Solution: Re: Huge smurf attack

Brandon Ross wrote:

> We don't ask our vendors to provide equipment with directed broadcast
> turned off by default for our own use or use by any clueful operator. The
> reason we require directed broadcast to be turned off by default is so
> that when a less-than-clueful operator gets a hold of the same box, they
> don't become yet another smurf amplifier that ends up being used to attack
> us. If and when I have the leverage with a vendor to get this implemented,
> I use it, every single time.

and also wrote:

> Yes, but, do you have any idea how many tech support calls would be
> generated by our customers complaining that they can't ping or be pinged?
> Our service is advertised as unrestricted Internet access. Our customers
> rightfully expect to be able to ping out as well as be pinged. If we
> blocked all echo throughout our network, we would be completely flooded
> with technical support calls. Doing something like this, similar to the
> several suggestions to filter all .0 and .255 addresses, is an attempt to
> fix the symptom instead of the real problem.

Filtering .0 and .255, or filtering echos or ICMPs, are all indeed a form
of "fixing" the symptom. These things are being done because fixing the
cause isn't practical.

But what is the cause? Is it that kids with scripts will attack and try
to bring down an IRC server or the network that hosts it? Or is it that
they have the scripts in the first place? Or is it that they are using
networks that allow them to do this in the first place?

Fixing the kids' heads, I'm sure we all agree, would be the correct solution.
But I don't believe this is really practical or possible. So what should be
done is to make it so that they have no effect.

The cause of burglaries and thefts is bad people. So we put up fences and
iron gates, install TV cameras in convenience stores, hire more security
guards and police officers, enact laws with longer criminal sentences. But
all of this is technically addressing the symptom of the problem. However,
doing so is often the only practical way.

So my position is that until we do have a practical solution to solve the
cause of the problem, we simply have to deal with the effects the best we
can, and this does mean dealing with and addressing the symptoms so that
we do not suffer the effects.

The question is just what steps are the ones we should do.

I admire Mindspring's position of making Internet access unrestricted.
But what is the real motivation? Is it the goal of "perfect IP" or is it
the business case of decreasing tech support costs? They are, after all,
in the business of providing consumer dialup access, and as we all know
that line of business is very costly in areas of tech support. Network
attacks are also a real cost. I would suggest that treating some of the
symptoms, at least for now, will cut some costs until the day that we
can achieve the utopian goal of the perfect solution to the cause.

Hi.

Let me say a few words. I was talking to a few of these kids in recent months, and
unfortunately everything is not so easy to fix.

Yes, 99.9% of these attacks are _kids' play_. I do not know how to fix
kids' heads over the whole world, but let's imagine you have found some
way to do it. And... let's wait for someone - not a kid, from Iraq,
for example, who uses this as an electronic weapon. Why not?

It's amazing, but these kids' games have a positive effect among the
negative ones. Yes, they cause problems and make trouble for
someone. On the other hand, they allow you to see where you have the
weakness _BEFORE_ someone seriously tries to exploit it. As we
say here - the pike (in the river) doesn't let the other fish
slumber (sorry for the bad translation).

> So my position is that until we do have a practical solution to solve the
> cause of the problem, we simply have to deal with the effects the best we
> can, and this does mean dealing with and addressing the symptoms so that
> we do not suffer the effects.

I have to admit, your logical extension of my argument is valid. I
suppose if we really wanted to fix the true cause of the problem we would
track down the parents of the abusers and punish them for not raising
their kids properly. My choice of words was rather poor.

> The question is just what steps are the ones we should do.

Right. The idea that I was attempting to get across is that the problem
should be treated as close to the source as possible, and to treat the
problem in the most user invisible manner possible. I do not believe that
it is unreasonable to get networks that have not blocked amplifiers to do
so. I also don't believe that it's unreasonable to get backbone providers
to block spoofed traffic. Sure, it's definitely more difficult than just
throwing some filtering at the problem, but I think it's worth the extra
effort if it means that we still have access to a valuable tool like ping.
If we as an industry push our vendors hard enough to get these features
enabled by default in their equipment, then when a customer buys a new CPE
router, there's one less problem to worry about.

> I admire Mindspring's position of making Internet access unrestricted.
> But what is the real motivation? Is it the goal of "perfect IP" or is it
> the business case of decreasing tech support costs? They are, after all,
> in the business of providing consumer dialup access, and as we all know
> that line of business is very costly in areas of tech support. Network
> attacks are also a real cost. I would suggest that treating some of the
> symptoms, at least for now, will cut some costs until the day that we
> can achieve the utopian goal of the perfect solution to the cause.

The real motivation really is to provide unrestricted network access.
Sure we're out to make money, we are a business after all, but we also
have a set of ideals that we try to live up to as well.

Regardless, even from a strict monetary point of view, while the smurf
attacks against us are most certainly harmful, they don't cost us nearly
as much as the tech support calls blocking ICMP echo would generate.

Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
                                                            ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.

How about originating smurf attacks?

Does mindspring do filtering on dialups, or can mindspring users forge any
source address they like?

Does ANY major provider filter source addresses on their dialups?

-Dan
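Brandon's two asks (block directed broadcasts on the router that would otherwise amplify, and block spoofed traffic) and Dan's question about source-address filtering on dialups come down to two per-interface checks. The following is an added illustration of those checks, not code from any poster here and not MindSpring's or any vendor's configuration; the interface names, the 192.0.2.0/24 LAN and the 198.51.100.8/29 dialup assignment are constructed documentation prefixes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    # LANs directly attached behind this interface (directed-broadcast check).
    attached: List[IPv4Network] = field(default_factory=list)
    # Prefixes a packet arriving here may legitimately carry as its source
    # (anti-spoofing check on customer ports); None means no source filter.
    allowed_sources: Optional[List[IPv4Network]] = None


@dataclass
class Router:
    interfaces: Dict[str, Interface]

    def broadcast_targets(self) -> Dict[IPv4Address, str]:
        """Map every address that a forwarded packet would turn into a LAN-wide
        flood to the interface owning that LAN: the subnet broadcast address,
        plus the all-zeros address that older BSD-derived stacks also answer
        (the ".0 and .255" of the thread)."""
        targets: Dict[IPv4Address, str] = {}
        for iface in self.interfaces.values():
            for net in iface.attached:
                targets[net.broadcast_address] = iface.name
                targets[net.network_address] = iface.name
        return targets

    def decide(self, src: str, dst: str, ingress: str) -> Tuple[str, str]:
        """Return (verdict, reason) for a packet arriving on `ingress`."""
        src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
        iface = self.interfaces[ingress]

        # 1. Anti-spoofing on a customer port: the only acceptable sources are
        #    the addresses this customer was assigned, so a forged source
        #    address is dropped at the first hop instead of reaching a victim.
        if iface.allowed_sources is not None and not any(
            src_ip in net for net in iface.allowed_sources
        ):
            return "drop", f"spoofed source {src} on {ingress}"

        # 2. Directed broadcast: destination is the broadcast address of one of
        #    our LANs but the packet arrived from somewhere else. Forwarding it
        #    would make every host on that LAN answer, i.e. amplify.
        owner = self.broadcast_targets().get(dst_ip)
        if owner is not None:
            if owner == ingress:
                # A host broadcasting on its own LAN is never routed anyway.
                return "local", f"local broadcast on {ingress}"
            return "drop", f"directed broadcast to {dst} (LAN on {owner}) from {ingress}"

        return "forward", "ok"


def build_sample_router() -> Router:
    """Constructed topology using documentation prefixes: an upstream link
    "up0" with no source filter, a LAN 192.0.2.0/24 behind "lan0", and a
    dialup port "dial0" whose customer was assigned 198.51.100.8/29."""
    return Router({
        "up0": Interface("up0"),
        "lan0": Interface("lan0", attached=[IPv4Network("192.0.2.0/24")]),
        "dial0": Interface("dial0", allowed_sources=[IPv4Network("198.51.100.8/29")]),
    })


if __name__ == "__main__":
    r = build_sample_router()
    for pkt in [
        ("203.0.113.5", "192.0.2.255", "up0"),      # inbound to our broadcast
        ("203.0.113.5", "192.0.2.10", "up0"),       # ordinary inbound packet
        ("198.51.100.9", "203.0.113.5", "dial0"),   # customer using own address
        ("203.0.113.9", "203.0.113.5", "dial0"),    # customer forging a source
    ]:
        print(pkt, "->", r.decide(*pkt))
```

The source check runs first because a forged source is wrong regardless of destination; the directed-broadcast check is the one the quadrunner page's advice maps to, and it is what keeps a network from becoming an amplifier without touching ordinary unicast echo, which is the ping capability Brandon wants to preserve.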

> Filtering .0 and .255, or filtering echos or ICMPs, are all indeed a form
> of "fixing" the symptom. These things are being done because fixing the
> cause isn't practical.
>
> But what is the cause? Is it that kids with scripts will attack and try
> to bring down an IRC server or the network that hosts it? Or is it that
> they have the scripts in the first place? Or is it that they are using
> networks that allow them to do this in the first place?

I think blamin' the 'scriptkidz' in this instance isn't accurate. I think this
incident had a political component that is overlooked here, and one that
requires discussion. And that this smurfing was, quite possibly, an answer to
that political component.

I'm speaking about the "Nuremburg Files" which is downstream of Mindspring. For
those of you who don't know, this page is a listing of abortion providers,
clinic workers and their respective spouses. Those abortion providers and
clinic workers who have been killed are struck-through on this page, those who
have been wounded, or who have stopped providing abortions for whatever reason,
are grayed out and those remaining are, for lack of a better term, targeted,
through the collection of personal information (license plate numbers, home
addresses, phone numbers, etc...)

I bring this up, not to discuss content, but because a lawsuit has been
brought, and which began Friday, against this page charging that it is a
hit-list that crosses the line of free speech into incitement to violence. The
suit has received some national attention (was prominently featured on the CNN
webpage) and appears to be, at present, ground zero for the pro-life/pro-choice
debates...

Given all that, is it hard to believe that someone, moderately skilled in
networking but extreme in political views, attempted to shut down this page by
shutting down Mindspring?

This is the real world, people. This isn't the goodgeeks vs. the skriptkiddiez
in their own private internet bubble. It is entirely plausible (even likely,
given the timing of the case opening Friday, the subsequent publicity and the
"huge smurf attack" Saturday...) that this was a political act, and guess
what... we're squeezed in the middle. It ain't about which side of the debate
anyone on NANOG will fall on, but the fact that the debate may be falling on us.

> The cause of burglaries and thefts is bad people.

But the cause of political terrorism is extreme people. I think that, if this
smurf attack was in response to the web page "The Nuremburg Files", it is an
act of terrorism in response to an act of terrorism: that is to say the page is
extreme, so why do we not expect responses to it to be extreme? And, in the
middle, network engineers putting out the fires... networks being the
battlegrounds that these people have chosen.

> I admire Mindspring's position of making Internet access unrestricted.
> But what is the real motivation? Is it the goal of "perfect IP" or is it
> the business case of decreasing tech support costs? They are, after all,
> in the business of providing consumer dialup access, and as we all know
> that line of business is very costly in areas of tech support. Network
> attacks are also a real cost. I would suggest that treating some of the
> symptoms, at least for now, will cut some costs until the day that we
> can achieve the utopian goal of the perfect solution to the cause.

But if you want "unrestricted internet access" you'll get pages like "The
Nuremburg Files" and you'll get people who object to that...

I don't know what the solution is... but I do think we'll all be better off
opening our eyes to the situation, rather than simply blaming the
'skriptkiddiez'.

Peace,

Petr

Peter/

I am not sure about the last smurf incident, but don't overestimate the _dark
minds_ that caused it. I am 99.9% sure all (ALL) the incidents
complained about on NANOG were the same _kidscripts_.

This does not mean you should not prevent the possibility of
_cyberterrorism_, and let these _kids' plays_ help draw attention to
the security holes we have across the Internet.

Peter Swedock wrote:

[much discussion snipped for brevity]

> But if you want "unrestricted internet access" you'll get pages like "The
> Nuremburg Files" and you'll get people who object to that...
>
> I don't know what the solution is... but I do think we'll all be better off
> opening our eyes to the situation, rather than simply blaming the
> 'skriptkiddiez'.

"Unrestricted Internet Access" will indeed mean different things to
different people. For some, it'll mean access to the web without
transparent proxies. For others, it means access to properly secured
SMTP servers anywhere without someone either filtering or transparently
redirecting their packets. I tend to think of it as "don't limit my
ability to do 'normal' things."

Since I do network consulting, I may well log onto Mindspring or AT&T
Worldnet or some other ISP to run traceroutes or pings back against a
network I'm working on, to be sure it looks OK from outside. I may be
testing to see that routing policy or filters at a corporate site are
functioning correctly. So, I ask ISPs what their policies are. Granted
I'm not a typical customer.

The real lesson to be learned here, though, as others have stated, is
the 'net is getting an exposure to terrorism. Now, we can run around and
say "illegal, illegal" and try to get law enforcement to do something,
but law enforcement may well say "why don't you improve your security?"
If waging a campaign to get smurf amplifiers eradicated helps, then DO
IT. At the same time, add the ability to detect attempted smurfings, and
report them.

Take it as a gift that you were woken up to the problems by "kids"
(if that's what it was), rather than by hardcore terrorists. It may well
be time for the backbone providers and larger ISPs to develop
anti-terrorism plans. The Internet has passed the point of being a
useful tool in society and is becoming a critical element in everyday
life. Perhaps this should be a new topic at NANOG.

Dan
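Dan's suggestion to "add the ability to detect attempted smurfings, and report them" can be done from flow or ICMP logs on both sides: a victim sees echo replies arriving in blocks from many hosts of the same /24 (each amplifier LAN answers as a unit), and a network that is the source sees one of its own customers sending echo requests to somebody's broadcast address. The following is an added illustration of both checks, not code from any poster; the log format, the 192.0.2.0/24 "our network" prefix and every flow in the sample are constructed data, not captured traffic.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed: the prefix we treat as "our network" for the victim/source checks.
OUR_PREFIXES = [ipaddress.IPv4Network("192.0.2.0/24")]


class Flow(NamedTuple):
    ts: int          # seconds since start of capture
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse constructed 'ts proto src dst icmp_type' lines, keeping ICMP only."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, itype = line.split()
        if proto == "icmp":
            flows.append(Flow(int(ts), src, dst, int(itype)))
    return flows


def is_ours(addr: str) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def detect_inbound_smurf(flows, window=10, min_replies=40, min_hosts_per_net=8) -> List[Dict]:
    """Victim side. Group echo replies to each of our hosts into `window`-second
    buckets; a bucket with many replies whose sources cluster into /24s with
    many distinct responders each is a smurf, and those /24s are the
    amplifier networks whose operators need to be contacted."""
    buckets: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for f in flows:
        if f.icmp_type == 0 and is_ours(f.dst):
            buckets[(f.dst, f.ts // window)].append(f.src)

    reports = []
    for (victim, b), srcs in sorted(buckets.items()):
        if len(srcs) < min_replies:
            continue
        hosts_by_net: Dict[str, set] = defaultdict(set)
        for s in srcs:
            net = ipaddress.ip_network(f"{s}/24", strict=False)
            hosts_by_net[str(net)].add(s)
        amplifiers = sorted(n for n, h in hosts_by_net.items() if len(h) >= min_hosts_per_net)
        if amplifiers:
            reports.append({
                "victim": victim,
                "window_start": b * window,
                "replies": len(srcs),
                "amplifier_nets": amplifiers,
            })
    return reports


def detect_outbound_broadcast_pings(flows) -> Dict[Tuple[str, str], int]:
    """Source side. Echo requests leaving our network for a .0 or .255 address
    mean one of our own customers is pinging a broadcast address. This is the
    same symptom-level ".0/.255" heuristic the thread debates: it only holds
    for /24 subnets, but it is cheap and catches the common case."""
    hits: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.icmp_type == 8 and is_ours(f.src):
            if int(f.dst.rsplit(".", 1)[1]) in (0, 255):
                hits[(f.src, f.dst)] += 1
    return dict(hits)


def constructed_log() -> List[str]:
    """Synthetic sample, not captured traffic: three /24s of 20 hosts each
    answering 192.0.2.10 within ten seconds, one ordinary reply, and a
    customer pinging a broadcast address five times."""
    lines = ["# ts proto src dst icmp_type"]
    for net in ("198.51.100", "203.0.113", "100.64.7"):
        for host in range(1, 21):
            lines.append(f"{100 + host % 10} icmp {net}.{host} 192.0.2.10 0")
    lines.append("105 icmp 198.18.0.1 192.0.2.20 0")
    for k in range(5):
        lines.append(f"{200 + k} icmp 192.0.2.77 100.64.9.255 8")
    lines.append("201 tcp 192.0.2.77 198.18.0.1 0")
    return lines


if __name__ == "__main__":
    flows = parse_flows(constructed_log())
    for r in detect_inbound_smurf(flows):
        print("SMURF victim", r["victim"], "replies", r["replies"], "from", r["amplifier_nets"])
    for (src, dst), n in detect_outbound_broadcast_pings(flows).items():
        print("BROADCAST PING from", src, "to", dst, "x", n)
```

The amplifier /24 list in the victim-side report is the piece of evidence worth having when you pick up the phone to another network's NOC, which the thread notes can take hours; the source-side check is what lets a dialup provider notice it is originating an attack rather than only receiving one.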

My only question is do any of you who've been under attack report these
incidents to the FBI and the other appropriate agencies? I understand
that a lot of these places are Universities and Govt. agencies where
finding someone to fix the problem is like running through water, but I
can only wonder if having the FBI get involved in these things would help.

Two agents from the Houston office recently gave a presentation talking
about their new and expanding computer crimes divisions popping up around
the country. They kept harping on protecting the infrastructure of the
nation's public networks, and I think helping track down smurf amplifiers
would fall under this.

Invite them to NANOG, tell them to put their money where their mouth is.

-Dan

> I think blamin' the 'scriptkidz' in this instance isn't accurate. I think this
> incident had a political component that is overlooked here, and one that
> requires discussion. And that this smurfing was, quite possibly, an answer to
> that political component.
>
> I'm speaking about the "Nuremburg Files" which is downstream of Mindspring. For
>
> [...]
>
> Given all that, is it hard to believe that someone, moderately skilled in
> networking but extreme in political views, attempted to shut down this page by
> shutting down Mindspring?

It's an interesting thought. But someone who is 'moderately skilled' in
networking would have been able to do a simple nslookup to find that
www.christiangallery.com and irc.mindspring.com are in fact two completely
different machines (on different subnets even). There's a slight chance
that this was an attack launched to try to shut down the Nuremburg site,
but I'd bet money that it's Just Another IRC Server Attack.

I've discussed this with other geeks before. One day (probably soon) we'll
see a person/persons with extreme views on some issue launch an attack
on servers that support organizations that they're opposed to. It'll
be extremely interesting to see how it all happens and what the reaction
to such an attack is.

There are plenty of nuts out there, and they're getting on the Internet
in droves. God help us when they start learning about denial of service
attacks.

Robbie

We report these incidents to the FBI when there is at least a slim chance
that the perpetrator might be caught. We get a lot of very short lived
attacks (30 minutes or less) that just don't seem to be worth our time to
report to the FBI, since there's usually no data that would give them a
bit of a clue about who might have done it.

Brandon Ross, Director, Network Engineering, MindSpring Ent., Inc.

There needs to be a better communication infrastructure set up between
backbones and providers, so we can trace the perpetrators to the source
and shut them off.

Having to spend 20 minutes on hold with a *multibillion dollar telco*
while they try to find a security admin, is simply unacceptable.

Or how about multibillion dollar telcos who can't keep the email and phone
numbers on their NOC pages/InterNIC/ARIN current (e.g. bouncing email and
disconnected phone numbers).

Or how about networks with the facilities to deal with perpetrators but
are simply unwilling to do so. Eg spending several hours being smurfed,
and the backbones outright refuse to trace or filter.

All of this is simply unacceptable.

-Dan

But I'm not talking about catching the person who's initiating the
attacks, which is next to impossible if the amplifiers aren't willing or
able to help. I'm concerned about the FBI possibly playing a part in
shutting down the amplifiers. As the FBI agent who I talked with a week
ago said "We want to hear about any incident that happens because we do
trend tracking." Lord knows if enough people reported large smurf attacks
they'd at least do something.

As I'm frequently reminded by my friends at DOJ's computer crimes
section, there's not a lot that most FBI field offices can or will do
without major damage shown. Unless you count "trend tracking," I
guess.

If you're only waiting 20 minutes, you're having much better luck than me.
In our experience, it takes several hours to get in touch with someone
clueful enough and with the authority to trace a spoofed attack.

Brandon Ross, Director, Network Engineering, MindSpring Ent., Inc.