Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-27 Thread E.B. Dreger

JB> Date: Mon, 27 Jan 2003 15:19:25 -0600
JB> From: Jack Bates


JB> So, if I'm reading this right, user of Vendor L doesn't like
JB> Vendor M.  Instead of attacking Vendor M's software, the user
JB> just needs to make sure Vendor M's corporate servers get
JB> infected and cause enough damage to run Vendor M into
JB> bankruptcy from the resulting law suits?

Hey!  Sounds almost like ILEC/CLEC business, dumb patents, et
cetera!  (Not that I agree with that... not by a longshot...
but that's a real risk.)


JB> What about the small mom and pop shop? Will you watch as an
JB> old family business is run into the ground because someone
JB> didn't advise them properly on handling security? There is
JB> such a thing as making penalties too stiff.  Many good
JB> businesses would be afraid to participate. Oh, wait. Never
JB> mind. They'd have Internet Vulnerability insurance.

Perhaps IVI is a worthy idea.  Misconfigured computers certainly
have the potential to cause damages.  "We can't afford to do it
right" is a poor excuse.  Hiring an expert for a few hours is
much cheaper than the damage one can cause.

I heard a saying that, "If a business can't afford infrastructure
such as accounting, legal, et cetera, it's not a business -- it's
a hobby."

Who should bear the brunt of the damage inflicted by others?  I
don't want to see people slinging ridiculous lawsuits (fast food
causes obesity! whoulda thunk?), but I can think of several
businesses that are willfully negligent when it comes to
security.  Should they go unpunished?


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-27 Thread Valdis . Kletnieks
On Mon, 27 Jan 2003 15:53:07 EST, [EMAIL PROTECTED] said:

> The amazingly simple solution is to make it uneconomical for anyone to
> maintain unprotected network (for whatever two sets uneconomical and
> unprotected are). For example, have a machine that had been broken into and
> used to attack a company which lost $5M because of that attack, make whoever
> owns the machine was broken into pay $5M + attorney frees + punitive

So the guy who makes $25K a year and has a $400 PC in a single-wide finds
himself liable for $5M because Nimda jumped from his PC to some PC in a
large corporation, where it then goes on a large burn.

(a) How do you collect?

(b) What does the corporation do when the defense lawyer argues that it's
95% the corporation's fault for *letting* the trailer-trash PC do it?

Most corporate execs don't want to go there - they'd have to quantify that
they had $5M in damages, and then they'd have to explain to the shareholders
why their screw-up cost the shareholders $5M in lost profits/dividends.

It would be a Pyrrhic victory, at best...







Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-27 Thread Jack Bates

From: <[EMAIL PROTECTED]>

> unprotected are). For example, have a machine that had been broken into and
> used to attack a company which lost $5M because of that attack, make whoever
> owns the machine was broken into pay $5M + attorney frees + punitive
> damages. Suddently, the unprotected (for whatever the definition of
> unprotected is) networks disappear either due to the bankruptcy of the owner
> or because it becomes cheaper for the owner to maintain those unprotected
> networks rather than face monetary penalties.
>
So, if I'm reading this right, user of Vendor L doesn't like Vendor M.
Instead of attacking Vendor M's software, the user just needs to make sure
Vendor M's corporate servers get infected and cause enough damage to run
Vendor M into bankruptcy from the resulting lawsuits?

What about the small mom and pop shop? Will you watch as an old family
business is run into the ground because someone didn't advise them properly
on handling security? There is such a thing as making penalties too stiff.
Many good businesses would be afraid to participate. Oh, wait. Never mind.
They'd have Internet Vulnerability insurance.

Jack Bates
BrightNet Oklahoma




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-27 Thread alex

> alex> This is a very bad band-aid. The solution is amazingly simple -
> 
> Just to be clear, the solution to WHAT is amazingly simple?
> 
> alex> make it uneconomical to have unprotected networks,
> 
> For whom to have unprotected networks?  What constitutes a protected
> network?  How does one make it uneconomical enough?

The amazingly simple solution is to make it uneconomical for anyone to
maintain an unprotected network (for whatever two sets uneconomical and
unprotected are). For example, have a machine that had been broken into and
used to attack a company which lost $5M because of that attack, make whoever
owns the machine that was broken into pay $5M + attorney fees + punitive
damages. Suddenly, the unprotected (for whatever the definition of
unprotected is) networks disappear either due to the bankruptcy of the owner
or because it becomes cheaper for the owner to maintain those unprotected
networks rather than face monetary penalties.

Alex




Re: Streaming Video Bandwidth Requirements, WAS: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-24 Thread Numetra

Perhaps, continuing the off-topic thread...

The best compression techniques that do not use block-based methods (as
in MPEG-2/4) can achieve much better compression capabilities than
listed below and in the other follow-on thread.  For an excellent
overview of what this may do for video on demand over the Internet,
check out the September 22nd issue of The Economist.  There are
basically three types of approaches: wavelet, fractal, and heuristic (or
object?).  They are also either software-only or hardware-assisted.
I've seen one of them that claims 1.1 Mbps typically for standard
definition (480i), and about 3 Mbps for HDTV (1080i).  I'm no codec
expert, but I was amazed at the clarity, even with packet loss.  I think
we'll find video on demand and other streaming entertainment services
over our xDSL connections and Cable Modems much sooner than most people
expect.  I hope network operators are prepared for it.

You can get a typed copy of The Economist Article at:
http://fox.rollins.edu/~tlairson/ecom/video.html

Regards,

Jeff Turner

[EMAIL PROTECTED]


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
> Of Al Rowland
> Sent: Wednesday, January 22, 2003 9:28 AM
> To: [EMAIL PROTECTED]
> Subject: RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?



> Not to mention that fact that 99.99% of current consumer connections 
> are not up to the task. Standard full-screen video digital stream is
> ~6Mbps, HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)

> Al Rowland





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-23 Thread Michael Lamoureux

 "alex" == alex  <[EMAIL PROTECTED]> writes:

>> > > Sure, but this like all other attacks of this sort can be
>> > > tracked... and so the pain is over /quickly/ provided you can
>> > > track it quickly :) Also, sometimes null routes are ok.
>> >
>> > How quickly is quickly? Often times as has been my recent
>> > experience (part of my motivation for posting this thread) the
>> > flood is over before one can get a human being on the phone.
>> 
>> Once the call arrives and the problem is deduced it can be tracked
>> in a matter of minutes, like 6-10 at the fastest...

alex> So if one wants to create a really nasty, largely untrackable
alex> problem, one just needs to mount a set of attacks that last 3-4
alex> minutes at a time?

Sure, that's one way to make it difficult.


alex> This is a very bad band-aid. The solution is amazingly simple -

Just to be clear, the solution to WHAT is amazingly simple?


alex> make it uneconomical to have unprotected networks,

For whom to have unprotected networks?  What constitutes a protected
network?  How does one make it uneconomical enough?


wondering,
Michael



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-23 Thread alex

> > > Sure, but this like all other attacks of this sort can be tracked... and
> > > so the pain is over /quickly/ provided you can track it quickly :) Also,
> > > sometimes null routes are ok.
> >
> > How quickly is quickly? Often times as has been my recent experience
> > (part of my motivation for posting this thread) the flood is over before
> > one can get a human being on the phone.
> 
> Once the call arrives and the problem is deduced it can be tracked in a
> matter of minutes, like 6-10 at the fastest...

So if one wants to create a really nasty, largely untrackable problem, 
one just needs to mount a set of attacks that last 3-4 minutes at a time?

This is a very bad band-aid. The solution is amazingly simple - make it
uneconomical to have unprotected networks, the same way as it is
uneconomical for businesses that rely on internet for critical
communications not to have a firewall in place when purchasing business
interruption insurance. 

Alex




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-23 Thread alex

> Doesn't ECN depend on 'well behaved' traffic? In other words, wouldn't it
> require the hosts sending traffic to slow down? So... even if the hosts
> slowed down, 10,000 hosts still is a high traffic rate at the end point.
> :(

Yes, for ECN to work the sending host must honor the slowdown request. It
does happen transparently for most types of sockets; however, the attacker
can and will disable ECN with a single syscall.

Alex




Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-23 Thread Paul Wouters

On Thu, 23 Jan 2003, Christopher L. Morrow wrote:

> > Something I'm surprised no one has commented on considering the
> > direction of this thread has been should ISPs be responsible for
> > customer actions if they are not allowed to refuse service to customers?
> 
> ISP's can't refuse service to customers?

As I've come to understand, this depends on what system is in use. In the
Anglo-Saxon system, "free" market is everything. But in post Napoleon
France for instance, it is considered a privilege to offer commercial
services to the public, and one of the obligations that comes with that
privilege is to offer those commercial services to everyone who pays,
without discrimination.

I'm sure better suited people are around to explain these differences
better than I can.

If only revolutions wouldn't be in violation of law :)
 
Paul
-- 
God devised pigeons as a means of punishment for man. Probably after
the destruction of Sodom and Gomorrah he wanted to make sure that people
would never again feel comfortable enough in a city to repeat the sins
committed there, and he created the pigeons as a means to make the city
dwellers' lives more miserable, as a constant reminder of their past sins.




Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-23 Thread Christopher L. Morrow


On Wed, 22 Jan 2003, Baldwin, James wrote:

>
> Something I'm surprised no one has commented on considering the
> direction of this thread has been should ISPs be responsible for
> customer actions if they are not allowed to refuse service to customers?

ISP's can't refuse service to customers?

> I'm surprised this hasn't come up since the latter half of the question
> also represented a fairly "popular" thread earlier. I'm interested in
> people's opinions.
>
> James Baldwin
> Worldwide Technology Services and Operations
> Network Operations Center
> Electronic Arts, Inc.
>




Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-23 Thread Petri Helenius

>
> The first MPEG-4 HD set top boxes are beginning to appear
>
> http://www.sigmadesigns.com/news/press_releases/030108.htm
>
> Watch this space
>
If you read the document carefully, you'll figure that they support MPEG2 HDTV
(1920x1080) and MPEG4 SDTV (640x480/720x576), which was my point earlier. So
they are a little less than two cycles of Moore's law away from MPEG4 HDTV.
That would put it three years away, but if the market is there, we'll probably
see it earlier. SDTV video-over-ip services should take off first though, or
we'll end up with peer2peer set top boxes sharing premium channel services
over broadband networks.

Pete




OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Baldwin, James

Something I'm surprised no one has commented on considering the
direction of this thread has been should ISPs be responsible for
customer actions if they are not allowed to refuse service to customers?
I'm surprised this hasn't come up since the latter half of the question
also represented a fairly "popular" thread earlier. I'm interested in
people's opinions.

James Baldwin
Worldwide Technology Services and Operations
Network Operations Center
Electronic Arts, Inc.



Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread todd glassey

Andy -
- Original Message -
From: "Andy Dills" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: "Vadim Antonov" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 22, 2003 9:07 AM
Subject: Re: FW: Re: Is there a line of defense against Distributed
Reflective attacks?


> On Tue, 21 Jan 2003, todd glassey wrote:
>
> >
> > Vadim - the newest form of SPAM uses the Messenger facility to place a
> > pop-up in the middle of your screen without any email, pop, smtp or other
> > service being involved. I apologize for the tone of the first posting, but I
> > still stand by it. When ISP's are held accountable for what people do with
> > the BW they sell them, then these issues will all be moot. Until then, the
> > lie is that there is no way to stop these behaviors and its the one the
> > ISP's proffer exclusively.
>
> No, we evil network admins are NOT saying there is no way to stop these
> behaviors. We're saying that the solutions put such a crimp on open
> standards and legitimate behavior that their value is negative.

Who gave you the right to decide which laws you were going to abide by and
which ones you were not?

> The
> problem is a social one, not a technical one. The technical problem is the
> vulnerability that exists; the social problem is that as long as ANY
> vulnerability exists, people will try to exploit that vulnerability.

The reason that the vulnerability is there is because of TCP/IP's inherent
weaknesses, but that aside, there are processes that could easily be put in
place to address these issues. The problem is that they cost money, and that
means they have to be paid for, and ISP's, like many other businesses, are run
to be as profitable as possible, so that means that their owners will do as
little as humanly possible to address these issues to keep the bottom lines
where they are... Otherwise there wouldn't be the problems with SPAM and DDoS
or other Attack Forms that exist today.

> Technology can mitigate the vulnerabilities, but it cannot mitigate the
> desire to exploit.

So then the problem is the ISP's facilitating the evil forces of the world
to do their worst???

>
> For instance, substitute "airport" for "network", as in "airport
> security".

Well, this is really funny - see, I used to do Network and Systems Operations
for UAL at the SFO site, and I think your commentary is so funny it's almost
ludicrous. The problems with the airlines are the ALPA and its membership and
the various other unions that have a stranglehold on the carriers. You
folks are not unionized, are you?

> There are ways for law enforcement to be 100% positive that no
> terrorists ever steps foot on a plane. Unfortunately, the cost involved,
> along with the reduction in efficiency, would make normal travel
> impossible.

The same is not true of networking though.

>
>
> Do you try to hold real estate developers responsible for what the
> homeowner does with their house? Do you try to hold the power company
> responsible for the people who use their electricity to grow weed?

Of course not - but I do hold the provider responsible for not enforcing the
laws regarding digital fraud. And every time one of your email servers passes
a forged email along another hop in its trip, you actively participate in
the fraud, so you are not the grower of the weed but rather the reseller of
it.

>
> I assume you were beating down the doors of Congress, trying to get rock
> artists to be responsible for the people who committed suicide after
> listening to their albums?

Hardly, and Tipper and I disagree on many things.

>
> Andy
>
> 
> Andy Dills  301-682-9972
> Xecunet, LLCwww.xecu.net
> 
> Dialup * Webhosting * E-Commerce * High-Speed Access
>





Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Marshall Eubanks

Hello;

On Wednesday, January 22, 2003, at 06:04 PM, Petri Helenius wrote:

> > Drifting off-topic, but those are 'raw' data rates.  Compression algorithms
> > along with motion-estimation allow you to get full-screen video down to
> > ~1.5 Mbps with not much in the way of image quality loss.
>
> Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred.
> The 6 and 19.8 are already compressed. Obviously putting more horsepower
> to the compression you can achieve smaller data rates. However applying
> for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational
> requirements beyond current consumer state of the art.

The first MPEG-4 HD set top boxes are beginning to appear

http://www.sigmadesigns.com/news/press_releases/030108.htm

Watch this space

 Regards
 Marshall Eubanks

> > I think you'll see it long before every house has fiber run to it.
>
> 75% is enough.
>
> Pete

T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624   Fax : 703-293-9609
e-mail : [EMAIL PROTECTED]
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
 Status of Multicast on the Web  :
 http://www.multicasttech.com/status/index.html




OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Petri Helenius

> Drifting off-topic, but those are 'raw' data rates.  Compression algorithms
> along with motion-estimation allow you to get full-screen video down to 
> ~1.5 Mbps with not much in the way of image quality loss.
> 
Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred.
The 6 and 19.8 are already compressed. Obviously putting more horsepower
to the compression you can achieve smaller data rates. However applying 
for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational
requirements beyond current consumer state of the art. 

> I think you'll see it long before every house has fiber run to it.
> 
75% is enough.

Pete




Re: OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Scott Granados

It's actually funny you mention this.  I'd been working on a way to deliver
television via ATM for years, just never had much interest.  But basically,
by attaching to the cloud and then being able to draw PVCs over to DSL
lines, it should be quite possible.  Don't forget also many of us in given
areas have faster than 1.5 down; in my case it's 6 down, which should be
plenty for a good TV picture.   I'm sure Bell would love to put a set top
box in when you buy DSL, maybe even have it part of the shipping package
you get when you join which delivers TV.  Give you phone, net and TV over
one pair; they should eat that up!  Not to mention theoretically ISPs
should be able to offer it as well with their own offerings.


On Wed, 22 Jan 2003, Chris Parker wrote:

>
> At 10:58 AM 1/22/2003 -0800, Al Rowland wrote:
> >1. I also remember when web page standards required you to design
> >everything to fit in a 640x400 screen. DTV/HDTV will significantly
> >change your 'not much in the way of image quality loss' yardstick. My
> >viewing habits have changed significantly in the year plus I've been
> >DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality
> >(which is lower than HDTV) is better than most movie theaters and
> >there's no gum/spilled drink (most of the time) on my floor.
>
> Agreed, however the source video that I've seen demoed is from DVD.  Side
> by side comparison shows slight degradation, but solo viewing is more
> than adequate.  This also isn't targetted to people at the end of the
> bell curve for technology adopters and purists, rather at the fat middle
> section that isn't upgrading to ( or doesn't care about ) HDTV yet and
> for whom current "digital video" quality is "just fine".
>
> >2. I already have it. It's called broadcast. $100 (could have been less
> >but I always over design) antenna and $20 of coax. No monthly fee. I do
> >pay for the DirecTV feed, but that's a separate flame war.
>
> Last I checked "premium" channels came via Cable or Satellite.  :)  If
> you have separate DSL line and DirecTV then you are doubling up on
> delivery costs.  Would the average consumer like to "add" video to their
> DSL connection?  The cable company cuts you a deal if you have video
> and data on the same line.  Wouldn't the telco's like to compete in that
> market?
>
> >Of course, you could just as easily be right.
>
> Who knows?  :)  Reality will probably end up somewhere in the middle.
>
> -Chris
>
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>
>
>




Re: OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Chris Parker

At 10:58 AM 1/22/2003 -0800, Al Rowland wrote:

> 1. I also remember when web page standards required you to design
> everything to fit in a 640x400 screen. DTV/HDTV will significantly
> change your 'not much in the way of image quality loss' yardstick. My
> viewing habits have changed significantly in the year plus I've been
> DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality
> (which is lower than HDTV) is better than most movie theaters and
> there's no gum/spilled drink (most of the time) on my floor.

Agreed, however the source video that I've seen demoed is from DVD.  Side
by side comparison shows slight degradation, but solo viewing is more
than adequate.  This also isn't targeted to people at the end of the
bell curve for technology adopters and purists, rather at the fat middle
section that isn't upgrading to ( or doesn't care about ) HDTV yet and
for whom current "digital video" quality is "just fine".

> 2. I already have it. It's called broadcast. $100 (could have been less
> but I always over design) antenna and $20 of coax. No monthly fee. I do
> pay for the DirecTV feed, but that's a separate flame war.

Last I checked "premium" channels came via Cable or Satellite.  :)  If
you have separate DSL line and DirecTV then you are doubling up on
delivery costs.  Would the average consumer like to "add" video to their
DSL connection?  The cable company cuts you a deal if you have video
and data on the same line.  Wouldn't the telco's like to compete in that
market?

> Of course, you could just as easily be right.

Who knows?  :)  Reality will probably end up somewhere in the middle.

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Vijay Gill

"Al Rowland" <[EMAIL PROTECTED]> writes:

> mention the effect everyone on AOL going to broadband and downloading
> Disney clips all the time would have on their settlement plans with
> backbone providers.

Of course, because you are definitely being kept in the loop regarding
the AOL settlement plans?

/vijay




OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Al Rowland

1. I also remember when web page standards required you to design
everything to fit in a 640x400 screen. DTV/HDTV will significantly
change your 'not much in the way of image quality loss' yardstick. My
viewing habits have changed significantly in the year plus I've been
DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality
(which is lower than HDTV) is better than most movie theaters and
there's no gum/spilled drink (most of the time) on my floor.

2. I already have it. It's called broadcast. $100 (could have been less
but I always over design) antenna and $20 of coax. No monthly fee. I do
pay for the DirecTV feed, but that's a separate flame war.

Of course, you could just as easily be right.

Best regards,
__
Al Rowland



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Chris Parker
> Sent: Wednesday, January 22, 2003 10:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: FW: Re: Is there a line of defense against 
> Distributed Reflective attacks?
> 
> 
> 
> At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:
> 
SNIP
> Drifting off-topic, but those are 'raw' data rates.  
> Compression algorithms along with motion-estimation allow you 
> to get full-screen video down to 
> ~1.5 Mbps with not much in the way of image quality loss.
> 

SNIP
> 
> I think you'll see it long before every house has fiber run to it.
> 
> My 2 cents anyway.
> 
> -Chris
> 
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\
> --
>\ Wholesale Internet Services - 
http://www.megapop.net






Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Max's Lists

Speaking of HDSL over copper, does anyone know anything about a company
called Rose Telephone that reportedly has an HDTV over T1 service?

- Original Message -
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 22, 2003 1:02 PM
Subject: RE: FW: Re: Is there a line of defense against Distributed
Reflective attacks?


>
> At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:
>
> >Not to mention that fact that 99.99% of current consumer connections are
> >not up to the task. Standard full-screen video digital stream is ~6Mbps,
> >HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)
>
> Drifting off-topic, but those are 'raw' data rates.  Compression algorithms
> along with motion-estimation allow you to get full-screen video down to
> ~1.5 Mbps with not much in the way of image quality loss.
>
> That puts you into DSL/Wireless range.
>
> >As always, it gets down to doing the math, something may dot bombers
> >weren't (aren't) very good at. AOL/Time Warner is just the first major
> >example of this 'not yet ready for prime time' business plan. Not to
> >mention the effect everyone on AOL going to broadband and downloading
> >Disney clips all the time would have on their settlement plans with
> >backbone providers.
> >
> >When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'
> >Until then, your mileage may vary. You might also see some change in
> >settlement plans and consumer pricing about that same time.
>
> I think you'll see it long before every house has fiber run to it.
>
> My 2 cents anyway.
>
> -Chris
>
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>
>




RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Chris Parker

At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:

> Not to mention the fact that 99.99% of current consumer connections are
> not up to the task. Standard full-screen video digital stream is ~6Mbps,
> HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)

Drifting off-topic, but those are 'raw' data rates.  Compression algorithms
along with motion-estimation allow you to get full-screen video down to
~1.5 Mbps with not much in the way of image quality loss.

That puts you into DSL/Wireless range.

> As always, it gets down to doing the math, something many dot bombers
> weren't (aren't) very good at. AOL/Time Warner is just the first major
> example of this 'not yet ready for prime time' business plan. Not to
> mention the effect everyone on AOL going to broadband and downloading
> Disney clips all the time would have on their settlement plans with
> backbone providers.
>
> When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'.
> Until then, your mileage may vary. You might also see some change in
> settlement plans and consumer pricing about that same time.

I think you'll see it long before every house has fiber run to it.

My 2 cents anyway.

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Al Rowland

Not to mention the fact that 99.99% of current consumer connections are
not up to the task. Standard full-screen video digital stream is ~6Mbps,
HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)

As always, it gets down to doing the math, something many dot bombers
weren't (aren't) very good at. AOL/Time Warner is just the first major
example of this 'not yet ready for prime time' business plan. Not to
mention the effect everyone on AOL going to broadband and downloading
Disney clips all the time would have on their settlement plans with
backbone providers.

When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'.
Until then, your mileage may vary. You might also see some change in
settlement plans and consumer pricing about that same time.

Best regards,
__
Al Rowland


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of Vadim Antonov
> Sent: Tuesday, January 21, 2003 5:51 PM
> To: todd glassey
> Cc: [EMAIL PROTECTED]
> Subject: Re: FW: Re: Is there a line of defense against 
> Distributed Reflective attacks?
> 
> 
> 
> 
> On Tue, 21 Jan 2003, todd glassey wrote:
> 
> > Vadim - the instant someone sues a Provider for sexual 
> harassment from 
> > their spam epidemic you will start to see things change. The reason 
> > that No-Sane provider will block these ports or services is because 
> > they have been listening to their Network Admins too long,
> 
> We were talking about P2P, not spam.  P2P participants _want_ 
> to talk to each other, unlike spammer and his victims.  ISPs 
> already aggressively fight spammers by terminating their 
> service completely - no port blocking or lawsuits are needed.
> 
> Blocking ports is not going to prevent communication between 
> parties which wish to communicate.  And carriage of bits is 
> about an order of magnitude bigger economically than the 
> whole entertainment industry.  RIAA already was stupid 
> enough to make enemies of telcos (with that Verizon lawsuit).
> 
> The tech industry was bending themselves over to court 
> Hollywood because the common wisdom was that the content is 
> going to be what people will pay for.  Wrong.  Content-based 
> dotcoms died, and people still pay for Internet connectivity, 
> in ever-increasing numbers.  And spend more and more time in 
> front of computers instead of TVs.  Simply because live 
> people on the other end of the wire are infinitely more 
> interesting than the prechewed corporate crud called "content".
> 
> So I think we'll see some fireworks on the legal front, but 
> the outcome is already clear - unfiltered connectivity is 
> what consumers wish to pay for, not the sanitized disneys.
> 
> --vadim
> 
> 




Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Damian Gerow

On Wed, 22 Jan 2003 11:11:19 -0500 Damian Gerow <[EMAIL PROTECTED]> wrote:
> 
> (Taking NANOG out, as this is moving a little towards personal
> conversation)

Apparently, I didn't read my own Cc: line.  Sorry, folks.



Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-22 Thread Damian Gerow

(Taking NANOG out, as this is moving a little towards personal conversation)

On Tue, 21 Jan 2003 16:44:26 -0800 "todd glassey"
<[EMAIL PROTECTED]> wrote:
> 
> Vadim - the instant someone sues a Provider for sexual harassment from
> their spam epidemic you will start to see things change. The reason that
> No-Sane provider will block these ports or services is because they have
> been listening to their Network Admins too long, and in fact the problem
> is that they are not sane providers. What they are, and this is pretty
> much true across the board, is people that just don't care what they do to
> earn a buck otherwise we would not have these problems, and this is
> especially true of those Network Operators that push all those billions of
> bytes of illicit SPAM and throw their hands up and say "What do you expect
> us to do" - well the answer is simple. I expect you folks to operate
> within the law and to cooperate in stopping people who use your services
> in violation of the laws.
> 
> And if the providers out there don't like that - then they should find
> other businesses.

I think you're *nuts* if you think an ISP should be held entirely
accountable for its customers' actions.

I'm one of a handful of administrators in a small ISP, and we do our
damnedest to ensure that everything runs smoothly.  We have a fairly strict
AUP that we actually enforce, we do egress filtering (not enough, but we're
working towards it), we contact customers that are infected with virii and
worms, and we have *zero* tolerance for script kiddies (usually instant
blackholes).

IMHO, that is about all you can expect an ISP to do.  Have an AUP that
incorporates all of your problems (spam, abuse, viruses, etc), and enforce
it.  You can *not* expect the ISP to police absolutely everything that its
customers do.  You can *not* expect the ISP to be held responsible for three
of its fifteen thousand customers browsing child porn.  You can *not* expect
the ISP to be accountable for its two hundred script kiddies.

You *can* expect the ISP to have an AUP.  You *can* expect the ISP to react,
and to react quickly.  You *can* expect the ISP to co-operate with the
proper authorities, if it goes to that level.  You *can* expect the ISP to
contact and work with (when and where needed) other ISPs to track down and
solve problems.

I am a Network Admin, and I am *still* looking for an effective way to block
outbound spam from our customers.  I spent two months purging all our mail
servers of FormMail, and scan them every night for more vulnerable versions.
Do you think that I should be sued because one of these slips through the
cracks (there's a 24-hour window in which one can be installed and abused),
and you get some porn spam?  I certainly hope not.

Being able to sue ISPs for their customers' actions is pure insanity, and
will just lead to massive ISP shutdown world-wide.

However, being able to sue ISPs for *negligence* and for *ignoring*
customers' actions is a whole different boat, and I think is an idea worth
looking at.

  - Damian Gerow, an overworked, underpaid, underappreciated Network
Administrator.  Strung out on caffeine, because I spent most of last night
hashing out some more details on our anti-spamming actions.



Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-21 Thread todd glassey

Vadim - the newest form of SPAM uses the Messenger facility to place a
pop-up in the middle of your screen without any email, pop, smtp or other
service being involved. I apologize for the tone of the first posting, but I
still stand by it. When ISPs are held accountable for what people do with
the BW they sell them, then these issues will all be moot. Until then, the
lie is that there is no way to stop these behaviors and it's the one the
ISPs proffer exclusively.

Todd

- Original Message -
From: "Vadim Antonov" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 21, 2003 5:51 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed
Reflective attacks?


>
> On Tue, 21 Jan 2003, todd glassey wrote:
>
> > Vadim - the instant someone sues a Provider for sexual harassment from
their
> > spam epidemic you will start to see things change. The reason that
No-Sane
> > provider will block these ports or services is because they have been
> > listening to their Network Admins too long,
>
> We were talking about P2P, not spam.  P2P participants _want_ to talk to
> each other, unlike spammer and his victims.  ISPs already aggressively
> fight spammers by terminating their service completely - no port blocking
> or lawsuits are needed.
>
> Blocking ports is not going to prevent communication between parties which
> wish to communicate.  And carriage of bits is about an order of magnitude
> bigger economically than the whole entertainment industry.  RIAA already
> was stupid enough to make enemies of telcos (with that Verizon lawsuit).
>
> The tech industry was bending themselves over to court Hollywood because
> the common wisdom was that the content is going to be what people will pay
> for.  Wrong.  Content-based dotcoms died, and people still pay for
> Internet connectivity, in ever-increasing numbers.  And spend more and
> more time in front of computers instead of TVs.  Simply because live
> people on the other end of the wire are infinitely more interesting than
> the prechewed corporate crud called "content".
>
> So I think we'll see some fireworks on the legal front, but the outcome is
> already clear - unfiltered connectivity is what consumers wish to pay for,
> not the sanitized disneys.
>
> --vadim
>




Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-21 Thread todd glassey

Vadim - the instant someone sues a Provider for sexual harassment from their
spam epidemic you will start to see things change. The reason that No-Sane
provider will block these ports or services is because they have been
listening to their Network Admins too long, and in fact the problem is that
they are not sane providers. What they are, and this is pretty much true
across the board, is people that just don't care what they do to earn a buck
otherwise we would not have these problems, and this is especially true of
those Network Operators that push all those billions of bytes of illicit
SPAM and throw their hands up and say "What do you expect us to do" - well
the answer is simple. I expect you folks to operate within the law and to
cooperate in stopping people who use your services in violation of the laws.

And if the providers out there don't like that - then they should find other
businesses.

Todd Glassey

- Original Message -
From: "Vadim Antonov" <[EMAIL PROTECTED]>
To: "Avleen Vig" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 20, 2003 7:59 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed
Reflective attacks?


>
>
> On Mon, 20 Jan 2003, Avleen Vig wrote:
>
> >
> > On Mon, 20 Jan 2003, Christopher L. Morrow wrote:
> >
> > > > I was refering specifically to end user workstations. For example
home
> > > > machines on dial up or broadband connections.
> > > > A lot of broadband providers already prohibit running servers and
block
> > > > certain inbound ports (eg 21 and 80).
> > > > *shrug* just seems like it would make more sense to block all
incoming
> > > > 'syn' packets.
> > >
> > Indeed it does break that. P2P clients: Mostly transfer illegal content.
> > As much as a lot of people love using these, I'm sure most realise
they're
> > on borrowed time in their current state.
>
> Well, blocking TCP SYNs is not a way to block establishment of sessions
> between _cooperating_ hosts.
>
> Simply make a small hack in TCP stack to leave SYN flag clear, and use
> some other bit instead.
>
> To really block something you need an application proxy... and then there
> are always ways to subvert those. Elimination of covert channels is one of
> the hardest problems. In any case, no sane provider will restrict traffic
> only to applications which can be served by its proxies.
>
> Going further, the growing awareness of the importance of security will
> cause more and more legitimate apps to create totally indiscriminate
> encrypted traffic... and it is a good idea to routinely encrypt all
> traffic, to avoid revealing importance of particular communications.
> Leaving identity of applications (different port #s) in the clear is also
> a bad idea, security-wise.
>
> --vadim
>




Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-20 Thread Scott Granados

And there are legal uses for p2p.  I have a customer who works with some of
these technologies for legal and approved file transfers like game
publishing.

- Original Message -
From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
To: "Avleen Vig" <[EMAIL PROTECTED]>
Cc: "Christopher L. Morrow" <[EMAIL PROTECTED]>; "Daniel Senie" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, January 20, 2003 5:22 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed
Reflective attacks?


>
>
> On Mon, 20 Jan 2003, Avleen Vig wrote:
> > > Doesn't this stop kazaa/morpheus/gnutella/FTP/ > > chats>? This is a problematic setup, and would require the cable modem
> > > provider to maintain a quickly changing 'firewall' :( I understand the
> > > want to do it, but I'm not sure its practical to see it happen based
> > > solely on the hassle factor :( Hmm, security, "you gotta pay to play"
> > > (Some famous man once said that I believe)
> >
> > Indeed it does break that. P2P clients: Mostly transfer illegal content.
> > As much as a lot of people love using these, I'm sure most realise
they're
> > on borrowed time in their current state.
> > And I'm sure that if they were gone tomorrow, I'm sure they'd be back in
> > another fashion soon.
>
> That may be, but it's still a problem... I believe http and ftp also
> transfer illegal content, should we shut them down? Email too? Often there
> is illegal content in email. :(
>
> > Ftp/HTTP etc I believe most cable providers currently block these anyway
> > :-)
> >
>
> for FTP I was talking about non-passive data traffic.
>
>
>




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-20 Thread Stewart, William C (Bill), RTLSL

> > > > Block all TCP 21 and 80 ?
> > > Why not just block all incoming SYN ?
> > Doesn't this stop kazaa/morpheus/gnutella/FTP/? 
> Indeed it does break that. P2P clients: Mostly transfer illegal content. [...]
> Ftp/HTTP etc I believe most cable providers currently block these anyway :-)
> There's a chance it'd break things like file transfers on IM clients but
> I'm sure they'd be altered too.

The policy of some cable modem companies against running anything
resembling a server is even more clueless from a business perspective
than it is from a technical perspective, but that's a rant for another list.

I'd assumed the "block all SYN" was humor, but if we're discussing it
seriously, it's a genuinely bad idea.
A large number of applications really are servers, such as the 
listener clients for IM systems (including IRC as well as commercial ones),
VOIP clients, Netmeeting and other videoconference tools, and
Games, which are one of the critical markets for selling broadband.
Some of them use UDP for everything that isn't central-server based,
either for packet-loss-tolerant apps or else for reinventing TCP the hard way,
or sometimes for NAT traversal, but many of them do or should use TCP.

Bill Stewart
Official Technical Spokesperson for ~0.1% of Comcast cable network.




Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-20 Thread Jeff Workman

Stoned koalas drooled eucalyptus spit in awe as Avleen Vig exclaimed:



> > Doesn't this stop kazaa/morpheus/gnutella/FTP/? This is a problematic
> > setup, and would require the cable modem provider to maintain a quickly
> > changing 'firewall' :( I understand the want to do it, but I'm not sure
> > it's practical to see it happen based solely on the hassle factor :( Hmm,
> > security, "you gotta pay to play" (Some famous man once said that I
> > believe)

> Indeed it does break that. P2P clients: Mostly transfer illegal content.
> As much as a lot of people love using these, I'm sure most realise they're
> on borrowed time in their current state.

And it's your job as a network provider to determine the legality of your 
users' activities?  Plus, you said the magic word "mostly".  What about 
legit uses of P2P networks?  Do you also stop your users from using NNTP as 
well, since it's "mostly" used for porn and warez?  How about email? Since, 
from the looks of my mail logs, SMTP traffic is "mostly" spam and sircam. :)

I'm sure your users would certainly pack up and take their business 
elsewhere if you placed these restrictions on them.  Why not just put them 
all behind a firewall on RFC-1918 addresses, if you are going to block all 
incoming SYNs?

> And I'm sure that if they were gone tomorrow, I'm sure they'd be back in
> another fashion soon.

Any true P2P system is going to need at least one end user to receive a SYN.

> Ftp/HTTP etc I believe most cable providers currently block these anyway

I also believe this is usually stated in their TOS that they're not allowed 
to run services on their home computers.  If I'm on IRC and I initiate an 
outgoing DCC chat, the open port on my box awaiting the connection is 
hardly a "service."

> There's a chance it'd break things like file transfers on IM clients but
> I'm sure they'd be altered too.


Unless I'm missing something, wouldn't it be necessary to modify both the 
clients and the servers to pass all FT traffic through the servers? I'm 
sure those who sell bandwidth to AOL and Yahoo would love it if they did 
that, but I don't see it happening.

-Jeff

--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org


OT: Is there a line of defense against Distributed Reflective attacks?

2003-01-20 Thread Al Rowland

I particularly enjoyed my time in (Northern) Europe due to the
cleanliness of the streets and parking lots. No pools of dripped fluids
in every space. Made motorcycle riding much more enjoyable. Rather
strict inspection requirements then. If your car had visible drips when
inspected underneath or corrosion (rust spots where probed with
screwdrivers, if it went through, no pass.) you didn't pass. Analogies
to hardware/software are left as an exercise for the reader.

Of course, this system was subject to the same issues any consumer
system has. Market conditions still applied.

Best regards,
__
Al Rowland

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of David Howe
> Sent: Monday, January 20, 2003 2:40 AM
> To: Email List: nanog
> Subject: Re: Is there a line of defense against Distributed 
> Reflective attacks?
> 
> 
> 
SNIP
> I would assume though, that if a particular model of car were 
> frequently shedding dangerous fragments onto the road due to 
> design flaws, the highway department might expect something 
> be done to fix the cars and save them all that work and expense.
> 
> 
> 




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-20 Thread David Howe

at Monday, January 20, 2003 5:25 AM, Deepak Jain <[EMAIL PROTECTED]> was
seen to say:
>> What incentive does the end-user have to use secure systems?  Should
>> Microsoft, Sun, Sendmail Inc or ISC be required to send a technician
>> out to fix every defective system they released?  Why should the ISP
>> be held accountable for the defects created by others?  Car makers
>> have to fix defective cars, not the highway department.
> Without jumping into this discussion, I would like to make the point
> that if a car on the highway drops something... a pebble. a window.
> tacks. or any other item on the highway that is potentially hazardous
> or inconvenient to others who want to use that highway... the car
> manufacturer doesn't come out, the highway department does.
> As long as the car _moves_ under its own power across the highway, it's
> essentially not the car manufacturers' (or the consumers') immediate
> concern.
I would assume though, that if a particular model of car were frequently
shedding dangerous fragments onto the road due to design flaws, the
highway department might expect something be done to fix the cars and
save them all that work and expense.





RE: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread Deepak Jain

> > As long as the car _moves_ under its own power across the highway, it's
> > essentially not the car manufacturers' (or the consumers') immediate
> > concern.
>
>   That's really not true.  Before car companies sell cars, they
> pass (lots of) safety certification tests.  Before owners drive
> cars legally, they pass a safety and emissions test.  Sure, the
> highway folks clean up after the occasional tire blowout, but
> there's been a lot of work put in to make sure that the engines
> aren't going to drop out on a regular basis.
>
>   If the Internet was a highway, it would be covered in
> burned-out engines.
>

True, in the literal sense. 1) Software companies and hardware manufacturers
have their own QA, focus groups and eval processes. Since very few people
will die in the event of a burned-out engine on the Internet. Determination
of the value of these things is up to the reader.

An internal combustion engine is a much older, more widely tested thing than
the "cars" we drive on the Internet and it figures that in reliability/safety
numbers they win.

The motherboards don't blow out, and the asphalt that makes the Internet
highway works too (generally).

DJ




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread David G. Andersen

On Mon, Jan 20, 2003 at 12:25:27AM -0500, Deepak Jain mooed:
> 
> As long as the car _moves_ under its own power across the highway, it's
> essentially not the car manufacturers' (or the consumers') immediate
> concern.

  That's really not true.  Before car companies sell cars, they
pass (lots of) safety certification tests.  Before owners drive
cars legally, they pass a safety and emissions test.  Sure, the
highway folks clean up after the occasional tire blowout, but
there's been a lot of work put in to make sure that the engines
aren't going to drop out on a regular basis.

  If the Internet was a highway, it would be covered in burned-out engines.

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.



RE: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread Deepak Jain


>
> What incentive does the end-user have to use secure systems?  Should
> Microsoft, Sun, Sendmail Inc or ISC be required to send a technician out
> to fix every defective system they released?  Why should the ISP be held
> accountable for the defects created by others?  Car makers have to fix
> defective cars, not the highway department.
>

Without jumping into this discussion, I would like to make the point that if
a car on the highway drops something... a pebble. a window. tacks. or any
other item on the highway that is potentially hazardous or inconvenient to
others who want to use that highway... the car manufacturer doesn't come
out, the highway department does.

As long as the car _moves_ under its own power across the highway, it's
essentially not the car manufacturers' (or the consumers') immediate
concern.

Deepak Jain
AiNET





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread Sean Donelan

On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
> >   3) Find and convict the true attacker
>
> Hash-based trace might help on that, *if* there was recording of the
> packets to the zombies.  But doing that ubiquitously might -- would? --
> turn the Internet into a surveillance state.

Yep, the hard question isn't if we can, but if we should.  We have the
advantage of Casino Network Traffic Analysis, the longer you play the odds
favor the house.  Tracking a single packet is difficult.  But when the
player keeps returning, eventually you can find them.

Traffic analysis doesn't require looking at every packet, or even beyond
the packet header. Starting with the 750 zombies and slowly working
backwards is time consuming and expensive.  On the other hand, putting a
few thousand taps in the network is getting easier all the time.  Vendors
are including more Network Intrusion Detection features in their
products.  Most of the DDOS products on the market today include some type
of traffic flow monitoring.  With the right incentives, I'm sure the
vendors can improve their products.

But then we get to the unintended consequences.  Once you collect the
traffic data, who else will want to use it for other things?  I'm not
just talking about the government, but also divorce lawyers wanting
dirt on spouses, companies tracking and silencing critics, or even hackers
getting the records.


> >   2) Track and stop DDOS quickly when it does happen
>
> That's the point of pushback.

Triggered black holes, pushback, etc will help.  But reactive measures
aren't a complete answer.

> >So how do we
> >   1) Make end-user systems less vulnerable to being compromised
>
> That's my real goal...

What incentive does the end-user have to use secure systems?  Should
Microsoft, Sun, Sendmail Inc or ISC be required to send a technician out
to fix every defective system they released?  Why should the ISP be held
accountable for the defects created by others?  Car makers have to fix
defective cars, not the highway department.




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread Kurt Erik Lindqvist


Without getting too much into the likelihood of any legal body actually
understanding anyone's role in an attack besides the attacker and the
victim, in this land where tobacco companies are sued by smokers who
get lung cancer and fast food restaurants are sued by fat people there
must be room for such cases as:

"XYZ Corp cost me $5mil in lost business. They were negligent in
securing their (network|host) from being used as a DoS attack tool
despite being informed of such by us both before and during said
attack."




and I always thought the US legal system was flawed. Where do I 
file? :)

- kurtis -



RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread Ray Burkholder

This whole 'Internet Thing' is a one of the wonders of the modern world.
A  public transport system that has handled growth easily and
efficiently for many years.  Some people get leisure from it, some make
money from it, some do research on it, some communicate on it.  It
is one of the most pervasive things I've seen.

Because of the internet's inherent distributed nature, legislation will
get you nowhere, and besides, legislation is the easy way out, and not
very effective at that.  Market forces and the golden rule (if that
combo actually works, I'd be amazed) should drive the direction of this
dynamic animal we call 'The Internet'.

If we lived in Nirvana, the Internet would be a beautiful thing.  But as
we live in reality, we have to take the good with the bad.  But overall,
I think the Good is winning over the Bad.

I say:  Cool.

Ray Burkholder


> -Original Message-
> From: todd glassey [mailto:[EMAIL PROTECTED]] 
> Sent: January 19, 2003 12:02
> To: Christopher L. Morrow; Stewart, William C (Bill), RTLSL
> Cc: [EMAIL PROTECTED]
> Subject: Re: FW: Re: Is there a line of defense against 
> Distributed Reflective attacks?
> 
> 
> You nor any of the ISPs may like this but the facts of the 
> matter are pretty clean and easily discerned and they all 
> point to the Governance Model for developing and releasing 
> protocols whole cloth on the Internet, no matter what they 
> enable people to do. It's time to take a close accounting of 
> what this "Internet" thing really is and put some stronger 
> legislation in place.
> 
> Todd Glassey
> 
> - Original Message -
> From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
> To: "Stewart, William C (Bill), RTLSL" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 6:29 PM
> Subject: Re: FW: Re: Is there a line of defense against 
> Distributed Reflective attacks?
> 
> 
> >
> >
> > On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:
> >
> > >
> > >
> > >
> > > -Original Message-
> > > From: Stewart, William C (Bill), RTLSL
> > > Sent: Friday, January 17, 2003 5:35 PM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: Re: Is there a line of defense against Distributed 
> > > Reflective attacks?
> > >
> > >
> > > Many of these attacks can be mitigated by ISPs that do 
> anti-spoofing 
> > > filtering on input - only accepting packets from user
> ports
> >
> > Sure, but this is a proven non-scalable solution. HOWEVER, 
> filtering 
> > as close to the end host is scalable and feasible... do it 
> there, it 
> > makes MUCH more sense to do it there.
> >
> > > that have IP addresses that are registered for that port, and not 
> > > accepting incoming packets from outside their network 
> that claim to 
> > > be from inside (except maybe from registered dual-homed
> hosts.)
> > > This cuts down on many opportunities for forgery,
> > > and means that SYN Flood attacks have a much more limited set of 
> > > addresses they can forge (e.g. an attacker or zombie can only 
> > > impersonate other ips sharing its /24 or /29, so it can't 
> pretend to 
> > > be its victim in a reflection or smurf attack.)
> > >
> > > That doesn't stop all reflection attacks; a zombie on a 
> network that 
> > > doesn't do anti-spoofing can send SYNs to a big server on 
> a network 
> > > that also doesn't anti-spoof, so the server will still SYN-ACK
> >
> > it's not the 'server' that needs 'anti-spoof', it's the end host, the 
> > machine in your livingroom that is on a cable modem for instance... 
> > the server in this instance is a simple, innocent, machine 
> > doing its 
> > business.
> >
> > > to the victim.  This cuts out a lot of potential zombie/server 
> > > pairs. If the server that's being used for reflection is 
> someone the 
> > > victim would often talk to, that's a problem (you'd 
> rather not block 
> > > connections to Yahoo), but if it's someone the victim 
> doesn't care 
> > > about talking to (like router23.example.net) you don't 
> mind blocking 
> > > it. (Also, why is router23.example.net SYNACKing somebody 
> it doesn't 
> > > know?)
> > >
> >
> > This is an interesting point. The routers shouldn't really 
> syn-ack (in 
> > this example) bgp from 'unknown' places... unless you are a 
> neighbor

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread todd glassey

Christopher, IP filtering is something that needs to be legally mandated and
put in place at both ends. Any tier-2/3 provider should be held accountable
for any frauds that they enable their customers to commit, since there is
no other technical point of responsibility possible. As to spoofed IPs that
also is an issue, and the failure of the ISPs to put in place an
infrastructure where they could enact better controls is part and parcel to
their public denial of responsibility for what their customers do.

But I think that those days are rapidly coming to a close, and the Network
Providers will be called to task. As to TCP/IP and the inherent design flaws
that allow people to spoof it, those too are much the responsibility of the
"networking community" as a whole as well and need to be addressed therein.

You nor any of the ISPs may like this but the facts of the matter are
pretty clean and easily discerned and they all point to the Governance Model
for developing and releasing protocols whole cloth on the Internet, no
matter what they enable people to do. It's time to take a close accounting of
what this "Internet" thing really is and put some stronger legislation in
place.

Todd Glassey

- Original Message -
From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
To: "Stewart, William C (Bill), RTLSL" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 17, 2003 6:29 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed
Reflective attacks?


>
>
> On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:
>
> >
> >
> >
> > -Original Message-
> > From: Stewart, William C (Bill), RTLSL
> > Sent: Friday, January 17, 2003 5:35 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Is there a line of defense against Distributed Reflective
> > attacks?
> >
> >
> > Many of these attacks can be mitigated by ISPs that do
> > anti-spoofing filtering on input - only accepting packets from user
ports
>
> Sure, but this is a proven non-scalable solution. HOWEVER, filtering as
> close to the end host is scalable and feasible... do it there, it makes
> MUCH more sense to do it there.
>
> > that have IP addresses that are registered for that port,
> > and not accepting incoming packets from outside their network
> > that claim to be from inside (except maybe from registered dual-homed
hosts.)
> > This cuts down on many opportunities for forgery,
> > and means that SYN Flood attacks have a much more limited set of
> > addresses they can forge (e.g. an attacker or zombie can only
> > impersonate other ips sharing its /24 or /29,
> > so it can't pretend to be its victim in a reflection or smurf attack.)
> >
> > That doesn't stop all reflection attacks; a zombie on a network
> > that doesn't do anti-spoofing can send SYNs to a big server on a
> > network that also doesn't anti-spoof, so the server will still SYN-ACK
>
> it's not the 'server' that needs 'anti-spoof', it's the end host, the machine
> in your livingroom that is on a cable modem for instance... the server in
> this instance is a simple, innocent, machine doing its business.
>
> > to the victim.  This cuts out a lot of potential zombie/server pairs.
> > If the server that's being used for reflection is someone the
> > victim would often talk to, that's a problem
> > (you'd rather not block connections to Yahoo),
> > but if it's someone the victim doesn't care about talking to
> > (like router23.example.net) you don't mind blocking it.
> > (Also, why is router23.example.net SYNACKing somebody it doesn't know?)
> >
>
> This is an interesting point. The routers shouldn't really syn-ack (in
> this example) bgp from 'unknown' places... unless you are a neighbor you
> get squat, or that would be a nice feature, eh? :) For some folks, the
> problems aren't confined to just bgp, telnet or ssh on routers are also
> problematic, vty ACLs are important :)
>
> > But there are probably 20 million web servers or Kazaa or IM clients out
there,
> > and probably half of them are on networks that don't spoof-proof,
> > so blocking those is much tougher than blocking the big ones.
> > And next stop - reflection attacks using big domain servers...
> >
>
> Hmm, I'm not sure, again, that the spoof proof needs to be on the kazaa
> server network, it needs to be on the network where the originating
> attacker is, preferably as close to that host as possible, like its
> default router... Now, the problems with 60million kazaa clients opening
> the floodgates on you are a whole nother problem :)
>





Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread Johannes Ullrich

> *shrug* just seems like it would make more sense to block all incoming
> 'syn' packets.
> Wouldn't that be faster than inspecting the destination port against two
> separate rules?

blocking all SYNs will break too much other stuff (Instant Messengers,
games ...). I think we would be much better off if they (consumer ISPs)
would block 135-139 and 445, maybe 21 and 80.

The rest could be handled with a simple IDS (doesn't even need
to match patterns... just count packets going to 27374 and the like)

I keep saying ISPs would be much better off if they implement these 
filters. But not all of them agree. IMHO: less 'zombies' -> better
service -> less support phonecalls.



-- 

[EMAIL PROTECTED] Collaborative Intrusion Detection
 join http://www.dshield.org




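The two mechanisms in the post above, a consumer-edge port block and an IDS that does nothing but count packets to a port like 27374, as an added example (not dshield.org code). The flow records, the alert threshold and the watched ports other than 27374 are constructed for illustration.

```python
# Consumer-edge port filter plus the "just count packets" IDS described
# above. Added example, not dshield.org's code; the flow records, the
# watch list beyond 27374 and the alert threshold are constructed.
from collections import defaultdict

# Inbound ports the post suggests consumer ISPs block (135-139, 445,
# "maybe 21 and 80"). Everything else, SYNs included, passes.
BLOCKED_INBOUND = set(range(135, 140)) | {445, 21, 80}
# Ports whose packet count alone is worth an alarm: 27374 is the classic
# SubSeven port; the other two are assumed additions for the example.
WATCHED_PORTS = {27374, 1243, 31337}
ALERT_THRESHOLD = 5   # distinct targets on a watched port (assumed value)

# Constructed flow records: direction, source, destination, proto, dport.
FLOWS = """\
in  198.51.100.7  192.0.2.10   tcp 445
in  198.51.100.7  192.0.2.11   tcp 139
in  203.0.113.9   192.0.2.12   tcp 443
out 192.0.2.20    203.0.113.1  tcp 27374
out 192.0.2.20    203.0.113.2  tcp 27374
out 192.0.2.20    203.0.113.3  tcp 27374
out 192.0.2.20    203.0.113.4  tcp 27374
out 192.0.2.20    203.0.113.5  tcp 27374
out 192.0.2.20    203.0.113.6  tcp 27374
out 192.0.2.21    203.0.113.7  tcp 27374
out 192.0.2.22    203.0.113.8  tcp 80
"""


def parse_flows(text):
    """One dict per non-empty line of the whitespace-separated format above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, src, dst, proto, dport = line.split()
        records.append({"dir": direction, "src": src, "dst": dst,
                        "proto": proto, "dport": int(dport)})
    return records


def edge_filter(records):
    """Drop inbound TCP to the blocked ports; pass everything else."""
    passed, dropped = [], []
    for r in records:
        if r["dir"] == "in" and r["proto"] == "tcp" and r["dport"] in BLOCKED_INBOUND:
            dropped.append(r)
        else:
            passed.append(r)
    return passed, dropped


def count_watched(records):
    """Per (customer source, watched port): number of distinct targets.
    No pattern matching at all, just counting, as the post suggests."""
    targets = defaultdict(set)
    for r in records:
        if r["dir"] == "out" and r["dport"] in WATCHED_PORTS:
            targets[(r["src"], r["dport"])].add(r["dst"])
    return {key: len(dsts) for key, dsts in targets.items()}


def alerts(records, threshold=ALERT_THRESHOLD):
    """Sources that hit at least `threshold` distinct targets on one port."""
    return sorted((src, port, n) for (src, port), n in
                  count_watched(records).items() if n >= threshold)


def run(text=FLOWS):
    """Filter first, then count what the filter let through."""
    passed, dropped = edge_filter(parse_flows(text))
    return {"dropped": len(dropped), "passed": len(passed),
            "alerts": alerts(passed)}


if __name__ == "__main__":
    print(run())
```

On the constructed records the two inbound NetBIOS/SMB probes are dropped, everything else (including outbound SYNs to port 80) passes, and 192.0.2.20 is flagged for hitting six different hosts on 27374 while the single hit from 192.0.2.21 stays below the threshold.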

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-19 Thread John Kristoff

On Sat, Jan 18, 2003 at 10:45:11PM -0600, Chris Adams wrote:
> How is this different than "ip verify unicast reverse-path" (modulo CEF
> problems and bugs, which of course NEVER happen :-) )?

It would be useful for all sorts of things besides verifying a source
address.  So in addition to complicated configurations such as multi-
homing/paths that you mention, it could also be useful for standard
filters on protocols, ports, logging and so on.

John



Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Chris Adams

Once upon a time, John Kristoff <[EMAIL PROTECTED]> said:
> It might be nice if all router vendors were able to associate the
> interface configured address(es)/nets as a variable for ingress
> filters.  So for in the Cisco world, a simple example would be:
> 
>   interface Serial0
>    ip address 192.0.2.1 255.255.255.128
>    ip access-group 100 in
>   !
>   interface Serial1
>    ip address 192.0.2.129 255.255.255.128
>    ip access-group 100 in
>   !
>   access-list 100 permit ip $interface-routes any
>   access-list 100 deny ip any any

How is this different than "ip verify unicast reverse-path" (modulo CEF
problems and bugs, which of course NEVER happen :-) )?

Multihomed customers are more interesting, but if all the single homed
customers had uRPF (or $VENDOR's equivalent) enabled it would cut down
on a significant amount of the spoofed traffic.

-- 
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread E.B. Dreger

SD> Date: Sat, 18 Jan 2003 21:22:14 -0500 (EST)
SD> From: Sean Donelan


SD> 1) Make end-user systems less vulnerable to being compromised

With consumers, "cheap and easy" usually wins.  More often than
not, I hear "I don't care if someone breaks into my computer or
my email, because I don't have anything private".  One of our
customers knowingly had the ILOVEYOU virus for I can't remember
how many months.  (Gotta love the rejected mail logs on _that_
one.)

With essentially one desktop OS, there's not a huge amount of
pressure to make a better product.  How many known bugs were in
the fraction of Windows source code involved in the antitrust
case?  My memory fades, but it seems code quality in the most
popular OS is not the highest priority.


SD> 2) Track and stop DDOS quickly when it does happen

Is it TCP/80 DDoS, or did you just get slashdotted?  (I suppose
that goes along with #3, below.)


SD> 3) Find and convict the true attacker

IOW, find the "magic packet" someone used to bring 10,000 zombies
to life.

Question:  Just how often do people need end-to-end IP traffic?
I'm not suggesting blocking it; that would be bad.  But look at
AOL's proxied Web and email service... most people are none the
wiser.  Perhaps end-to-end traffic should be blocked at the edge
until .

And, oh yeah, "shut off the malicious and clueless" has worked
just great for stopping spam, hasn't it?  As Chris Morrow and
others so often and aptly mention -- technical problem or social
malady?


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~
Date: Mon, 21 May 2001 11:23:58 + (GMT)
From: A Trap <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <[EMAIL PROTECTED]>, or you are likely to
be blocked.




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Sean
 Donelan writes:
>
>On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
>> theory, trace a single packet.  But the real problem with either idea
>> is this:  suppose that you know, unambiguously and unequivocally, that
>> 750 zombies are attacking you.  What do you do with that information?
>
>The reality is it's not 750 zombies, it's generally one person controlling
>750 zombies attacking you.

Right -- and neither itrace nor hash-based tracing are going to solve 
that:
>

>   3) Find and convict the true attacker

Hash-based trace might help on that, *if* there was recording of the 
packets to the zombies.  But doing that ubiquitously might -- would? -- 
turn the Internet into a surveillance state.
>

>   2) Track and stop DDOS quickly when it does happen

That's the point of pushback.

>So how do we
>   1) Make end-user systems less vulnerable to being compromised

That's my real goal...

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread E.B. Dreger

CLM> Date: Fri, 17 Jan 2003 05:16:43 + (GMT)
CLM> From: Christopher L. Morrow


CLM> Egress filters are a distraction... today you don't have to
CLM> spoof. These are the red herring of 'security'.

They're one component, but not the cure-all.  With an increasing
number of "h4x0r3d" hosts, anti-spoofing's importance certainly
diminishes.  However...


CLM> Hmm, but the smaller the network the easier to filter it
CLM> is... right?

...you said it.  From an equipment standpoint, anyway.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Sean Donelan

On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
> theory, trace a single packet.  But the real problem with either idea
> is this:  suppose that you know, unambiguously and unequivocally, that
> 750 zombies are attacking you.  What do you do with that information?

The reality is it's not 750 zombies, it's generally one person controlling
750 zombies attacking you.

The firefighter approach is not a complete solution.  Putting out the
fire is only part of the answer.  You also need to stop the arsonist
from setting more fires and improve the building codes to reduce the risk.

We need to do more than just waiting for complaints and putting in more
and more null routes all over the network.  On the other hand, ingress
filtering is not a complete solution either. There are some things some
networks can do easier than other networks. But there isn't just one fix
which will work for everyone, or which will solve the problem.  Null
routes alone didn't solve the spam problem, and I doubt it will solve the
DDOS problem.

So how do we
   1) Make end-user systems less vulnerable to being compromised
   2) Track and stop DDOS quickly when it does happen
   3) Find and convict the true attacker




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, "David G. Andersen" writes:
>
>On Fri, Jan 17, 2003 at 01:11:14AM -0500, David G. Andersen mooed:
>> 
>>   b)  Ioannidis and Bellovin proposed a mechanism called "Pushback"
>>   for automatically establishing router-based rate limits to
>>   staunch packet flows during DoS attacks.
>>   [NDSS 2002, "Implementing Pushback:  Router-Based Defense
>>Against DDoS Attacks"]
>
>  I should have been a bit more accurate here.  The proposal for
>pushback is actually earlier than the implementation paper I cited above:
>
>  "Controlling High Bandwidth Aggregates in the Network.  Ratul Mahajan,
>   Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott
>   Shenker.  July, 2001."
>
>and it also included an internet-draft:
>
>  http://www.aciri.org/floyd/papers/draft-floyd-pushback-messages-00.txt
>
>I believe that Steve Bellovin gave a talk about it at NANOG 21:
>
>  http://www.research.att.com/~smb/talks/pushback-nanog.pdf

Here are the citations to the published papers:

# Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis,
Vern Paxson, and Scott Shenker, Controlling High Bandwidth Aggregates
in the Network, Computer Communications Review 32:3, July 2002,
pp. 62-73.
http://www.research.att.com/~smb/papers/pushback-CCR.ps

# John Ioannidis and Steven M. Bellovin, "Implementing Pushback:
Router-Based Defense Against DDoS Attacks", NDSS, February 2002.
http://www.research.att.com/~smb/papers/pushback-impl.ps

The publication dates notwithstanding, Mahajan et al. came first.

As for the I-D -- we haven't had the cycles to work on it.  There's 
reason to hope that activity will pick up.

Re: I'm not sure its all
  that practical. I don't see that its helpful if it turns off services
 'automatically'

In theory, it doesn't turn off the service to all comers; it turns off 
the service along pipes from which the attack is coming.  Just how good 
a job it will do at stopping collateral damage will depend on how far 
back there are pushback-enabled routers.  If an ISP deployed it, but 
didn't speak pushback to its neighbors, clients on that same ISP's 
network should be able to access the service, as could peers who 
weren't the source of the garbage.  But if some peer is sending an 
OC-12's worth of DDoS packets -- yes, all clients (or transit users) of 
that peer would be shut out.

ICMP traceback is the subject of the IETF itrace working group.
draft-ietf-itrace-03.txt just came out yesterday.  The SPIE hash-based 
traceback is a much cooler idea, but it has some practical limitations, 
including the need to do the trace in more or less real-time (once the 
hash table fills up, it becomes useless), and the need for very large 
amounts of very fast memory on the tracing routers.  There was an IETF 
BoF on it, but the folks behind it haven't been pushing it much.  
(Randy, do you know the status of it?)  Both itrace and hash-based 
trace have some technical issues.  itrace can handle only DoS-type 
attacks, since it's statistical in nature; hash-based traceback can, in 
theory, trace a single packet.  But the real problem with either idea 
is this:  suppose that you know, unambiguously and unequivocally, that 
750 zombies are attacking you.  What do you do with that information?


--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)





Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread John Kristoff

On Sat, Jan 18, 2003 at 08:58:13AM -0500, Daniel Senie wrote:
> While it's nice that router vendors implemented unicast RPF to make 
> configuration in some cases easier, using simple ACLs isn't necessarily 
> hard at the edges either.

It might be nice if all router vendors were able to associate the
interface configured address(es)/nets as a variable for ingress
filters.  So for in the Cisco world, a simple example would be:

  interface Serial0
   ip address 192.0.2.1 255.255.255.128
   ip access-group 100 in
  !
  interface Serial1
   ip address 192.0.2.129 255.255.255.128
   ip access-group 100 in
  !
  access-list 100 permit ip $interface-routes any
  access-list 100 deny ip any any

Those sorts of features could make the scaling issue much easier
for large providers and environments where routers may have lots
of interfaces.  An operator could also essentially build tools to
automatically configure/verify configurations this way, but I
think it would be better for the router vendors to do this for us.

John



Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-18 Thread Daniel Senie

At 09:29 PM 1/17/2003, Christopher L. Morrow wrote:




On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:

>
>
>
> -Original Message-
> From: Stewart, William C (Bill), RTLSL
> Sent: Friday, January 17, 2003 5:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Is there a line of defense against Distributed Reflective
> attacks?
>
>
> Many of these attacks can be mitigated by ISPs that do
> anti-spoofing filtering on input - only accepting packets from user ports

Sure, but this is a proven non-scalable solution. HOWEVER, filtering as
close to the end host is scalable and feasible... do it there, it makes
MUCH more sense to do it there.


Well, let's see... on dialup circuits it should be done and should be a 
no-brainer. After all, ISPs are required (by UUNet at least) to push in 
filters to ensure dialup users can only reach port 25 of that ISPs mail 
servers and be blocked from all other spots. How hard is it to push in one 
more filter that checks the source IP address of the dialup user to ensure 
the address coming from the user is the one assigned?

Sure, dialups are not the only problem, but it's an example of blocking 
close (very close) to the edge.

Each time an ISP sells a T1 with a router and assigns a block of addresses, 
there's an opportunity to configure that router with filters 
(ingress/egress depending on which side you look at it from) and at least 
simple firewalling rules. Is this an expense to the installing ISP, or a 
cost savings in not having to deal with attacks that came from that network 
later? Even when a customer provides the CPE, providing sample 
configurations really costs little and would help. In many cases, the 
vendor supplying that T1 is one of the same companies which also handles 
the "core" so it's REALLY in their best interest to take little steps to 
protect their edges (hard to point fingers from the core and say "it's the 
edge vendor's problem" when you're also the edge vendor in some cases).

While it's nice that router vendors implemented unicast RPF to make 
configuration in some cases easier, using simple ACLs isn't necessarily 
hard at the edges either.

The stumbling block for ingress filtering has always been pretty simple: By 
implementing ingress, the network you save will be someone else's. You have 
to trust that other network operators will implement ingress filtering and 
in so doing save your network. Sadly, folks tend to avoid doing things that 
might help others, and so I continue to wait for a negligence lawsuit to 
wake folks up on this issue.

Eliminating spoofed addresses from the backbone, even if it were possible 
to do 100%, would not eliminate denial of service attacks. The DDoS attacks 
using coordinated "owned" machines demonstrate this. As spoofing becomes 
more difficult, tracing back the source of attacks becomes easier. Network 
operators will still find machines on their networks performing attacks, 
but when that phone call comes from another network with attack details, 
the chances of finding the offending host are much greater. 



FW: Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Stewart, William C (Bill), RTLSL



-Original Message-
From: Stewart, William C (Bill), RTLSL 
Sent: Friday, January 17, 2003 5:35 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Is there a line of defense against Distributed Reflective
attacks?


Many of these attacks can be mitigated by ISPs that do 
anti-spoofing filtering on input - only accepting packets from user ports
that have IP addresses that are registered for that port,
and not accepting incoming packets from outside their network
that claim to be from inside (except maybe from registered dual-homed hosts.)
This cuts down on many opportunities for forgery,
and means that SYN Flood attacks have a much more limited set of
addresses they can forge (e.g. an attacker or zombie can only 
impersonate other ips sharing its /24 or /29, 
so it can't pretend to be its victim in a reflection or smurf attack.)

That doesn't stop all reflection attacks; a zombie on a network
that doesn't do anti-spoofing can send SYNs to a big server on a
network that also doesn't anti-spoof, so the server will still SYN-ACK
to the victim.  This cuts out a lot of potential zombie/server pairs.
If the server that's being used for reflection is someone the 
victim would often talk to, that's a problem
(you'd rather not block connections to Yahoo),
but if it's someone the victim doesn't care about talking to
(like router23.example.net) you don't mind blocking it.
(Also, why is router23.example.net SYNACKing somebody it doesn't know?)

But there are probably 20 million web servers or Kazaa or IM clients out there,
and probably half of them are on networks that don't spoof-proof,
so blocking those is much tougher than blocking the big ones.
And next stop - reflection attacks using big domain servers...
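The ingress filtering described above (accept only registered sources on each customer port, reject outside packets that claim an inside source, with an exception for registered dual-homed customers), combined with John Kristoff's suggestion in this thread of deriving each interface's ingress ACL from its configured addresses, as an added example. This is not vendor code: the interface table, the dual-homed prefix, the sample packets and the Cisco-style ACL text it emits are all constructed for illustration, and the output format should be checked against the platform before use.

```python
# Ingress anti-spoofing filtering as Bill Stewart describes, together
# with John Kristoff's idea of generating each interface's ingress ACL
# from its configured addresses. Added example, not vendor code: the
# interface table, the 'registered dual-homed' prefix, the packets and
# the Cisco-style ACL text are all constructed for illustration.
import ipaddress

# Constructed edge router: customer interfaces and the prefixes routed to
# them. One customer is registered as dual-homed, so its prefix may also
# legitimately arrive from the uplink.
INTERFACES = {
    "Serial0": ["192.0.2.0/25"],
    "Serial1": ["192.0.2.128/25"],
    "Serial2": ["198.51.100.0/24"],
}
DUAL_HOMED = ["198.51.100.0/24"]
UPLINK = "Serial3"


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def inside_prefixes(interfaces=INTERFACES):
    return [n for ps in interfaces.values() for n in _nets(ps)]


def generate_acls(interfaces=INTERFACES, dual_homed=DUAL_HOMED,
                  uplink=UPLINK, base=100):
    """Emit one extended ACL per customer interface permitting only the
    sources registered for that port, plus an uplink ACL that rejects
    packets from outside claiming an inside source (dual-homed prefixes
    excepted). Output format assumed; verify against your platform."""
    lines, num = [], base
    for ifname, prefixes in interfaces.items():
        for net in _nets(prefixes):
            lines.append(f"access-list {num} permit ip "
                         f"{net.network_address} {net.hostmask} any")
        lines += [f"access-list {num} deny ip any any",
                  f"interface {ifname}", f" ip access-group {num} in"]
        num += 1
    exempt = _nets(dual_homed)
    for net in inside_prefixes(interfaces):
        if net not in exempt:
            lines.append(f"access-list {num} deny ip "
                         f"{net.network_address} {net.hostmask} any")
    lines += [f"access-list {num} permit ip any any",
              f"interface {uplink}", f" ip access-group {num} in"]
    return "\n".join(lines)


def ingress_permits(ifname, src, interfaces=INTERFACES,
                    dual_homed=DUAL_HOMED, uplink=UPLINK):
    """The decision those ACLs encode, for one packet."""
    addr = ipaddress.ip_address(src)
    if ifname == uplink:
        claims_inside = any(addr in n for n in inside_prefixes(interfaces))
        return not claims_inside or any(addr in n for n in _nets(dual_homed))
    return any(addr in n for n in _nets(interfaces.get(ifname, [])))


# Constructed packets: (arrival interface, source address, what it is)
PACKETS = [
    ("Serial0", "192.0.2.5",    "zombie using its own address"),
    ("Serial0", "192.0.2.9",    "zombie impersonating a neighbour in its /25"),
    ("Serial0", "192.0.2.200",  "zombie spoofing a victim behind Serial1"),
    ("Serial3", "192.0.2.129",  "outside packet claiming an inside source"),
    ("Serial3", "198.51.100.7", "dual-homed customer entering via its other provider"),
    ("Serial3", "203.0.113.9",  "ordinary outside source"),
]


def filter_packets(packets=PACKETS):
    """Apply the per-interface decision to each packet."""
    return [(iface, src, ingress_permits(iface, src), what)
            for iface, src, what in packets]


if __name__ == "__main__":
    print(generate_acls())
    for iface, src, ok, what in filter_packets():
        print(f"{iface:8} {src:14} {'permit' if ok else 'deny  '}  {what}")
```

The third packet is the reflection case from the post: the zombie on Serial0 cannot put a Serial1 victim's address in its SYNs. The second packet shows what the filter does not stop: the zombie can still impersonate another host in its own /25, which is exactly the residual set of forgeable addresses the post mentions.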




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Mike Hogsett


> > Getting everyone to take security more seriously is most likely never
> > going to happen.. :(
> 
> If this is the case then we are screwed... I hope its not the case, I hope
> that the customer service folks at ISP/NSP's and NOC and Engineering folks
> all keep this in their minds and push their upper management to start
> doing the right thing. It really doesn't cost that much, and its certainly
> cheaper than the cost of outages or lost revenue when your business is
> DoS'd, eh?

When the insurance companies get involved and charge a larger premium to
corporations not implementing reasonable security policies and procedures
then the situation will improve.

Time and time again I have seen corporations do nothing about a problem
(physical safety, physical security, network security) until it hurts the
bottom line.

Also, a large profile (e.g. in the mainstream media) network security
incident against a large corporation would again bring attention to the
problem.  I think that if a network security incident had brought Enron to
its knees, rather than questionable accounting, people would be taking
more notice of the problem.

 - Michael Hogsett






Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Christopher L. Morrow


On Fri, 17 Jan 2003, Haesu wrote:

>
> I guess the question of all this is may be... what could be done to
> perhaps... to minimize the impact of DoS attacks pointed at a victim host?

Everyone take security more seriously, have some inhouse security clue,
deal with incidents in a timely manner with a decent response... its about
due diligence, eh?

>
> Getting everyone to take security more seriously is most likely never
> going to happen.. :(
>

If this is the case then we are screwed... I hope its not the case, I hope
that the customer service folks at ISP/NSP's and NOC and Engineering folks
all keep this in their minds and push their upper management to start
doing the right thing. It really doesn't cost that much, and its certainly
cheaper than the cost of outages or lost revenue when your business is
DoS'd, eh?

> -hc
>
>
> On Fri, 17 Jan 2003, Clayton Fiske wrote:
>
> >
> > On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow wrote:
> > >
> > > On Fri, 17 Jan 2003, John Kristoff wrote:
> > >
> > > > impractical).  If the sources can be tracked, perhaps they can be
> > > > stopped (but large  number of sources make this a scaling issue and
> > > > sometimes not all responsible parties are as cooperative or friendly
> > > > as you might like).  There is also the threat of legal response, which
> > > > could encourage networks and hosts to stop and prevent attacks in the
> > >
> > > Legal response to the kiddies has never shown a marked improvement in
> > > their behaviour. Much like the death penalty... its just not a deterrent,
> > > perhaps because its not enforced on a more regular basis, perhaps because
> > > no one thinks about that before they attack.
> >
> > I think John was more referring to legal action against networks and
> > hosts used in the attack.
> >
> > Without getting too much into the likelihood of any legal body actually
> > understanding anyone's role in an attack besides the attacker and the
> > victim, in this land where tobacco companies are sued by smokers who
> > get lung cancer and fast food restaurants are sued by fat people there
> > must be room for such cases as:
> >
> > "XYZ Corp cost me $5mil in lost business. They were negligent in
> > securing their (network|host) from being used as a DoS attack tool
> > despite being informed of such by us both before and during said
> > attack."
> >
> > Perhaps this would cause companies to take security more seriously?
> >
> > Have there been any such cases to date? Did they win?
> >
> > -c
> >
> >
>




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Kurt Erik Lindqvist


Having researched this in-depth after reading a rather cursory article
on the topic (http://grc.com/dos/drdos.htm), only two main methods 
come
to my mind to protect against it.

There are a few more methods, some have already mentioned including
something called pushback.  Very few solutions, particularly elegant
ones are widely deployed today.

At some point, sophisticated (or even not so sophisticated) DoS
attacks can be hard to distinguish from valid traffic, particularly
if widely distributed and the traffic is as valid looking as any other
bit of traffic.


I have been thinking about this for a while due to a number of reasons. 
But if we look at the source of the attacks and the effects of the 
attacks. I would draw the conclusions that

a) Unless we fix the "end-system" faults that are used for exploits, 
the only way that will scale to handle attacks is simply to make the 
victims redundant so that you can lose one and lose service for some 
customers so that you can provide service for the remaining customers.

b) In the short to medium term, the only strategy that will work is to 
sacrifice some parts of your service (or host, or customers - depending 
on your role and the type of attack / victim).

Even with the pushback model, the ordinary users will lose to some 
extent. So what would be needed would be a model where the loss of 
bandwidth for end-users is projected to the revenue numbers of the 
service being attacked. Right?



is a practical solution to an attack of this kind, what prevents its
implementation? Lack of awareness, or other?


It is still fairly new and not widely deployed.  Routers need not only
to support it, but also have to be enabled to use it.  It is a fairly
significant change to the way congestion control is currently done in
the Internet and it will take some time before penetration occurs.


Well, you also need to find another "way" (or buffer, or slowdown) to 
send the traffic, which in a way also is a successful attack.


to launch attacks.  Eventually it all boils down to a physical
security problem.  Pricing models can be used to make it expensive


With physical security I would assume actual physical access to the 
system. Anything else to me is "logical" or "system" security. Correct?


- kurtis -



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread John Kristoff

On Fri, 17 Jan 2003 18:38:08 + (GMT)
"Christopher L. Morrow" <[EMAIL PROTECTED]> wrote:

> > has something called Source Path Isolation Engine (SPIE).  There
> This would be cool to see a design/whitepaper for.. Kelly?

In addition to David's link:

  

> > mentioned, which penalize or limit high rate flows are not widely
> > deployed yet.

> (see above, is this what you really want?)

I happen to like the idea of using something like a RED queue that can
more aggressively drop traffic that is 'out of profile' in times of
congestion.  Like most things, this probably really works best at the
edges of the network, but my gut feeling is that it can be a relatively
fair and elegant approach.  However, it doesn't really solve the DoS
problem, it is really trying to just solve a congestion problem, but it
may have some nice side effects.

For example, I'm planning on trying out some new features from our
border router vendor, where we set a more aggressive RED drop profile
per source IP within our netblock where the source exceeds a configured
transmission rate.  The basic idea being to get the high load offering
sources to slow down in times of high usage/congestion.  Hopefully they
use TCP, but if not, perhaps drop even more aggressively?  If the
capacity is there, high load sources get through.

So, this doesn't stop attacks, but tries to keep some valid data flowing
through a limited egress pipe or in other words, try to provide some
fairness between multiple sources in times of high load.  Of course, if
everyone hits the ENTER key at the same time this doesn't work, but
hopefully statistical multiplexing is working as well as it always has
for us.

John
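A simulation of the per-source RED profile sketched in the post above, as an added example (not the border router vendor's feature, whose exact behaviour is not described here). Two sources share one egress pipe; a source whose smoothed rate exceeds a configured profile gets a more aggressive RED drop probability. The link rate, thresholds, profile rate and penalty factor are constructed, and drop decisions use a deterministic error-diffusion accumulator instead of RED's random draw so that runs are repeatable.

```python
# Per-source 'out of profile' RED dropping, as sketched in John Kristoff's
# post above. Added example, not the vendor's implementation; all numbers
# are constructed. Drops use a deterministic error-diffusion accumulator
# (acc += p; drop when acc reaches 1) in place of RED's random draw.


def red_drop_probability(avg, min_th, max_th, max_p):
    """Classic RED curve: 0 below min_th, linear up to max_p at max_th,
    and 1 (drop everything) at or above max_th."""
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return max_p * (avg - min_th) / (max_th - min_th)


def simulate(sources, steps=200, link_rate=10, min_th=10, max_th=40,
             max_p=0.1, profile_rate=8, penalty=10, weight=0.2):
    """sources: {name: packets offered per time step}. A source whose
    smoothed rate exceeds profile_rate has its RED drop probability
    multiplied by `penalty` (capped at 1). Returns per-source drop
    fractions; penalty=1 gives plain RED with no per-source profile."""
    queued = 0          # packets waiting for the egress pipe
    avg = 0.0           # RED's smoothed queue occupancy
    rate = {n: 0.0 for n in sources}
    acc = {n: 0.0 for n in sources}
    offered = {n: 0 for n in sources}
    dropped = {n: 0 for n in sources}
    for _ in range(steps):
        avg = (1 - weight) * avg + weight * queued
        base_p = red_drop_probability(avg, min_th, max_th, max_p)
        for name, per_step in sources.items():
            rate[name] = (1 - weight) * rate[name] + weight * per_step
            p = base_p
            if rate[name] > profile_rate:          # out of profile
                p = min(1.0, base_p * penalty)
            for _ in range(per_step):
                offered[name] += 1
                acc[name] += p
                if acc[name] >= 1.0:
                    acc[name] -= 1.0
                    dropped[name] += 1
                else:
                    queued += 1
        queued = max(0, queued - link_rate)       # the egress pipe drains
    return {n: dropped[n] / offered[n] for n in sources}


# Constructed offered loads, packets per step: a normal user and a flooder.
SOURCES = {"good": 4, "flooder": 30}


def compare(sources=SOURCES):
    """Per-source profile versus plain RED on the same offered load."""
    return {"per_source": simulate(sources),
            "plain_red": simulate(sources, penalty=1)}


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode, {n: round(f, 2) for n, f in result.items()})
```

With the per-source profile the flooder absorbs most of the drops and the normal source loses only a small fraction of its packets; with plain RED both sources see the same drop probability, so the flooder drags the normal user down with it. As the post says, this does not stop the attack, it only keeps some valid data flowing through the limited pipe.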



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Haesu

I guess the question of all this is may be... what could be done to
perhaps... to minimize the impact of DoS attacks pointed at a victim host?

Getting everyone to take security more seriously is most likely never
going to happen.. :(

-hc


On Fri, 17 Jan 2003, Clayton Fiske wrote:

>
> On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow wrote:
> >
> > On Fri, 17 Jan 2003, John Kristoff wrote:
> >
> > > impractical).  If the sources can be tracked, perhaps they can be
> > > stopped (but large  number of sources make this a scaling issue and
> > > sometimes not all responsible parties are as cooperative or friendly
> > > as you might like).  There is also the threat of legal response, which
> > > could encourage networks and hosts to stop and prevent attacks in the
> >
> > Legal response to the kiddies has never shown a marked improvement in
> > their behaviour. Much like the death penalty... its just not a deterrent,
> > perhaps because its not enforced on a more regular basis, perhaps because
> > no one thinks about that before they attack.
>
> I think John was more referring to legal action against networks and
> hosts used in the attack.
>
> Without getting too much into the likelihood of any legal body actually
> understanding anyone's role in an attack besides the attacker and the
> victim, in this land where tobacco companies are sued by smokers who
> get lung cancer and fast food restaurants are sued by fat people there
> must be room for such cases as:
>
> "XYZ Corp cost me $5mil in lost business. They were negligent in
> securing their (network|host) from being used as a DoS attack tool
> despite being informed of such by us both before and during said
> attack."
>
> Perhaps this would cause companies to take security more seriously?
>
> Have there been any such cases to date? Did they win?
>
> -c
>
>




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Clayton Fiske

On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow wrote:
> 
> On Fri, 17 Jan 2003, John Kristoff wrote:
> 
> > impractical).  If the sources can be tracked, perhaps they can be
> > stopped (but large  number of sources make this a scaling issue and
> > sometimes not all responsible parties are as cooperative or friendly
> > as you might like).  There is also the threat of legal response, which
> > could encourage networks and hosts to stop and prevent attacks in the
> 
> Legal response to the kiddies has never shown a marked improvement in
> their behaviour. Much like the death penalty... its just not a deterrent,
> perhaps because its not enforced on a more regular basis, perhaps because
> no one thinks about that before they attack.

I think John was more referring to legal action against networks and
hosts used in the attack.

Without getting too much into the likelihood of any legal body actually
understanding anyone's role in an attack besides the attacker and the
victim, in this land where tobacco companies are sued by smokers who
get lung cancer and fast food restaurants are sued by fat people there
must be room for such cases as:

"XYZ Corp cost me $5mil in lost business. They were negligent in
securing their (network|host) from being used as a DoS attack tool
despite being informed of such by us both before and during said
attack."

Perhaps this would cause companies to take security more seriously?

Have there been any such cases to date? Did they win?

-c




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Christopher L. Morrow



On Fri, 17 Jan 2003, David G. Andersen wrote:

>
> On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow mooed:
> >
> > > has something called Source Path Isolation Engine (SPIE).  There
> >
> > This would be cool to see a design/whitepaper for.. Kelly?
>
> The long version of the SPIE paper is at:
>
>   http://nms.lcs.mit.edu/~snoeren/papers/spie-ton.html
>
> The two second summary that I'll probably botch:  SPIE keeps a (very tiny)
> hash of each packet that the router sees.  If you get an attack packet,
> you can hand it to the router and ask "From where did this come?"
> And then do so to the next router, and so on.  The beauty of the scheme
> is that you can use it to trace single-packet DoS or security attacks
> as well as flooding attacks.  The downside is that it's hardware.

This sounds like Steve Bellovin's thing called 'icmp traceback' where you
make up a new icmp type message and send that query through the system,
hop by hop... though I say that after only reading your blurb, not the
paper :)

As I recall the icmp thing (that might NOT have been all steve, I just
heard him present it once) was a problem from a memory and processing
perspective, not to mention 'no router does this today' so its a 3 year
off feature addition... nevermind the protocol additions :)




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread David G. Andersen

On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow mooed:
> 
> > has something called Source Path Isolation Engine (SPIE).  There
> 
> This would be cool to see a design/whitepaper for.. Kelly?

The long version of the SPIE paper is at:

  http://nms.lcs.mit.edu/~snoeren/papers/spie-ton.html

The two second summary that I'll probably botch:  SPIE keeps a (very tiny)
hash of each packet that the router sees.  If you get an attack packet, 
you can hand it to the router and ask "From where did this come?"
And then do so to the next router, and so on.  The beauty of the scheme
is that you can use it to trace single-packet DoS or security attacks
as well as flooding attacks.  The downside is that it's hardware.

  -Dave
 
-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.
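A toy model of the per-router packet-digest memory Dave describes (and that Chris quotes above), added here as an illustration and not code from the SPIE paper or from anyone in the thread: each router keeps a Bloom filter of packet digests per ingress link, the digest skips the TTL because it changes every hop, and the victim's router is asked hop by hop "from where did this come?". The topology, addresses and traffic are constructed; SPIE's real digest fields and table management differ.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # may be spoofed: the digest records it but does not trust it
    dst: str
    proto: int
    ip_id: int
    ttl: int            # rewritten at every hop, so it is left out of the digest
    payload: bytes


def packet_digest(pkt: Packet) -> bytes:
    """Hash only the fields that stay constant hop to hop (a simplified stand-in
    for SPIE's masked IP header plus the first bytes of payload)."""
    invariant = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.ip_id}|".encode() + pkt.payload[:8]
    return hashlib.sha256(invariant).digest()


class BloomFilter:
    """Fixed-size bit array: a few bits per packet instead of the packet itself."""

    def __init__(self, nbits: int = 4096, nhashes: int = 3) -> None:
        self.nbits, self.nhashes = nbits, nhashes
        self.bits = bytearray(nbits // 8)

    def _positions(self, digest: bytes) -> Iterator[int]:
        for i in range(self.nhashes):          # k positions from k slices of the digest
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.nbits

    def add(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, digest: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))


class Router:
    def __init__(self, name: str, upstream: Dict[str, str]) -> None:
        self.name = name
        self.upstream = upstream                      # ingress link -> neighbour on it
        self.memory = {link: BloomFilter() for link in upstream}

    def forward(self, pkt: Packet, ingress: str) -> Packet:
        """Record the digest against the ingress link, then forward with TTL - 1."""
        self.memory[ingress].add(packet_digest(pkt))
        return replace(pkt, ttl=pkt.ttl - 1)

    def query(self, digest: bytes) -> List[str]:
        """The 'from where did this come?' question: links whose filter matches."""
        return [link for link, bf in self.memory.items() if digest in bf]


def send(routers: Dict[str, Router], route: List[Tuple[str, str]], pkt: Packet) -> Packet:
    """Push a packet through (router, ingress link) hops; returns what the victim sees."""
    for name, ingress in route:
        pkt = routers[name].forward(pkt, ingress)
    return pkt


def trace_back(routers: Dict[str, Router], victim_router: str, pkt: Packet) -> List[str]:
    """Walk hop by hop from the victim's router toward the source.  Stops when a
    router has no memory of the digest, when more than one link matches (a Bloom
    false positive makes the answer ambiguous), or when the upstream is not a
    SPIE router (a customer attachment)."""
    digest = packet_digest(pkt)
    path, current = [victim_router], victim_router
    while current in routers:
        hits = routers[current].query(digest)
        if len(hits) != 1:
            break
        current = routers[current].upstream[hits[0]]
        path.append(current)
    return path


# Constructed three-router topology: edge-A and edge-B are customer attachments
# (not SPIE routers); R3 faces the victim.
ROUTERS = {
    "R1": Router("R1", {"to_edgeA": "edge-A", "to_edgeB": "edge-B"}),
    "R2": Router("R2", {"to_R1": "R1", "to_R4": "R4"}),
    "R3": Router("R3", {"to_R2": "R2", "to_cust": "cust-Y"}),
}
FROM_EDGE_A = [("R1", "to_edgeA"), ("R2", "to_R1"), ("R3", "to_R2")]
FROM_EDGE_B = [("R1", "to_edgeB"), ("R2", "to_R1"), ("R3", "to_R2")]

# Constructed traffic: one spoofed-source attack packet plus unrelated background.
ATTACK = Packet("198.51.100.9", "203.0.113.80", 6, 31337, 64, b"\x00\x50\x04\xd2SYN!....")
BACKGROUND = [Packet("192.0.2.%d" % i, "203.0.113.80", 17, i, 64, b"dns-q%03d" % i)
              for i in range(20)]

for bg in BACKGROUND[:10]:
    send(ROUTERS, FROM_EDGE_A, bg)
for bg in BACKGROUND[10:]:
    send(ROUTERS, FROM_EDGE_B, bg)
RECEIVED = send(ROUTERS, FROM_EDGE_A, ATTACK)   # TTL is now 61, digest unchanged

if __name__ == "__main__":
    print("digest stable across hops:", packet_digest(RECEIVED) == packet_digest(ATTACK))
    print("trace from R3:", " <- ".join(trace_back(ROUTERS, "R3", RECEIVED)))
```

The victim hands in the packet exactly as received (decremented TTL and all); because the digest ignores the mutable fields, every router on the path still recognises it.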



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Christopher L. Morrow


On Fri, 17 Jan 2003, John Kristoff wrote:

>  ---SNIP---
>
> It doesn't have to be forged, that step just makes it harder to
> trace back to the original source.  There are some solutions that
> try to deal with this, including an IETF working group called
> itrace.  UUNET also developed something called CenterTrack.  BBN

Wow, again.. Centertrack is a nice idea, but not feasible in a large scale
network... Aside from this, why would you tunnel 100kpps of attack traffic
anyway, why not just drop it, find the source and acl it there?

> has something called Source Path Isolation Engine (SPIE).  There

This would be cool to see a design/whitepaper for.. Kelly?

>   --- SNIP ---
>
> ECN cannot be an effective solution unless you trust all edge hosts,
> including the attacking hosts, will use it.  Since it is a mechanism
> that is used to signal transmitting hosts to slow down, attackers can
> choose not to implement ECN or ignore ECN signals.  Unless you could
> control all the end hosts, and as long as there is intelligence in
> the end hosts a user could modify, this won't help.
>

Attacking hosts never behave nicely and rarely follow RFC's :) This is
another reason that things like rate-limits are only minutely effective at
stopping DoS attacks in a meaningful manner. (Unless you just want to
rate-limit all ICMP or something, which is a fine solution in some
instances, Jared@verio has written on this already)

> ---SNIP ---
>
> Many are reactive, often because you can't know what a DoS is until
> its happening.  In that case, providers can use BGP advertisements
> to blackhole hosts or networks (though that can essentially finish
> the job the attacker started).  If attacks target a DNS name, the

This is true, a blackhole does finish the attacker's job, but consider that
a very high number of attacks are on hosts with DNS names like:
dekadens.ghettot.org, death.hackmania.net, you.know.you.wanna.rapebob.com,
DEATHCRUSH.COM which are obviously just vhosts on a shell box. In these
cases no one really cares if the ip is blackholed, least of all the person
that owns the ip, he just wants to get back on his channel :)

> end hosts can change their IP address (though DNS servers may still
> get pounded).  If anything unique about the attack traffic can be

Almost all DoS tools will take an ip number for whom/what to attack, very
few will take a hostname and resolve it, once. NONE resolve for each
packet (or none today in normal use)... So, rotating to a new ip number
and dropping the attacked one is still a valid fix, provided your TTL
isn't more than a few minutes long.

> determined, filters or rate limits can be placed as close to the
> sources as possible to block it (and that fails as attack traffic
> becomes increasingly dispersed and identical to valid traffic).  If
> more capacity than attack traffic uses can be obtained, the attack
> could be ignored or mitigated (but this might be expensive and
> impractical).  If the sources can be tracked, perhaps they can be
> stopped (but large  number of sources make this a scaling issue and
> sometimes not all responsible parties are as cooperative or friendly
> as you might like).  There is also the threat of legal response, which
> could encourage networks and hosts to stop and prevent attacks in the

Legal response to the kiddies has never shown a marked improvement in
their behaviour. Much like the death penalty... it's just not a deterrent,
perhaps because it's not enforced on a more regular basis, perhaps because
no one thinks about that before they attack.

> future (this could have negative impacts for the openness of the net
> and potentially be difficult to enforce when multiple jurisdictions
> are involved).
>
> From a proactive approach, hosts could be secured to prevent an
> outsider from using it for attack.  The sorry state of system
> security doesn't seem to be getting better and even if we had perfect
> end system security, an attacker could still use their own system(s)
> to launch attacks.  Eventually it all boils down to a physical

This is something else that bears some thought. Why all this discussion
about 'isps should fix this' when 99% of the time it's an end system
problem? Why not push back all this legal rhetoric on the system
manufacturers? Why not hold them responsible for the shoddy code and
workmanship? How is this any different than Ford and their exploding gas
tanks? (yes.. bad example since it was the news group that made them
explode)

> security problem.  Pricing models can be used to make it expensive
> to send attack traffic.  How to do the billing and who to bill
> might not be so easy.   ...and there may always be a provider who
> charges less.  Rate limits can be used on a per source, per protocol
> or per flow basis.  Given enough hosts and not enough deployment in
> the network, this has yet to be effective.  Similarly, network
> based queueing mechanisms (e.g. RED), or pushback approaches already

While Steve Bellovin's id

Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Christopher L. Morrow



On Fri, 17 Jan 2003, Vadim Antonov wrote:

>
>
> > Do we need the equivalent of a dog bite law for computers.  If your
> > computer attacks another computer, the owner is responsible.  File a
> > police report, and the ISP will give the results of the *57 trace to
> > the local police.  The police can then put down the rabid computer,
> > permanently.
>
> Good in theory... in practice police has more important things to do. Like
> catching pot smokers.

HAHAHAHA :) Very funny. Seriously though, police can't remove access to
the system for individuals simply because they didn't turn off whatever MS
thing turns on port 445 by default... This gets back to the drivers'
license for internet access/computer use. A nice idea, not practical and
not enforceable :( And... not the solution to most of the problems.

Keep in mind that a majority of the attacks are NOT against 'high profile'
sites/customers... so many times a null route is a perfectly acceptable
solution.





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Richard Irving

Vadim Antonov wrote:

Caution this won't program a router:

>The police can then put down the rabid computer,
> > permanently.
> Good in theory... in practice police has more important things to do. Like
> catching pot smokers.

  Not -=too=- much problem soon, thanks to the USA "Patriot" act.

 In conjunction with the new Mother^^HomeLand Security design,
The DEA will be considered part of the HomeLand Security team.

 This means they will have access to all the "extra-constitutional" 
monitoring/invasion of privacy activity that we deploy 
against citizens^terrorists for "National Defense",
in such "Patriotic" programs as "CoinTelPro".

I.E.: Tap your phone, monitor your email/internet activity, 
"sneak and peek" into your house, access your financial transactions, 
(bank and credit card), access your doctor's files, question your lawyer, 
arrest you without "Miranda", incarcerate you indefinitely without a phone call, 
or a trial, and finally and best of all, the brand new "Torture a confession" 
information gathering methods... (See: Chavez v Martinez )

all without a -=warrant=-.

(I hear "probable cause" has actually been -stretched- to include
"politically active people". It seems such people -change- the laws, 
and government, hence are a matter of "National Security". So, therefore,
being a Democrat now qualifies you for "CoinTelPro", just like Nixon originally 
decided in "Watergate".)

 After all, Homeland security will be sharing its data with every
member of the Division, as part of its charter, and the Intelligence
Agencies will be used to gather it, (-=against=- theirs).

  It's a matter of "National Security", you know.

 Gotta Keep you safe from those Pot Smokers, after all!

 Why, We can't have "Saddam Bin Laden" hiding out 
in North Korea with "Nuclear Plague" devices, 
and doing "doobs" with an American Citizen.. plotting our
Mass Destruction,

 Now can we ?!

 ;)

PPS: Don't worry "Citizen", the Executive Branch funded Churches will
have plenty of -=other=- things for you to do, that are wholesome,
and healthy.

 Like egg tossing, and gunny sack races, in the "Name of Jesus".

- The Church Lady

:P


> --vadim

"Only Criminals don't want to be monitored" - Nazi Youth Slogan.

  http://www.aclu.org

  http://www.whitehouse.org



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Vadim Antonov

 
> Do we need the equivalent of a dog bite law for computers.  If your
> computer attacks another computer, the owner is responsible.  File a
> police report, and the ISP will give the results of the *57 trace to
> the local police.  The police can then put down the rabid computer,
> permanently.

Good in theory... in practice police has more important things to do. Like
catching pot smokers. 

--vadim




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread John Kristoff

On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue wrote:
> Having researched this in-depth after reading a rather cursory article
> on the topic (http://grc.com/dos/drdos.htm), only two main methods come
> to my mind to protect against it.

There are a few more methods, some have already mentioned including
something called pushback.  Very few solutions, particularly elegant
ones are widely deployed today.

At some point, sophisticated (or even not so sophisticated) DoS
attacks can be hard to distinguish between valid traffic, particularly
if widely distributed and traffic is as valid looking as any other
bit of traffic.

> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.

It doesn't have to be forged, that step just makes it harder to
trace back to the original source.  There are some solutions that
try to deal with this, including an IETF working group called
itrace.  UUNET also developed something called CenterTrack.  BBN
has something called Source Path Isolation Engine (SPIE).  There
are probably other things I'm forgetting, but generally are similar
in concept to these.

> To my knowledge the network encompassing the target host is largely
> unable to protect itself other than 'poisoning' the route to the host in
> question. This succeeds in minimizing the impact of such an attack on

This is true, the survivability of the victim largely depends on
the security of everyone else, which makes solving the problem so
exceptionally difficult.

> the network itself, but also achieves the end of removing the target
> host from the Internet entirely. Additionally, if the targeted host is
> a router, little if anything can be done to stop that network from going
> down.

I'm not sure I fully understand what you're saying here, but a router
can effectively be taken out of service as any other end host or
network can by simply overwhelming it with packets to process (for itself
or to be forwarded).

> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many
> small or large networks (correct me if I'm wrong on this point). If ECN

ECN cannot be an effective solution unless you trust all edge hosts,
including the attacking hosts, will use it.  Since it is a mechanism
that is used to signal transmitting hosts to slow down, attackers can
choose not to implement ECN or ignore ECN signals.  Unless you could
control all the end hosts, and as long as there is intelligence in
the end hosts a user could modify, this won't help.

> is a practical solution to an attack of this kind, what prevents its
> implementation? Lack of awareness, or other?

It is still fairly new and not widely deployed.  Routers need not only
to support it, but also have to be enabled to use it.  It is a fairly
significant change to the way congestion control is currently done in
the Internet and it will take some time before penetration occurs.

> Also, are there other methods of protecting a targeted network from
> losing functionality during such an attack?

Many are reactive, often because you can't know what a DoS is until
it's happening.  In that case, providers can use BGP advertisements
to blackhole hosts or networks (though that can essentially finish
the job the attacker started).  If attacks target a DNS name, the
end hosts can change their IP address (though DNS servers may still
get pounded).  If anything unique about the attack traffic can be
determined, filters or rate limits can be placed as close to the
sources as possible to block it (and that fails as attack traffic
becomes increasingly dispersed and identical to valid traffic).  If
more capacity than attack traffic uses can be obtained, the attack
could be ignored or mitigated (but this might be expensive and
impractical).  If the sources can be tracked, perhaps they can be
stopped (but large number of sources make this a scaling issue and
sometimes not all responsible parties are as cooperative or friendly
as you might like).  There is also the threat of legal response, which
could encourage networks and hosts to stop and prevent attacks in the
future (this could have negative impacts for the openness of the net
and potentially be difficult to enforce when multiple jurisdictions
are involved).

From a proactive approach, hosts could be secured to prevent an
outsider from using it for attack.  The sorry state of system
security doesn't seem to be getting better and even if we had perfect
end system security, an attacker could still use their own system(s)
to launch attacks.  Eventually it all boils down to a physical
security problem.  Pricing models can be used to make it expensive
to send attack traffic.  How to do the billing and who to bill
might not be so easy

Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-17 Thread Sean Donelan

> > What kinds of mechanisms exist for keeping track of the origins of
> > something of this nature?
>
> Normally that's not very productive as they are mostly owned boxes that
> will be rebuilt and reowned in days :(

We could automate the tracing process, like *57 customer initiated trace
on the telephone network ($5 per use).  But then what?

You can track the sources as quickly as you can, but part of the question
becomes how long and how many sources do you keep blocked once you have
tracked them.  Is it one strike and you're out forever?  If 80% of the
attacks are not spoofed, why not create yet another RBL and keep adding
more and more addresses?  If you remove the filter after the attack stops,
it will just come back or they'll choose a different victim.

Do we need the equivalent of a dog bite law for computers.  If your
computer attacks another computer, the owner is responsible.  File a
police report, and the ISP will give the results of the *57 trace to
the local police.  The police can then put down the rabid computer,
permanently.




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread David G. Andersen

On Fri, Jan 17, 2003 at 01:11:14AM -0500, David G. Andersen mooed:
> 
>   b)  Ioannidis and Bellovin proposed a mechanism called "Pushback"
>   for automatically establishing router-based rate limits to
>   staunch packet flows during DoS attacks.
>   [NDSS 2002, "Implementing Pushback:  Router-Based Defense
>Against DDoS Attacks"]

  I should have been a bit more accurate here.  The proposal for
pushback is actually earlier than the implementation paper I cited above:

  "Controlling High Bandwidth Aggregates in the Network.  Ratul Mahajan,
   Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott
   Shenker.  July, 2001."

and it also included an internet-draft:

  http://www.aciri.org/floyd/papers/draft-floyd-pushback-messages-00.txt

I believe that Steve Bellovin gave a talk about it at NANOG 21:

  http://www.research.att.com/~smb/talks/pushback-nanog.pdf

  -Dave (I'll learn not to send mail past midnight some day)

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Hank Nussbacher

At 12:00 AM 17-01-03 -0500, [EMAIL PROTECTED] wrote:

nsp-security now has 277 members and gets many of these warnings and 
alerts.  For further details:

http://puck.nether.net/mailman/listinfo/nsp-security

-Hank


> We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been
> DDoS'ed for 36 hours"
> --
> Valdis Kletnieks





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread David G. Andersen

On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue mooed:
> 
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
> 
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many

   No.  ECN is, first and foremost, an optimization for TCP so that
it doesn't have to drop packets before cutting its rate back when
there's congestion in the network.  A zombie or malicious host would
just ignore the ECN bit - and the attacks you're describing never
reach the point where a host's flow control is involved.

   You might be thinking of source quench, but that's really not an
option with today's networks.

  Some other conventional alternatives have been discussed already
(ingress/egress filtering, etc).  Some less conventional options:
[Warning:  Some researchy stuff ahead]

  a)  Mazu and Arbor provide products that can detect and
  optionally shape traffic to avoid DDoS attacks.  Must be
  installed in-line to shape, and can't (AFAIK) shape at
  really really high line speeds.  But for reasonable things
  like, maybe gigabit and under, I think they can provide
  pretty reasonable protection.  Don't quote me for sure on the rates.

  b)  Ioannidis and Bellovin proposed a mechanism called "Pushback"
  for automatically establishing router-based rate limits to
  staunch packet flows during DoS attacks.
  [NDSS 2002, "Implementing Pushback:  Router-Based Defense
   Against DDoS Attacks"]

  c)  I stole some ideas from a sigcomm paper this year ("SOS:  Secure
  Overlay Services") to propose a proactive DDoS resistance scheme
  I term Mayday.  The basic idea is that you pick some secret
  attributes of your packets - destination port, destination
  address, etc. - and only allow packets with "the right values"
  through.  You then tell that secret to someone like Akamai,
  and have them proxy all requests to you.  Then you ask your
  upstream to proactively deny all packets without the magical
  values.

  http://nms.lcs.mit.edu/papers/mayday-usits2003.html

  It's a little weird, but I'd be willing to bet that one of
  the big overlay providers like Akamai could actually pull it off.
  The advantage of this approach is that you can implement it
  without fixing the whole world, unlike egress filters.  The
  downside is that you need someone with lots of nodes.

  I'd be interested in hearing folks' comments about the mayday
  paper, btw, since I have to babble about it at a conference
  in a month. ;-)

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.
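A model of the Mayday arrangement sketched in (c), added here as an illustration and not code from the Mayday paper or from Dave: the upstream forwards packets toward the protected address only if they carry the secret destination port, overlay nodes that know the secret proxy client requests, and the controller rotates the secret while keeping the previous value valid briefly so proxied requests in flight are not dropped. Addresses, the overlay nodes, the controller and the rotation policy are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


class UpstreamFilter:
    """The upstream's proactive filter: toward the protected address, only packets
    carrying a currently valid secret destination port are forwarded."""

    def __init__(self, target: str) -> None:
        self.target = target
        self.valid_ports: Set[int] = set()

    def admit(self, pkt: Packet) -> bool:
        if pkt.dst != self.target:
            return True                      # the filter is scoped to the protected host
        return pkt.dport in self.valid_ports


class OverlayNode:
    """A proxy that knows the secret; clients reach it on the ordinary public port."""

    def __init__(self, ip: str, target: str) -> None:
        self.ip, self.target, self.secret_port = ip, target, 0

    def relay(self, client_pkt: Packet) -> Packet:
        return Packet(self.ip, self.target, self.secret_port, client_pkt.payload)


class MaydayController:
    """Chooses the secret and tells both the upstream filter and the overlay nodes."""

    def __init__(self, upstream: UpstreamFilter, nodes: List[OverlayNode]) -> None:
        self.upstream, self.nodes, self.current = upstream, nodes, 0

    def rotate(self) -> int:
        # A destination port is only 16 bits of secret, which is why the scheme
        # leans on the upstream dropping everything else before it reaches you.
        new_port = self.current
        while new_port == self.current:
            new_port = 1024 + secrets.randbelow(64512)
        self.upstream.valid_ports = {self.current, new_port} - {0}   # overlap window
        self.current = new_port
        for node in self.nodes:
            node.secret_port = new_port
        return new_port

    def expire_previous(self) -> None:
        self.upstream.valid_ports = {self.current}


def deliver(upstream: UpstreamFilter, pkts: List[Packet]) -> List[Packet]:
    """What actually reaches the protected host after the upstream filter."""
    return [p for p in pkts if upstream.admit(p)]


TARGET = "203.0.113.10"                          # constructed protected address
UPSTREAM = UpstreamFilter(TARGET)
NODES = [OverlayNode("198.51.100.1", TARGET), OverlayNode("198.51.100.2", TARGET)]
CTRL = MaydayController(UPSTREAM, NODES)
CTRL.rotate()

# Constructed traffic: one client request proxied by the overlay, and flood packets
# aimed straight at the public port of the protected address.
CLIENT_REQ = Packet("192.0.2.7", NODES[0].ip, 80, b"GET / HTTP/1.0")
FLOOD = [Packet("192.0.2.%d" % i, TARGET, 80, b"\x00" * 8) for i in range(50)]


def demo() -> Tuple[int, str]:
    """Returns how many packets got through and who sent the first of them."""
    proxied = NODES[0].relay(CLIENT_REQ)
    reached = deliver(UPSTREAM, [proxied] + FLOOD)
    return len(reached), reached[0].src if reached else ""


if __name__ == "__main__":
    print("reached target:", demo())
```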



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Valdis . Kletnieks
On Fri, 17 Jan 2003 00:03:56 EST, hc said:
> It will help of course, but really not The solution... Or is there one?

In this industry, anybody who advertises The Solution should automatically
be considered a snake oil salesman.  There's no One Great Answer, because
there's more than one question.  There's a LOT of things that would help:
 
Ingress filtering
Egress filtering
Clued incident response teams
Systems not shipped insecure by default.

etc etc etc.  You've heard them all, I've said them all, they all address
parts of the problem.  Nothing addresses all of it.

Ingress/egress filtering would help in some cases of a DDoS packet flood.

Ingress/egress filtering doesn't do squat when Nimda is on a burn.
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Travis Pugh

According to hc <[EMAIL PROTECTED]>


> Of course, egress filters don't
> solve the issue. But considering most script kiddies' intelligence level
> is limited, it will help at least a bit. :-) The problem with egress
> filtering is that it's mostly applicable at the end tier2+ level, not at
> the backbones, which means a lot of ISP's who are oblivious on what it
> is (or some cases where egress filter breaks their network setup).

On the subject of "help a bit", if service providers were to require,
by default, either an egress filter (correctly configured) on the CPE
router or an ingress filter on their own customer aggregation router
it might do some good ...

Cheers.

-travis

>
> -hc
>




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Christopher L. Morrow



On Fri, 17 Jan 2003, hc wrote:

> >
> >
> >>
> >
> > Good point.
> >
> > I suppose another basic but effective method of prevention would be
> > egress filtering. An increasing minority of network providers are
> > instituting it, but it doesn't seem like it will be a widespread thing
> > in the near-term.
> >
>
> Yes, but egress filtering is only effective by far. Anyone can forge the
> source to an IP address that belongs to one of the /16's a provider
> advertises.

filter close to the end host, this limits (mostly) to the local /24 or /25
or /2(>5)...

>
> It will help of course, but really not The solution... Or is there one?
>

haha, there isn't one :( since even with no spoofing you can muster an
army of 100,000 IIS servers still scanning for nimda :(





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread hc

> Yup, and it's a shame that that is the case :( Perhaps they should become
> UUNET customers and then they can just call us? :) People move for cheap
> bandwidth a lot, I wonder how the value proposition works out when you are
> down and paying SLA's to your customers due to a hosted dalnet server
> getting attacked for 36 hours?

Everything is always the $$$ issue... :)

-hc





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Christopher L. Morrow


On Thu, 16 Jan 2003, hc wrote:

>
> >
> >Normally that's not very productive as they are mostly owned boxes that
> >will be rebuilt and reowned in days :(
> >
> I agree, keeping track of the attacks would not be very useful nor
> helpful. I bet if more ISP's would implement egress filtering on their
> border routers, it'd help quite a bit. Of course, egress filters don't
> solve the issue. But considering most script kiddies' intelligence level

Egress filters are a distraction... today you don't have to spoof. These
are the red herring of 'security'.

THOUGH, all that said, having all networks, CUSTOMER NETWORKS, filtered as
close to end systems as possible would be a nice thing :) As Rob Thomas
points out 80% (or some huge number) of attacks are spoofed source
attacks. Every leaf network should be able to do the minimum urpf strict
on all ether or gig link... that way you don't even have to take the hit
of an acl to process the inbound traffic :)

This is most definitely best done as close to the end machines as possible
though, the traffic loads there are just much more manageable... and it
reduces the possible spoofage to the lowest limit possible.

> is limited, it will help at least a bit. :-) The problem with egress
> filtering is that it's mostly applicable at the end tier2+ level, not at
> the backbones, which means a lot of ISP's who are oblivious on what it
> is (or some cases where egress filter breaks their network setup).
>

Hmm, but the smaller the network the easier to filter it is... right?
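A model of strict versus loose uRPF on a leaf router, added as an illustration and not code from the thread or from any vendor's implementation: each packet's source is looked up in the routing table and, in strict mode, accepted only when the best route back points out the interface the packet arrived on. The routes, interface names and sample sources are constructed, and the model assumes the default route does not vouch for a source; it also shows the two limits raised above: a source forged inside the customer's own prefix still passes, and a customer with two links needs loose mode (or more careful routes) to avoid dropping its own traffic.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed leaf-router configuration (not any vendor's syntax): routing table
# entries as (prefix, egress interface) and a uRPF mode per ingress interface.
ROUTES = [
    ("0.0.0.0/0", "Gi0/0"),          # default toward the upstream
    ("192.0.2.0/24", "Gi0/1"),       # customer A
    ("198.51.100.0/25", "Gi0/2"),    # customer B, first link
    ("198.51.100.128/25", "Gi0/3"),  # customer B, second link (multi-homed to us)
]
URPF = {"Gi0/1": "strict", "Gi0/2": "strict", "Gi0/3": "loose", "Gi0/0": "off"}


class LeafRouter:
    def __init__(self, routes: List[Tuple[str, str]], urpf: Dict[str, str]) -> None:
        self.routes = sorted(
            ((ipaddress.ip_network(p), iface) for p, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)      # longest prefix first
        self.urpf = urpf

    def route_to(self, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        """Longest-prefix match for the source address, as the forwarding path would do."""
        ip = ipaddress.ip_address(addr)
        return next(((p, i) for p, i in self.routes if ip in p), None)

    def check_source(self, src: str, ingress: str) -> Tuple[bool, str]:
        """Reverse-path check on the source of a packet arriving on `ingress`."""
        mode = self.urpf.get(ingress, "off")
        if mode == "off":
            return True, "no uRPF on %s" % ingress
        hit = self.route_to(src)
        # Assumption in this model: a default route does not vouch for a source.
        if hit is None or hit[0].prefixlen == 0:
            return False, "%s: no specific route back to %s" % (mode, src)
        prefix, via = hit
        if mode == "loose" or via == ingress:
            return True, "%s: %s reachable via %s" % (mode, prefix, via)
        return False, "strict: %s routes via %s, but packet arrived on %s" % (prefix, via, ingress)


# Constructed sources seen on the customer ports: genuine, forged from outside the
# customer's prefix, and forged from inside it (which strict mode cannot catch).
SAMPLE = [
    ("192.0.2.10", "Gi0/1"),       # customer A, genuine
    ("203.0.113.5", "Gi0/1"),      # forged: someone else's address entirely
    ("192.0.2.250", "Gi0/1"),      # forged, but inside customer A's own /24: passes
    ("198.51.100.20", "Gi0/2"),    # customer B, genuine
    ("198.51.100.200", "Gi0/2"),   # customer B's other /25 on the wrong link: strict drops it
    ("198.51.100.20", "Gi0/3"),    # same mismatch on the loose-mode link: passes
]


def filter_sample(router: LeafRouter, sample: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, str]]:
    """Decision and reason for every (source, ingress) pair."""
    return [(src, iface, *router.check_source(src, iface)) for src, iface in sample]


if __name__ == "__main__":
    for src, iface, ok, why in filter_sample(LeafRouter(ROUTES, URPF), SAMPLE):
        print("%-16s %-6s %-6s %s" % (src, iface, "pass" if ok else "DROP", why))
```

The reason strings make the trade-off visible: strict mode only narrows what a customer can forge to its own prefix, and on the multi-homed link it would have dropped genuine traffic, which is why loose mode is used there in this example.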





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread hc




My previous experience with UUNET security team was excellent dealing with
DoS.

I am not here to point fingers, but my DoS-response experience with various
Tier-2/3 level ISP's was like talking to some K-12 teacher who barely knows
what internet is. It really takes hours to get thru and reach a competent
engineer on the phone. And that's the major frustration of a LOT of customers
getting DoSed/DDoSed/DrDoSed off the planet everyday.

-hc

[EMAIL PROTECTED] wrote:

> On Fri, 17 Jan 2003 04:29:07 GMT, "Christopher L. Morrow" said:
> >
> > > How quickly is quickly? Often times as has been my recent experience
> > > (part of my motivation for posting this thread) the flood is over before
> > > one can get a human being on the phone.
> >
> > Once the call arrives and the problem is deduced it can be tracked in a
> > matter of minutes, like 6-10 at the fastest...
>
> Yes, but *YOUR* crew has a reputation for having a clue.  I'm willing to
> bet that "once the call arrives" is a challenge for a lot of smaller ISPs
> that don't even *HAVE* a security team, and "the problem is deduced" is
> a challenge for the ones that have a team that don't have a clue.
>
> We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been
> DDoS'ed for 36 hours"







Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Christopher L. Morrow



On Fri, 17 Jan 2003 [EMAIL PROTECTED] wrote:

> On Fri, 17 Jan 2003 04:29:07 GMT, "Christopher L. Morrow" said:
> >
> > > How quickly is quickly? Often times as has been my recent experience
> > > (part of my motivation for posting this thread) the flood is over before
> > > one can get a human being on the phone.
> >
> > Once the call arrives and the problem is deduced it can be tracked in a
> > matter of minutes, like 6-10 at the fastest...
>
> Yes, but *YOUR* crew has a reputation for having a clue.  I'm willing to

We appreciate the kind words :)

> bet that "once the call arrives" is a challenge for a lot of smaller ISPs
> that don't even *HAVE* a security team, and "the problem is deduced" is
> a challenge for the ones that have a team that don't have a clue.
>

This gets down to something I've harped on for a while now... if you drive
a car you must have a license and pass a test. If you run a network on the
internet you really should have 24/7 security clued person(s) available to
stop/track/mitigate security issues.

> We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been
> DDoS'ed for 36 hours"


Yup, and it's a shame that that is the case :( Perhaps they should become
UUNET customers and then they can just call us? :) People move for cheap
bandwidth a lot, I wonder how the value proposition works out when you are
down and paying SLA's to your customers due to a hosted dalnet server
getting attacked for 36 hours?




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread hc

> Good point.
>
> I suppose another basic but effective method of prevention would be
> egress filtering. An increasing minority of network providers are
> instituting it, but it doesn't seem like it will be a widespread thing
> in the near-term.

Yes, but egress filtering is only effective by far. Anyone can forge the
source to an IP address that belongs to one of the /16's a provider
advertises.

It will help of course, but really not The solution... Or is there one?

-hc



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Valdis . Kletnieks
On Fri, 17 Jan 2003 04:29:07 GMT, "Christopher L. Morrow" said:
> 
> > How quickly is quickly? Often times as has been my recent experience
> > (part of my motivation for posting this thread) the flood is over before
> > one can get a human being on the phone.
> 
> Once the call arrives and the problem is deduced it can be tracked in a
> matter of minutes, like 6-10 at the fastest...

Yes, but *YOUR* crew has a reputation for having a clue.  I'm willing to
bet that "once the call arrives" is a challenge for a lot of smaller ISPs
that don't even *HAVE* a security team, and "the problem is deduced" is
a challenge for the ones that have a team that don't have a clue.

We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been
DDoS'ed for 36 hours"
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread hc

> Normally that's not very productive as they are mostly owned boxes that
> will be rebuilt and reowned in days :(

I agree, keeping track of the attacks would not be very useful nor helpful.
I bet if more ISP's would implement egress filtering on their border routers,
it'd help quite a bit. Of course, egress filters don't solve the issue. But
considering most script kiddies' intelligence level is limited, it will help
at least a bit. :-) The problem with egress filtering is that it's mostly
applicable at the end tier2+ level, not at the backbones, which means a lot
of ISP's who are oblivious on what it is (or some cases where egress filter
breaks their network setup).

-hc




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Brad Laue

Christopher L. Morrow wrote:

> On Thu, 16 Jan 2003, Brad Laue wrote:
>
> > [ .. ]
>
> Doesn't ECN depend on 'well behaved' traffic? In other words, wouldn't it
> require the hosts sending traffic to slow down? So... even if the hosts
> slowed down, 10,000 hosts still is a high traffic rate at the end point.
> :(

Good point.

I suppose another basic but effective method of prevention would be
egress filtering. An increasing minority of network providers are
instituting it, but it doesn't seem like it will be a widespread thing
in the near-term.

--
// -- http://www.BRAD-X.com/ -- //



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Christopher L. Morrow


On Thu, 16 Jan 2003, Brad Laue wrote:

> Christopher L. Morrow wrote:
> > On Thu, 16 Jan 2003, hc wrote:
> >
> >
> >>>
> >>>
> >>>Because syn cookies are available on routing gear??? Either way syn
> >>>cookies are not going to keep the device from sending a 'syn-ack' to the
> >>>'originating host'.
> >>>
> >>>
> >>
> >>True.. At least it will have some stop in the amount of attacks.
> >>
> >>It is quite unfortunate that it is impossible to control the 'ingress'
> >>point of attack flow. Whenever there is a DoS attack, the only way to
> >>drop it is to null route it (the method you have devised) over BGP
> >>peering, but that knocks the victim host off the 'net... :-(
> >>
> >
> >
> > Sure, but this like all other attacks of this sort can be tracked... and
> > so the pain is over /quickly/ provided you can track it quickly :) Also,
> > sometimes null routes are ok.
>
> How quickly is quickly? Oftentimes, as has been my recent experience
> (part of my motivation for posting this thread), the flood is over before
> one can get a human being on the phone.

Once the call arrives and the problem is deduced it can be tracked in a
matter of minutes, like 6-10 at the fastest...

>
> What kinds of mechanisms exist for keeping track of the origins of
> something of this nature?
>

Normally that's not very productive as they are mostly owned boxes that
will be rebuilt and reowned in days :(




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Brad Laue

Christopher L. Morrow wrote:

> On Thu, 16 Jan 2003, hc wrote:
>
> > > Because syn cookies are available on routing gear??? Either way syn
> > > cookies are not going to keep the device from sending a 'syn-ack' to the
> > > 'originating host'.
> >
> > True.. At least it will have some stop in the amount of attacks.
> >
> > It is quite unfortunate that it is impossible to control the 'ingress'
> > point of attack flow. Whenever there is a DoS attack, the only way to
> > drop it is to null route it (the method you have devised) over BGP
> > peering, but that knocks the victim host off the 'net... :-(
>
> Sure, but this like all other attacks of this sort can be tracked... and
> so the pain is over /quickly/ provided you can track it quickly :) Also,
> sometimes null routes are ok.


How quickly is quickly? Oftentimes, as has been my recent experience
(part of my motivation for posting this thread), the flood is over before
one can get a human being on the phone.

What kinds of mechanisms exist for keeping track of the origins of 
something of this nature?

--
// -- http://www.BRAD-X.com/ -- //



Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Christopher L. Morrow


On Thu, 16 Jan 2003, hc wrote:

> >
> >
> >
> >Because syn cookies are available on routing gear??? Either way syn
> >cookies are not going to keep the device from sending a 'syn-ack' to the
> >'originating host'.
> >
> >
> True.. At least it will have some stop in the amount of attacks.
>
> It is quite unfortunate that it is impossible to control the 'ingress'
> point of attack flow. Whenever there is a DoS attack, the only way to
> drop it is to null route it (the method you have devised) over BGP
> peering, but that knocks the victim host off the 'net... :-(
>

Sure, but this like all other attacks of this sort can be tracked... and
so the pain is over /quickly/ provided you can track it quickly :) Also,
sometimes null routes are ok.




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread hc





  
> Because syn cookies are available on routing gear??? Either way syn
> cookies are not going to keep the device from sending a 'syn-ack' to the
> 'originating host'.

True.. At least it will have some stop in the amount of attacks.

It is quite unfortunate that it is impossible to control the 'ingress' point
of attack flow. Whenever there is a DoS attack, the only way to drop it is
to null route it (the method you have devised) over BGP peering, but that
knocks the victim host off the 'net... :-(

-hc





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Rob Thomas

] Because syn cookies are available on routing gear??? Either way syn
] cookies are not going to keep the device from sending a 'syn-ack' to the
] 'originating host'.

Agreed.  SYN cookies also won't drain a pipe full of malevolent packets.
Any response the target is able to send during a TCP amplification
attack is a bonus prize, but is not required for the attack to succeed.

-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);





Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Christopher L. Morrow


On Thu, 16 Jan 2003, hc wrote:

>
> This type of DRDOS (Distributed Reflective Denial of Service Attack) is
> commonly known to network operators, as well as to many
> script-kiddies.
>
> By forging the source IP address of the attack to the victim's IP, and
> attacking internet backbone routers, this creates an immediate,
> devastating, yet very effective attack. Backbone routers, seeing this as
> legitimate packets simply reply back to the victim.
>
> I guess the question is, what are the internet backbones doing these
> days to evade the outcome of reflected DoS attacks? Are they simply
> going to let their routers be the middleman to kick off innocent hosts?
>
> SYN cookies and various other methods to control DoS attacks are only

Because syn cookies are available on routing gear??? Either way syn
cookies are not going to keep the device from sending a 'syn-ack' to the
'originating host'.

> used by smart ISPs.. And considering most ISPs do not even care about
> egress filters, I don't believe any of these methods will work for quite
> some time to come.
>
> -hc




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Christopher L. Morrow


On Thu, 16 Jan 2003, Brad Laue wrote:

>
> Having researched this in-depth after reading a rather cursory article
> on the topic (http://grc.com/dos/drdos.htm), only two main methods come
> to my mind to protect against it.
>
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
>
> To my knowledge the network encompassing the target host is largely
> unable to protect itself other than 'poisoning' the route to the host in
> question. This succeeds in minimizing the impact of such an attack on
> the network itself, but also achieves the end of removing the target
> host from the Internet entirely. Additionally, if the targeted host is
> a router, little if anything can be done to stop that network from going
> down.
>
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many
> small or large networks (correct me if I'm wrong on this point). If ECN
> is a practical solution to an attack of this kind, what prevents its
> implementation? Lack of awareness, or other?

Doesn't ECN depend on 'well behaved' traffic? In other words, wouldn't it
require the hosts sending traffic to slow down? So... even if the hosts
slowed down, 10,000 hosts still is a high traffic rate at the end point.
:(

>
> Also, are there other methods of protecting a targeted network from
> losing functionality during such an attack?
>
> Insights welcome.
>
> Brad
>
> --
> // -- http://www.BRAD-X.com/ -- //
>
>




Re: Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread hc

This type of DRDOS (Distributed Reflective Denial of Service Attack) is 
commonly known to network operators, as well as to many 
script-kiddies.

By forging the source IP address of the attack to the victim's IP, and 
attacking internet backbone routers, this creates an immediate, 
devastating, yet very effective attack. Backbone routers, seeing this as 
legitimate packets simply reply back to the victim.

I guess the question is, what are the internet backbones doing these 
days to evade the outcome of reflected DoS attacks? Are they simply 
going to let their routers be the middleman to kick off innocent hosts?

SYN cookies and various other methods to control DoS attacks are only 
used by smart ISPs.. And considering most ISPs do not even care about 
egress filters, I don't believe any of these methods will work for quite 
some time to come.

-hc



> Having researched this in-depth after reading a rather cursory article
> on the topic (http://grc.com/dos/drdos.htm), only two main methods come
> to my mind to protect against it.
>
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
>
> To my knowledge the network encompassing the target host is largely
> unable to protect itself other than 'poisoning' the route to the host in
> question. This succeeds in minimizing the impact of such an attack on
> the network itself, but also achieves the end of removing the target
> host from the Internet entirely. Additionally, if the targeted host is
> a router, little if anything can be done to stop that network from going
> down.
>
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many
> small or large networks (correct me if I'm wrong on this point). If ECN
> is a practical solution to an attack of this kind, what prevents its
> implementation? Lack of awareness, or other?
>
> Also, are there other methods of protecting a targeted network from
> losing functionality during such an attack?
>
> Insights welcome.
>
> Brad






Is there a line of defense against Distributed Reflective attacks?

2003-01-16 Thread Brad Laue

Having researched this in-depth after reading a rather cursory article
on the topic (http://grc.com/dos/drdos.htm), only two main methods come
to my mind to protect against it.

By way of quick review, such an attack is carried out by forging the
source address of the target host and sending large quantities of
packets toward a high-bandwidth middleman or several such.

To my knowledge the network encompassing the target host is largely
unable to protect itself other than 'poisoning' the route to the host in
question. This succeeds in minimizing the impact of such an attack on
the network itself, but also achieves the end of removing the target
host from the Internet entirely. Additionally, if the targeted host is
a router, little if anything can be done to stop that network from going
down.

One method that comes to mind that can slow the incoming traffic in a
more distributed way is ECN (explicit congestion notification), but it
doesn't seem as though the implementation of ECN is a priority for many
small or large networks (correct me if I'm wrong on this point). If ECN
is a practical solution to an attack of this kind, what prevents its
implementation? Lack of awareness, or other?

Also, are there other methods of protecting a targeted network from
losing functionality during such an attack?

Insights welcome.

Brad

--
// -- http://www.BRAD-X.com/ -- //
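Brad's question of what a target network can do short of poisoning its own route, and hc's later description of the reflected packets as backbone routers "simply replying back to the victim", both come down to recognising the flood for what it is. Seen from the victim's edge, a reflected TCP flood has a distinctive shape: a burst of SYN-ACKs to one local address from many distinct remote hosts, none of which answers a SYN that address ever sent. The following is an added example written for this page, not code from the thread; it assumes flow records with the fields shown, and the addresses and records are constructed. It separates the reflectors from legitimate replies and flags local addresses hit from more than a threshold number of hosts.

```python
"""Victim-side detection of a reflected (DRDoS) TCP flood.

A SYN-ACK that arrives for a local address which never sent a SYN to that
remote host is unsolicited; many such SYN-ACKs from many distinct remote
hosts to one local address is the signature of reflection.  Added example;
the flow records and addresses below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records: (timestamp, src, dst, remote_port, tcp_flags, direction)
# direction "out" = left our network, "in" = arrived from upstream.
# remote_port is the far end's port in both directions, so a SYN we sent and
# the SYN-ACK answering it share the same (local, remote, remote_port) key.
FLOWS = [
    (1.00, "192.0.2.10",   "198.51.100.1", 80,  "S",  "out"),  # our host opens a real connection
    (1.05, "198.51.100.1", "192.0.2.10",   80,  "SA", "in"),   # legitimate reply to it
    (2.00, "203.0.113.1",  "192.0.2.20",   179, "SA", "in"),   # reflector 1 ...
    (2.01, "203.0.113.2",  "192.0.2.20",   179, "SA", "in"),
    (2.02, "203.0.113.3",  "192.0.2.20",   179, "SA", "in"),
    (2.03, "203.0.113.4",  "192.0.2.20",   179, "SA", "in"),
    (2.04, "203.0.113.5",  "192.0.2.20",   179, "SA", "in"),   # ... reflector 5, all unsolicited
    (2.50, "203.0.113.9",  "192.0.2.10",   443, "SA", "in"),   # one stray SYN-ACK, below threshold
]


def unsolicited_synacks(flows: List[tuple]) -> Dict[str, Set[str]]:
    """Map each local address to the set of remote hosts that sent it a
    SYN-ACK without an earlier outbound SYN from that address to that host."""
    opened: Set[Tuple[str, str, int]] = set()   # (local, remote, remote_port) we SYNed to
    suspects: Dict[str, Set[str]] = defaultdict(set)
    for _ts, src, dst, port, flags, direction in sorted(flows):  # time order matters
        if direction == "out" and flags == "S":
            opened.add((src, dst, port))
        elif direction == "in" and flags == "SA" and (dst, src, port) not in opened:
            suspects[dst].add(src)
    return dict(suspects)


def flag_victims(flows: List[tuple], min_reflectors: int = 3) -> List[Tuple[str, int]]:
    """Return [(local_addr, reflector_count)] for local addresses receiving
    unsolicited SYN-ACKs from at least min_reflectors distinct remote hosts."""
    suspects = unsolicited_synacks(flows)
    return sorted((addr, len(srcs)) for addr, srcs in suspects.items()
                  if len(srcs) >= min_reflectors)


if __name__ == "__main__":
    for addr, count in flag_victims(FLOWS):
        print(f"{addr}: unsolicited SYN-ACKs from {count} distinct hosts")
```

The output of `unsolicited_synacks` is the list of reflectors, which is what the victim can hand to its upstream or to the reflectors' operators so that the spoofed inbound stream can be traced back toward its real source (the tracking Chris Morrow describes); the threshold in `flag_victims` keeps a single stray SYN-ACK from tripping the alarm. This does not drain a saturated pipe, as Rob Thomas notes, but it tells the operator which address is under attack and from where before the null-route decision has to be made.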