Reporting Little Blue Men

Just about every night someone(s) tries to use us as the "innocent
third party" in smurf attacks. Of course, we block and log all the
broadcast packets.

Is there any point in trying to report these attacks? Who would we
report them to? We don't know what the source is, after all the
address is spoofed. It seems kind of pointless to notify the victim
-- they already know they have been smurfed.

I want to do my part to try to stop attacks, but I'm baffled on this
one.

--Eric

If you can tell which interface it enters your network (and from which router
if at an exchange) notify the next hop towards the source... then if they
follow the same procedure eventually the culprit may be found...

aid

You should be able to figure out what interfaces they are coming in on.
That's the first step.

> Is there any point in trying to report these attacks? Who would we
> report them to? We don't know what the source is, after all the
> address is spoofed. It seems kind of pointless to notify the victim
> -- they already know they have been smurfed.

You report them to the FBI. See "Firewalls and Internet Security" by
Cheswick and Bellovin, and "Unix System Security" by Curry.

Does that help? Yes and no. There are several laws being violated, but
the FBI basically isn't getting involved in the spam wars. The first
violators were the anti-spammers who put in the blocking. The second
violators were the spammers who use relaying to get around that.
Anti-spammers are illegally intercepting (blocking) electronic
communications, and reading email, and the spammers are illegally exceeding
their authorization to access computers. The anti-spammers are illegally
preventing access to computers and networks engaged in interstate commerce.
Anti-spammers illegally exceed their authority to cancel usenet messages.
Spammers try to post messages faster than they can be canceled.
Electronic packet wars with each side trying to out-send the other.

The FBI is aware of this.

I think the FBI is reticent to get involved since there is essentially an
electronic riot in progress, and they don't have the resources to arrest
all the involved parties. Since no one is getting physically injured and
no money is being stolen, I think they are just waiting to see what
happens. Perhaps they think it will blow over. Or perhaps they just don't
think it important enough to get involved in. Perhaps it's just the largest
flame war in the history of the planet, and shouldn't be taken too
seriously. Evidence is hard to gather and prosecute.

I suppose that some on this list are ill-disposed to accept they are
breaking any laws. I doubt anyone wants to argue this on this list. So I
won't.

But you should note that both authors also indicate that (from Cheswick and
Bellovin, page 205): "Computing and electronic communications service
providers are more limited in their right to monitor user activity. Just as
the phone company personnel may not, in general, listen to your calls,
employees of a public electronic mail service may not read your messages,
whether in transit or stored." There will be more detailed information in
our spam policy.

I'm working on a spam policy which may be viewed at
http://www.av8.com/spampolicy.html It includes all the laws that are being
broken by all the parties. It's still a draft, but the main points are
there.

> I want to do my part to try to stop attacks, but I'm baffled on this
> one.

Here's what you can do:

Get people to stop illegally blocking spam, and then get the spammers to
stop illegally using relays. Once the network and online providers obey
the law, you can ask the spammers to obey the law, too. It's pretty
pointless to only ask one group to obey the law. It's pretty unlikely the
FBI will step in to enforce the law on only one group while allowing the
other group to break the law.

At some point, perhaps we can take a list of violators to the FBI and ask
them to restore order and enforce the laws on spammer and anti-spammer
violators.

    --Dean

> You report them to the FBI. See "Firewalls and Internet Security" by
> Cheswick and Bellovin, and "Unix System Security" by Curry.
>
> Does that help? Yes and no. There are several laws being violated, but
> the FBI basically isn't getting involved in the spam wars. The first
> violators were the anti-spammers who put in the blocking. The second
> violators were the spammers who use relaying to get around that.
> Anti-spammers are illegally intercepting (blocking) electronic
> communications, and reading email, and the spammers are illegally exceeding
> their authorization to access computers. The anti-spammers are illegally
> preventing access to computers and networks engaged in interstate commerce.
> Anti-spammers illegally exceed their authority to cancel usenet messages.
> Spammers try to post messages faster than they can be canceled.
> Electronic packet wars with each side trying to out-send the other.

I'm not sure what the issue of spammers vs. anti-spammers has to do with
the general case of smurf attacks. While I'm sure that some subset of the
smurf attacks that take place may have something to do with this
"conflict", there's no reason to believe that smurf attacks generally have
anything to do with spam-blocks or spam relays.

> But you should note that both authors also indicate that (from Cheswick and
> Bellovin, page 205): "Computing and electronic communications service
> providers are more limited in their right to monitor user activity. Just as
> the phone company personnel may not, in general, listen to your calls,
> employees of a public electronic mail service may not read your messages,
> whether in transit or stored." There will be more detailed information in
> our spam policy.

None of the commentary regarding spam blocks being an illegal
"interception" of electronic communication is borne out by recent case law.
Both AOL and CompuServe have won cases that essentially bear out their right
to block e-mail from certain sources at their discretion. There are a wide
variety of legal arguments that could be made here, but the current state of
the law seems to bear no resemblance to the picture that Mr. Anderson is
trying to paint above.

Back to the original question posed by Eric Wieling:

> Is there any point in trying to report these attacks? Who would we
> report them to? We don't know what the source is, after all the
> address is spoofed. It seems kind of pointless to notify the victim
> -- they already know they have been smurfed.

As others have pointed out, identifying the interface the packets are
coming in from would allow you to start the tracing process. (Okay,
blatant generalizing now. I realize there are exceptions...) However,
based on my experience with the providers we buy transit from, I have a
feeling you wouldn't get much of a response from most of the people you get
on the phone. There doesn't seem to be much incentive for a NOC to track a
smurf attack that is simply passing through their network, and NOC security
teams seem generally unwilling to spend time on issues that aren't
affecting them.

Jordyn
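The first step several posters describe, working out which interface the amplifier traffic enters on so the next hop upstream can be told, as an added example that is not part of this thread: a Python sketch over a constructed packet-filter log. The log format, interface names and address ranges are assumed, not any vendor's.

```python
import ipaddress
from collections import Counter

# Constructed packet-filter log (assumed format, not any vendor's):
# time ingress-interface proto src dst detail
SAMPLE_LOG = """\
23:01:02 serial0 icmp 192.0.2.10 203.0.113.255 echo-request
23:01:02 serial0 icmp 192.0.2.10 203.0.113.255 echo-request
23:01:03 serial1 icmp 192.0.2.10 203.0.113.255 echo-request
23:01:03 serial0 icmp 192.0.2.10 198.51.100.255 echo-request
23:01:04 ether0 icmp 203.0.113.7 203.0.113.9 echo-request
23:01:05 serial0 tcp 198.51.100.20 203.0.113.9 dport=25
"""

# Our own prefixes (assumed). An echo request to one of their broadcast
# addresses arriving from outside is a smurf amplification attempt.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

def is_directed_broadcast(dst):
    d = ipaddress.ip_address(dst)
    return any(d == n.broadcast_address for n in LOCAL_NETS)

def summarize_smurf(log_text):
    """Count amplifier packets per (ingress interface, spoofed source).
    The source is the victim whose address was forged; the ingress
    interface says which upstream to call for the next hop toward it."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated line
        _, iface, proto, src, dst, detail = parts[:6]
        if proto == "icmp" and detail == "echo-request" \
                and is_directed_broadcast(dst):
            hits[(iface, src)] += 1
    return hits

def interfaces_to_report(hits):
    """Ingress interfaces ranked by amplifier packets, busiest first."""
    per_iface = Counter()
    for (iface, _victim), n in hits.items():
        per_iface[iface] += n
    return per_iface.most_common()

if __name__ == "__main__":
    h = summarize_smurf(SAMPLE_LOG)
    for (iface, victim), n in sorted(h.items()):
        print(f"{iface}: {n} broadcast echo requests, victim {victim}")
    print("contact upstreams in this order:", interfaces_to_report(h))
```

The ordinary echo request to a host address and the TCP line are skipped, so only the directed-broadcast traffic is attributed to an ingress interface.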

Am I missing something here? Since when was a law passed making
it illegal to block spam? Or is this wishful thinking on Dean's part?

          David

==>Is there any point in trying to report these attacks? Who would we
==>report them to? We don't know what the source is, after all the
==>address is spoofed. It seems kind of pointless to notify the victim
==>-- they already know they have been smurfed.

Most providers are relatively helpful if they're attacks. They will
generally work to help resolve it, or at least will place filters in place
to help you out.

It's quite unfortunate that I had to find a tier 1 not willing to help
with the smurf situation at all lately. An ISP that I do consulting
for was being attacked via their connection to this provider. When their
provider was called, they said they couldn't trace anything unless the FBI
was involved, and that they couldn't put a filter in place.

So, basically this ISP's connection to the provider was disabled.

After the owner of this ISP argued with this provider's NOC for 12 hours,
this provider sent mail back, claiming it wasn't a smurf because they
looked at the traffic on the circuit.

If anyone should recognize a smurf, I think I would. I told this provider
it *was* a smurf, and that if they weren't predisposed with trying to do
absolutely nothing about it, they would have seen it.

After I told them about my smurf paper,
http://www.quadrunner.com/~chuegen/smurf.txt they were quick to tell me
(against their supposed "policy") that they are indeed willing to filter
for a customer, and that they will trace attacks if necessary.

This is interesting, because I sat on a conference call with
representatives from this provider along with others, the FBI, and CERT on
how we can have better cooperation between providers and track these guys.
This provider claimed their NOC was willing to deal with this.

It was a very disappointing e-mail thread.

As a plea to all you providers out there: the 'smurf' attack hurts the
smaller providers. It hurts their business. Please vow to use tools like
DoStracker and anything else you may be able to in order to trace this
down. Get your NOC operations folks involved--pass out the smurf paper to
educate customers and tell them what you can and can not do.

/cah

Dean Anderson <dean@av8.com> writes:

<snip>
> There are several laws being violated, but
> the FBI basically isn't getting involved in the spam wars. The first
> violators were the anti-spammers who put in the blocking. The second
> violators were the spammers who use relaying to get around that.
> Anti-spammers are illegally intercepting (blocking) electronic
> communications, and reading email, and the spammers are illegally exceeding
> their authorization to access computers. The anti-spammers are illegally
> preventing access to computers and networks engaged in interstate commerce.
> Anti-spammers illegally exceed their authority to cancel usenet messages.

  It's bad enough that we have to put up with non-operational
  banter on the NANOG list, but having to deal with morons is
  particularly offensive. The court has already upheld the
  right of ISPs to block spam, and the right of ISPs to sue
  spammers on behalf of their subscribers.

  The following is an excerpt from a case on the ACLU's web site at
  http://www.aclu.org/issues/cyber/updates/nov13clu.html :

    "A District Court in Pennsylvania has ruled that AOL
    is not a state actor subject to the First Amendment,
    and therefore can block unsolicited commercial e-mail
    (spam). ... Judge Weiner found that there were no
    disputes over the facts of the case, and issued a
    summary judgment opinion. He held that AOL is not a
    state actor, and is not working in conjunction with the
    government. As a wholly private actor, AOL is not
    required to open its network to Cyberpromo, and is
    therefore within its rights to block e-mail from the
    Cyberpromo's domains."

  If you really think spam does not hurt anybody, try explaining
  to your 10 year old daughter why she keeps getting email for
  "hot pussy sites" in her mail box -- this is something that a
  child should never have to deal with. For this reason,
  US Net provides one of the largest anti-spam filter lists
  on the Internet, and we gladly help other ISPs in tightening
  their mail systems down so they can eliminate nearly all spam
  coming to their site. Our list is available via email auto
  responder at spamlist@us.net -- over 700 ISPs pull this list
  regularly to block spam. Filters can not stop all spam, but
  they can have a dramatic impact on the amount of spam that
  actually gets through to your site.

  While Paul's BGP feed is excellent for blocking spam, we can
  not use it because our customers demand being able to get to
  the "entire Internet". Instead, we use filters to block mail
  coming to dial-up customers, and we provide information and
  tools to help our network customers kill spam on their own
  mail servers. We are working hard to make the Internet a
  *much* smaller place for spammers ...

  Dave Stoddard
  US Net Incorporated
  301-572-5926
  dgs@us.net

I believe you'll find, Dave, that this directly violates this list's
charter.

Cheers,
-- jra

Yo Jay!

To reiterate my original position from an end-user perspective. I do not want to
purchase services from an ISP that disallows me freedom of choice to solicit
those businesses that I want to deal with. I do not care for sex spams or market
driven Microsoft email or basic solicitations that do not interest me personally
or professionally. "That protects my right of choice."

I believe that ISP in conjunction with the NSP has the right to limit bandwidth
in my interest as a consumer of services from forced market techniques,
especially the ones that commit criminal activity in the process of spamming.

If such businesses must exist then let it be on an e-commerce network that
is private and does not invade mainstream networks and email systems.

If they can not live with that, then outright refuse service like any private
business has the right to do.

Henry R. Linneweh

Dave Stoddard wrote:

> I'm working on a spam policy which may be viewed at
> http://www.av8.com/spampolicy.html It includes all the laws that are being
> broken by all the parties. It's still a draft, but the main points are
> there.

>I want to do my part to try to stop attacks, but I'm baffled on this
>one.

> Here's what you can do:
>
> Get people to stop illegally blocking spam, and then get the spammers to
> stop illegally using relays.

Sysadmins have a right to make sure their systems are not compromised,
and to protect the integrity of their service for their users. Period.

Sorry, Dean -- and I don't want to get into a big argument here, because
nanog is not the place for it -- but spam does affect the throughput of the
typical ISP and it does crash servers (it did to ours).

> At some point, perhaps we can take a list of violators to the FBI and ask
> them to restore order and enforce the laws on spammer and anti-spammer
> violators.

ISP's are private companies and the servers are their property. If the ISP
makes known when the user signs up that spam is being blocked, and the user
acknowledges that and signs up anyway, I can't see how anyone's rights are
being violated.