New Denial of Service Attack on Panix

I wish that it were not so, but after reading the clever and insightful
approaches to tracking down the denial-of-service perps, I am pessimistic
about our ability to stay ahead in the escalation of this counter-countermeasure
warfare. I think that if we were able to trace the Panix attacker
that a future attacker would hit simultaneously from a half-dozen free
dial-up connections with a real random number generator and synthetic
SYNs to fool the router stat collector (or whatever it takes). I think we
are on the short end of the technology stick here.

If the fit hits the shan and the attacks begin to escalate, we need to be
ready to cooperate on source address filtering at the periphery. It's one
of those cases of hang together or hang separately. Should we wait, like
the cell phone industry did with the cloning fiasco, until this gives us
a black eye? It's just too inviting to expect that we don't have plenty of
folks out there ready to pull this trigger on us.

We need a general consensus in order for any one of us to justify the effort
required to install source address filters. That means that representatives
from major backbone ISPs must announce that they will install filters (not
at the MAEs) in response to this new threat and that they expect that their
peers will too. I'm not one of those major backbone ISP network
engineers, but I would hope that for the sake of all of us, that those who
are will roll their eyes heavenward, take a deep breath, and do what needs
to be done. I know it's easy for me to say, but nevertheless ...

This is an excellent example of what the NANOG and IEPG are really good for.

--Kent
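As an added illustration (not code from the thread, nor from any ISP mentioned in it) of the source address filter Kent is asking for: the filter keeps, per customer-facing interface, the address blocks assigned to the customer behind it and drops anything whose source lies outside them. Interface names, prefixes and packets below are constructed sample data using documentation address ranges.

```python
"""Ingress source-address filtering at the network periphery.

Added illustration for the thread above; not the thread's own code.
Interface names ("ser0", "fddi0") and the packets are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as the router's input filter sees it."""
    iface: str   # ingress interface the packet arrived on
    src: str     # source address (the field a flooder forges)
    dst: str     # destination address


class IngressFilter:
    """Per-interface source-address filter.

    `allowed` maps an ingress interface to the address blocks assigned to the
    customer behind it.  An interface with no entry is left unfiltered: on a
    peering link (the MAEs in the thread) any address on the Internet may
    legitimately appear as a source, so there is nothing to compare against.
    """

    def __init__(self, allowed: Dict[str, List[str]]) -> None:
        self.allowed = {
            iface: [ip_network(n) for n in nets] for iface, nets in allowed.items()
        }

    def permits(self, pkt: Packet) -> bool:
        nets = self.allowed.get(pkt.iface)
        if nets is None:          # unfiltered interface
            return True
        src = ip_address(pkt.src)
        return any(src in net for net in nets)

    def apply(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Split packets into (forwarded, dropped)."""
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            (forwarded if self.permits(pkt) else dropped).append(pkt)
        return forwarded, dropped


# Constructed sample topology: "ser0" is a customer port whose customer was
# assigned 192.0.2.0/24; "fddi0" is an unfiltered peering link.
EDGE_FILTER = IngressFilter({"ser0": ["192.0.2.0/24"]})

SAMPLE_PACKETS = [
    Packet("ser0", "192.0.2.10", "198.51.100.5"),    # genuine customer traffic
    Packet("ser0", "203.0.113.77", "198.51.100.5"),  # forged source: dropped
    Packet("ser0", "10.9.8.7", "198.51.100.5"),      # forged source: dropped
    Packet("fddi0", "203.0.113.77", "198.51.100.5"), # peering link: cannot be judged
]


def run_demo() -> Tuple[int, int]:
    """Return (forwarded, dropped) counts for the constructed sample."""
    forwarded, dropped = EDGE_FILTER.apply(SAMPLE_PACKETS)
    return len(forwarded), len(dropped)


def dropped_sources(filt: IngressFilter, packets: List[Packet]) -> List[str]:
    """Source addresses rejected at the edge, the evidence a tracing effort needs."""
    _, dropped = filt.apply(packets)
    return [p.src for p in dropped]


if __name__ == "__main__":
    fwd, drp = run_demo()
    print(f"forwarded={fwd} dropped={drp}")
    for src in dropped_sources(EDGE_FILTER, SAMPLE_PACKETS):
        print("forged source rejected on ser0:", src)
```

On a real router the same rule is an inbound access list on each customer-facing interface that permits only the customer's assigned prefixes and denies everything else. The sample also shows why the thread says "not at the MAEs": on the peering link the legitimate source set is the whole Internet, so the same forged packet passes there untouched; only the provider at the edge knows which sources are valid.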

from the quill of "Kent W. England" <kwe@6SigmaNets.com> on scroll
<2.2.32.19960917204240.00714dac@mail.cts.com>

We need a general consensus in order for any one of us to justify the effort
required to install source address filters. That means that representatives
from major backbone ISPs must announce that they will install filters (not
at the MAEs) in response to this new threat and that they expect that their
peers will too. I'm not one of those major backbone ISP network
engineers, but I would hope that for the sake of all of us, that those who
are will roll their eyes heavenward, take a deep breath, and do what needs
to be done. I know it's easy for me to say, but nevertheless ...

If the backbones agree that this is what needs doing, then perhaps a
financial penalty should be levied against upstream sites that have allowed
forged addresses to enter the backbone networks. Whenever one of these
forgers needs to be tracked one almost certainly needs to cross at least
one backbone provider to do the tracing. One will eventually find the
backbone provider providing service to the 1st tier ISP, which may lead to
a second tier ISP and so on. If the time spent to find the 1st tier ISP
were charged back to that ISP he would certainly be able to justify the
cost of the filtering. That first tier has the option to pass the cost on
to its offending customer, which also gives incentive to find the next
hop from where the packets are coming.

I hate financial penalties as much as the next guy, but when facing
somebody whose excuse for ignoring the requirement is cost, make the apathy
a cost as well.

b.