computer network infrastructure with a
> smurfing mechanism.
>
> Henry R. Linneweh

What needs to happen is things like IPSec, ISAKMP, and Oakley become prime
time so authenticating packets becomes a trivial issue. However, the U.S.
Crypto Nazis make it impossible for it to be developed in this country
because if it is, then it cannot be exported to other countries unless in
a weakened state. I don't claim to be a crypto person, but when you think
about how the game is played, getting to the real root of the problem may
not be an answer you like. I'm as patriotic as the next guy [you can read
that however you like], but for crypto authentication solutions to work
our government needs to get their hands out of it.

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services

Now that we have gotten down to the nitty gritty here.

AGAIN, the main mechanism for spoofing the smurf attacks is a program
called WinGate; ban that code and this problem will be cut more than in half.

Next there is a rumor that 8000 users have been infected with a tweaked
system.exe file that makes that user a smurf amplifier unwittingly. These
are things to watch for. I wish there was an easier way to break bad news.

Henry

Joe Shaw wrote:

> Henry Linneweh wrote:
>
> > Now that we have gotten down to the nitty gritty here.
> >
> > AGAIN, the main mechanism for spoofing the smurf attacks is a program
> > called WinGate; ban that code and this problem will be cut more than in half.

Really? Wow - it's truly amazing no one's come up with such a simple
solution so far. Watch out for the photographers - you'll inevitably be
ambushed. My hero :)

Cheers,
Brian

> Now that we have gotten down to the nitty gritty here.
>
> AGAIN, the main mechanism for spoofing the smurf attacks is a program
> called WinGate; ban that code and this problem will be cut more than in half.

What does wingate have to do with this?

Smurf attack is the term used for an ICMP echo based denial of service
attack caused by sending a forged ICMP echo request to a broadcast network
address. The attacker forges the source address of the ICMP echo request
to that of his victim, so all ICMP echo replies come back and flood the
victim(s).

Now, these packets can be hand forged by anyone with a moderate knowledge
of C and root on a UN*X workstation. Don't fix the symptom, but fix
the reason these attacks work. Packet authentication is the answer down
the line, but for now it's getting the twonks with their networks open to
fix the problem. This DoS can also be done with UDP echo, and UDP packets
are much easier to forge/spoof than TCP.

> Next there is a rumor that 8000 users have been infected with a tweaked
> system.exe file that makes that user a smurf amplifier unwittingly. These
> are things to watch for. I wish there was an easier way to break bad news.

I fell out of my chair at that statement. One user/host cannot be a smurf
amplifier; one network from a /30 and down can with different results.

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
Any spelling mistakes and/or grammar errors are due to lack of sleep...

> This is why the government needs to get involved and *demand* that
> the ability exist via a *protocol* for people in a NOC to initiate
> and follow these traces automatically, without human intervention
> by the NOCs in the chain.

> Would you and other operators be willing to modify peering agreements
> to include serious fines for running a smurf amplifier or allowing
> packets with bogus source addresses to enter the system?

It won't happen (try to get that written into one - hah!)

> Tracking back bogus source addresses seems hard. Would fines on
> smurf amplifiers be good enough to fix the smurf problem? Or do
> we need to catch a smurfer to use as an example?

Preventing bogus source addresses isn't hard. It's not done because people
are lazy and don't care about their neighbors - this is a "not in my back
yard" problem.

> Currently, NOCs don't have much financial interest in tracking down
> a smurfer.

Actually, some NOCs have a financial incentive to BE amplifiers (consider
someone connected on a bit-rate-sensitive billing plan)

> Karl's stories of non-cooperation make sense if the NOC is looking
> at their (short term) bottom line rather than the good of the net.

Yep. Surprise.

> Is there a way we can change that?

Bring charges?

> I can't quite come up with the right thing to suggest. Everything
> I think of has too many possibilities for gaming.
>
> I'm fishing for something like each ISP/NSP that works on tracking
> down a smurfer gets to charge the ISP/NSP closer to the source for
> the time and costs it spends on the problem, including the costs
> that get passed to it.

> How much effort is involved in tracking a smurfer through each router?

Not a lot, but non-zero. The problem is that you have to catch it while the
attack is in process.

The REAL solution to this problem is for people to prevent address spoofing
on their leaf connections. That is, for leaf connections, if you do not
have a route back to the source from which you came, you drop the packet -
period.

If the LEAF nodes all did this, then the problem would already be gone.

> Any router vendors willing to estimate how much it would cost to
> implement something like Karl's proposed command?

> "trace-smurf <forged-victim-address> <amplifier-address>" <return>

> Do smurf attacks always happen late at night and on weekends?

No. We just got hit for a few minutes at 9:15 this morning.

> Would major NSPs be willing to setup a smurf hotline so trusted smart
> people, like Karl, could bypass the first several layers of screening
> and get the data to the right person fast?

That would be a good start.

Kewl! "Wingate, thou art banned!". Now, only half as many networks should
be smurfed....

</sarcasm></sarcasm>

What do spammers and nails have in common? They're both intended for
hammering.

Dean Robb
PC-Easy
On-site computer services
(757) 495-EASY [3279]
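The two fixes argued for in this thread, the leaf-side anti-spoofing rule in the reply above (drop a packet when there is no route back to its source out the interface it arrived on) and the amplifier-side fix Joe Shaw points at earlier (echo requests from outside must not reach a directed-broadcast address), as an added example that is not code from any poster here. The routing table, interface names, packet records and the remote amplifier address 100.64.5.255 are constructed for illustration; the other addresses are taken from the RFC 5737 documentation ranges.

```python
"""Leaf-router ingress policy: anti-spoofing plus directed-broadcast drop.

Added example for the NANOG smurf thread; not code posted by anyone in it.
The routing table and packets below are constructed; interface names
and prefixes are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed routing table for a hypothetical leaf router:
# prefix -> interface that reaches it.  The default route points upstream.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",      # customer LAN A
    ipaddress.ip_network("198.51.100.0/26"): "cust-b",   # customer LAN B
}
LOCAL_LANS = [net for net, ifc in ROUTES.items() if ifc != "upstream"]


@dataclass(frozen=True)
class Packet:
    ingress: str      # interface the packet arrived on
    src: str          # source IP as written in the header (may be forged)
    dst: str
    proto: str        # "icmp", "udp" or "tcp"
    kind: str = ""    # "echo-request", "udp-echo", ... (empty if irrelevant)


def route_lookup(addr: str) -> str:
    """Longest-prefix match; returns the interface we would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = max((net for net in ROUTES if ip in net), key=lambda n: n.prefixlen)
    return ROUTES[best]


def rpf_ok(pkt: Packet) -> bool:
    """Strict reverse-path check for a leaf connection: the route back to the
    source must leave via the interface the packet came in on.  A customer
    port emitting a source we only reach via 'upstream' is spoofing."""
    return route_lookup(pkt.src) == pkt.ingress


def is_directed_broadcast(pkt: Packet) -> bool:
    """True when dst is the broadcast (or all-zeros) address of one of our
    LANs and the packet did NOT arrive from that LAN, i.e. someone outside
    is trying to use the whole subnet as an amplifier."""
    ip = ipaddress.ip_address(pkt.dst)
    for net in LOCAL_LANS:
        if ip in (net.broadcast_address, net.network_address):
            return ROUTES[net] != pkt.ingress
    return False


def policy(pkt: Packet) -> str:
    """Verdict for one packet: 'forward' or a 'drop: <reason>' string."""
    if not rpf_ok(pkt):
        return "drop: spoofed source (fails reverse-path check)"
    echo = (pkt.proto == "icmp" and pkt.kind == "echo-request") or \
           (pkt.proto == "udp" and pkt.kind == "udp-echo")
    if echo and is_directed_broadcast(pkt):
        return "drop: echo to directed broadcast (smurf/fraggle amplifier)"
    return "forward"


# Constructed sample traffic: one normal ping, a customer launching a smurf
# (forged victim source toward a remote amplifier), an outsider aiming at
# our LAN A broadcast, the same via UDP echo at LAN B, and a host on LAN B
# pinging its own broadcast (local, allowed).
SAMPLE = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5", "icmp", "echo-request"),
    Packet("cust-a", "203.0.113.5", "100.64.5.255", "icmp", "echo-request"),
    Packet("upstream", "203.0.113.5", "192.0.2.255", "icmp", "echo-request"),
    Packet("upstream", "203.0.113.5", "198.51.100.63", "udp", "udp-echo"),
    Packet("cust-b", "198.51.100.7", "198.51.100.63", "icmp", "echo-request"),
]


def audit(packets):
    """Apply the policy to a list of packets; returns [(packet, verdict), ...]."""
    return [(p, policy(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE):
        print(f"{pkt.ingress:9} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```

The strict reverse-path check is only safe where routing is symmetric, which is exactly the leaf/customer ports the reply above is talking about; on a transit or peering link with asymmetric paths the same rule would drop legitimate traffic, so the filter belongs at the edge, not in the core.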

For those who missed or would like to review the proceedings of the most
recent NANOG (Dearborn), I've finally managed to cut up the 60kbit live
archives of the individual presentations from Monday & Tuesday (including
the Monday evening BOF) & put them up on a few servers. There were some great
presentations... hit http://www.nanog.org/mtg-9806/agen0698.html to visit
the clips. Feel free to share these with friends & colleagues.

Jeffrey Payne
GM, Broadcast Operations, RealNetworks
206.674.2364