Re: Is there a line of defense against Distributed Reflective attacks?
> alex> This is a very bad band-aid. The solution is amazingly simple -
>
> Just to be clear, the solution to WHAT is amazingly simple?
>
> alex> make it uneconomical to have unprotected networks,
>
> For whom to have unprotected networks? What constitutes a protected network? How does one make it uneconomical enough?

The amazingly simple solution is to make it uneconomical for anyone to maintain an unprotected network (for whatever two sets uneconomical and unprotected are). For example: have a machine that had been broken into and used to attack a company which lost $5M because of that attack, and make whoever owns the machine that was broken into pay $5M + attorney fees + punitive damages. Suddenly, the unprotected (for whatever the definition of unprotected is) networks disappear, either due to the bankruptcy of the owner or because it becomes cheaper for the owner to maintain those unprotected networks rather than face monetary penalties.

Alex
Re: Is there a line of defense against Distributed Reflective attacks?
From: [EMAIL PROTECTED]

> unprotected are). For example, have a machine that had been broken into and used to attack a company which lost $5M because of that attack, make whoever owns the machine that was broken into pay $5M + attorney fees + punitive damages. Suddenly, the unprotected (for whatever the definition of unprotected is) networks disappear either due to the bankruptcy of the owner or because it becomes cheaper for the owner to maintain those unprotected networks rather than face monetary penalties.

So, if I'm reading this right, a user of Vendor L doesn't like Vendor M. Instead of attacking Vendor M's software, the user just needs to make sure Vendor M's corporate servers get infected and cause enough damage to run Vendor M into bankruptcy from the resulting lawsuits?

What about the small mom and pop shop? Will you watch as an old family business is run into the ground because someone didn't advise them properly on handling security? There is such a thing as making penalties too stiff. Many good businesses would be afraid to participate.

Oh, wait. Never mind. They'd have Internet Vulnerability insurance.

Jack Bates
BrightNet Oklahoma
Re: Is there a line of defense against Distributed Reflective attacks?
On Mon, 27 Jan 2003 15:53:07 EST, [EMAIL PROTECTED] said:

> The amazingly simple solution is to make it uneconomical for anyone to maintain an unprotected network (for whatever two sets uneconomical and unprotected are). For example, have a machine that had been broken into and used to attack a company which lost $5M because of that attack, make whoever owns the machine that was broken into pay $5M + attorney fees + punitive

So the guy who makes $25K a year and has a $400 PC in a single-wide finds himself liable for $5M because Nimda jumped from his PC to some PC in a large corporation, where it then goes on a large burn.

(a) How do you collect?

(b) What does the corporation do when the defense lawyer argues that it's 95% the corporation's fault for *letting* the trailer-trash PC do it? Most corporate execs don't want to go there - they'd have to quantify that they had $5M in damages, and then they'd have to explain to the shareholders why their screw-up cost the shareholders $5M in lost profits/dividends.

It would be a Pyrrhic victory, at best...
Re: Is there a line of defense against Distributed Reflective attacks?
JB> Date: Mon, 27 Jan 2003 15:19:25 -0600
JB> From: Jack Bates
JB>
JB> So, if I'm reading this right, a user of Vendor L doesn't like
JB> Vendor M. Instead of attacking Vendor M's software, the user
JB> just needs to make sure Vendor M's corporate servers get
JB> infected and cause enough damage to run Vendor M into
JB> bankruptcy from the resulting lawsuits?

Hey! Sounds almost like ILEC/CLEC business, dumb patents, et cetera! (Not that I agree with that... not by a longshot... but that's a real risk.)

JB> What about the small mom and pop shop? Will you watch as an
JB> old family business is run into the ground because someone
JB> didn't advise them properly on handling security? There is
JB> such a thing as making penalties too stiff. Many good
JB> businesses would be afraid to participate. Oh, wait. Never
JB> mind. They'd have Internet Vulnerability insurance.

Perhaps IVI is a worthy idea. Misconfigured computers certainly have the potential to cause damages. "We can't afford to do it right" is a poor excuse. Hiring an expert for a few hours is much cheaper than the damage one can cause.

I heard a saying that, "If a business can't afford infrastructure such as accounting, legal, et cetera, it's not a business -- it's a hobby."

Who should bear the brunt of the damage inflicted by others? I don't want to see people slinging ridiculous lawsuits (fast food causes obesity! whoulda thunk?), but I can think of several businesses that are willfully negligent when it comes to security. Should they go unpunished?

Eddy
--
Brotsman Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
> The first MPEG-4 HD set top boxes are beginning to appear
> http://www.sigmadesigns.com/news/press_releases/030108.htm
> Watch this space

If you read the document carefully, you'll figure that they support MPEG2 HDTV (1920x1080) and MPEG4 SDTV (640x480/720x576), which was my point earlier. So they are little less than two cycles of Moore's law away from MPEG4 HDTV. That would put it three years away, but if the market is there, we'll probably see it earlier. SDTV video-over-ip services should take off first though, or we'll end up with peer2peer set top boxes sharing premium channel services over broadband networks.

Pete
Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Wed, 22 Jan 2003, Baldwin, James wrote:

> Something I'm surprised no one has commented on considering the direction of this thread has been should ISPs be responsible for customer actions if they are not allowed to refuse service to customers?

ISP's can't refuse service to customers?

> I'm surprised this hasn't come up since the latter half of the question also represented a fairly popular thread earlier. I'm interested in people's opinions.
>
> James Baldwin
> Worldwide Technology Services and Operations
> Network Operations Center
> Electronic Arts, Inc.
Re: Is there a line of defense against Distributed Reflective attacks?
> Doesn't ECN depend on 'well behaved' traffic? In other words, wouldn't it require the hosts sending traffic to slow down? So... even if the hosts slowed down, 10,000 hosts still is a high traffic rate at the end point. :(

Yes, for ECN to work the sending host must honor the slowdown request. It does happen transparently for most types of sockets; however, the attacker can and will disable ECN with a single syscall.

Alex
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Wed, 22 Jan 2003 11:11:19 -0500 Damian Gerow [EMAIL PROTECTED] wrote:

> (Taking NANOG out, as this is moving a little towards personal conversation)

Apparently, I didn't read my own Cc: line. Sorry, folks.
RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Not to mention the fact that 99.99% of current consumer connections are not up to the task. Standard full-screen video digital stream is ~6Mbps, HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)

As always, it gets down to doing the math, something many dot bombers weren't (aren't) very good at. AOL/Time Warner is just the first major example of this 'not yet ready for prime time' business plan. Not to mention the effect everyone on AOL going to broadband and downloading Disney clips all the time would have on their settlement plans with backbone providers.

When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'. Until then, your mileage may vary. You might also see some change in settlement plans and consumer pricing about that same time.

Best regards,
__
Al Rowland

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vadim Antonov
Sent: Tuesday, January 21, 2003 5:51 PM
To: todd glassey
Cc: [EMAIL PROTECTED]
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

On Tue, 21 Jan 2003, todd glassey wrote:

> Vadim - the instant someone sues a Provider for sexual harassment from their spam epidemic you will start to see things change. The reason that No-Sane provider will block these ports or services is because they have been listening to their Network Admins too long,

We were talking about P2P, not spam. P2P participants _want_ to talk to each other, unlike a spammer and his victims. ISPs already aggressively fight spammers by terminating their service completely - no port blocking or lawsuits are needed.

Blocking ports is not going to prevent communication between parties which wish to communicate. And carriage of bits is about an order of magnitude bigger economically than the whole entertainment industry. RIAA already was stupid enough to make enemies of telcos (with that Verizon lawsuit).

The tech industry was bending themselves over to court Hollywood because the common wisdom was that the content is going to be what people will pay for. Wrong. Content-based dotcoms died, and people still pay for Internet connectivity, in ever-increasing numbers. And spend more and more time in front of computers instead of TVs. Simply because live people on the other end of the wire are infinitely more interesting than the prechewed corporate crud called "content".

So I think we'll see some fireworks on the legal front, but the outcome is already clear - unfiltered connectivity is what consumers wish to pay for, not the sanitized disneys.

--vadim
RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:

> Not to mention the fact that 99.99% of current consumer connections are not up to the task. Standard full-screen video digital stream is ~6Mbps, HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)

Drifting off-topic, but those are 'raw' data rates. Compression algorithms along with motion-estimation allow you to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss. That puts you into DSL/Wireless range.

> As always, it gets down to doing the math, something many dot bombers weren't (aren't) very good at. AOL/Time Warner is just the first major example of this 'not yet ready for prime time' business plan. Not to mention the effect everyone on AOL going to broadband and downloading Disney clips all the time would have on their settlement plans with backbone providers.
>
> When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'. Until then, your mileage may vary. You might also see some change in settlement plans and consumer pricing about that same time.

I think you'll see it long before every house has fiber run to it. My 2 cents anyway.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Speaking of HDSL over copper, does anyone know anything about a company called Rose Tekephone that reportedly has an HDTV over T1 service?

- Original Message -
From: Chris Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 22, 2003 1:02 PM
Subject: RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:
>
>> Not to mention the fact that 99.99% of current consumer connections are not up to the task. Standard full-screen video digital stream is ~6Mbps, HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)
>
> Drifting off-topic, but those are 'raw' data rates. Compression algorithms along with motion-estimation allow you to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss. That puts you into DSL/Wireless range.
>
>> As always, it gets down to doing the math, something many dot bombers weren't (aren't) very good at. AOL/Time Warner is just the first major example of this 'not yet ready for prime time' business plan. Not to mention the effect everyone on AOL going to broadband and downloading Disney clips all the time would have on their settlement plans with backbone providers.
>>
>> When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'. Until then, your mileage may vary. You might also see some change in settlement plans and consumer pricing about that same time.
>
> I think you'll see it long before every house has fiber run to it. My 2 cents anyway.
>
> -Chris
> Chris Parker, Director, Engineering, StarNet Inc. - http://www.starnetwx.net - (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net
OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?
1. I also remember when web page standards required you to design everything to fit in a 640x400 screen. DTV/HDTV will significantly change your 'not much in the way of image quality loss' yardstick. My viewing habits have changed significantly in the year plus I've been DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality (which is lower than HDTV) is better than most movie theaters and there's no gum/spilled drink (most of the time) on my floor.

2. I already have it. It's called broadcast. $100 (could have been less but I always over design) antenna and $20 of coax. No monthly fee. I do pay for the DirecTV feed, but that's a separate flame war.

Of course, you could just as easily be right.

Best regards,
__
Al Rowland

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Parker
Sent: Wednesday, January 22, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:
>
> SNIP
>
> Drifting off-topic, but those are 'raw' data rates. Compression algorithms along with motion-estimation allow you to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss.
>
> SNIP
>
> I think you'll see it long before every house has fiber run to it. My 2 cents anyway.
>
> -Chris
> Chris Parker, Director, Engineering, StarNet Inc. - http://www.starnetwx.net - (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Al Rowland [EMAIL PROTECTED] writes:

> mention the effect everyone on AOL going to broadband and downloading Disney clips all the time would have on their settlement plans with backbone providers.

Of course, because you are definitely being kept in the loop regarding the AOL settlement plans?

/vijay
Re: OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?
At 10:58 AM 1/22/2003 -0800, Al Rowland wrote:

> 1. I also remember when web page standards required you to design everything to fit in a 640x400 screen. DTV/HDTV will significantly change your 'not much in the way of image quality loss' yardstick. My viewing habits have changed significantly in the year plus I've been DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality (which is lower than HDTV) is better than most movie theaters and there's no gum/spilled drink (most of the time) on my floor.

Agreed, however the source video that I've seen demoed is from DVD. Side by side comparison shows slight degradation, but solo viewing is more than adequate. This also isn't targeted to people at the end of the bell curve for technology adopters and purists, rather at the fat middle section that isn't upgrading to (or doesn't care about) HDTV yet and for whom current digital video quality is just fine.

> 2. I already have it. It's called broadcast. $100 (could have been less but I always over design) antenna and $20 of coax. No monthly fee. I do pay for the DirecTV feed, but that's a separate flame war.

Last I checked premium channels came via Cable or Satellite. :) If you have a separate DSL line and DirecTV then you are doubling up on delivery costs. Would the average consumer like to add video to their DSL connection? The cable company cuts you a deal if you have video and data on the same line. Wouldn't the telcos like to compete in that market?

> Of course, you could just as easily be right.

Who knows? :) Reality will probably end up somewhere in the middle.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
> Drifting off-topic, but those are 'raw' data rates. Compression algorithms along with motion-estimation allow you to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss.

Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred. The 6 and 19.8 are already compressed. Obviously putting more horsepower to the compression you can achieve smaller data rates. However applying for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational requirements beyond current consumer state of the art.

> I think you'll see it long before every house has fiber run to it.

75% is enough.

Pete
Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Hello;

On Wednesday, January 22, 2003, at 06:04 PM, Petri Helenius wrote:

>> Drifting off-topic, but those are 'raw' data rates. Compression algorithms along with motion-estimation allow you to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss.
>
> Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred. The 6 and 19.8 are already compressed. Obviously putting more horsepower to the compression you can achieve smaller data rates. However applying for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational requirements beyond current consumer state of the art.

The first MPEG-4 HD set top boxes are beginning to appear
http://www.sigmadesigns.com/news/press_releases/030108.htm
Watch this space

Regards
Marshall Eubanks

>> I think you'll see it long before every house has fiber run to it.
>
> 75% is enough.
>
> Pete

T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624 Fax : 703-293-9609
e-mail : [EMAIL PROTECTED] http://www.multicasttech.com
Test your network for multicast : http://www.multicasttech.com/mt/
Status of Multicast on the Web : http://www.multicasttech.com/status/index.html
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Andy -

- Original Message -
From: Andy Dills [EMAIL PROTECTED]
To: todd glassey [EMAIL PROTECTED]
Cc: Vadim Antonov [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, January 22, 2003 9:07 AM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> On Tue, 21 Jan 2003, todd glassey wrote:
>
>> Vadim - the newest form of SPAM uses the Messenger facility to place a pop-up in the middle of your screen without any email, pop, smtp or other service being involved. I apologize for the tone of the first posting, but I still stand by it. When ISP's are held accountable for what people do with the BW they sell them, then these issues will all be moot. Until then, the lie is that there is no way to stop these behaviors and it's the one the ISP's proffer exclusively.
>
> No, we evil network admins are NOT saying there is no way to stop these behaviors. We're saying that the solutions put such a crimp on open standards and legitimate behavior that their value is negative.

Who gave you the right to decide which laws you were going to abide by and which ones you were not?

> The problem is a social one, not a technical one. The technical problem is the vulnerability that exists; the social problem is that as long as ANY vulnerability exists, people will try to exploit that vulnerability.

The reason that the vulnerability is there is because of TCP/IP's inherent weaknesses, but that aside, there are processes that could easily be put in place to address these issues. The problem is that they cost money, and that means they have to be paid for, and ISP's like many other businesses are run to be as profitable as possible, so that means that their owners will do as little as humanly possible to address these issues to keep the bottom lines where they are... Otherwise there wouldn't be the problems with SPAM and DDoS or other Attack Forms that exist today.

> Technology can mitigate the vulnerabilities, but it cannot mitigate the desire to exploit.

So then the problem is the ISP's facilitating the evil forces of the world to do their worst???

> For instance, substitute airport for network, as in airport security.

Well, this is really funny - see, I used to do Network and Systems Operations for UAL at the SFO site and I think your commentary is so funny it's almost ludicrous. The problems with the Airlines is the ALPA and its membership and the various other Unions that have a stranglehold on the carriers. You folks are not unionized, are you?

> There are ways for law enforcement to be 100% positive that no terrorist ever steps foot on a plane. Unfortunately, the cost involved, along with the reduction in efficiency, would make normal travel impossible.

The same is not true of networking though.

> Do you try to hold real estate developers responsible for what the homeowner does with their house? Do you try to hold the power company responsible for the people who use their electricity to grow weed?

Of course not - but I do hold the provider responsible for not enforcing the laws regarding digital fraud. And every time one of your email servers passes a forged email along another hop in its trip, you actively participate in the fraud, so you are not the grower of the weed but rather the reseller of it.

> I assume you were beating down the doors of Congress, trying to get rock artists to be responsible for the people who committed suicide after listening to their albums?

Hardly, and Tipper and I disagree on many things.

> Andy
>
> Andy Dills 301-682-9972
> Xecunet, LLC www.xecu.net
> Dialup * Webhosting * E-Commerce * High-Speed Access
OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Something I'm surprised no one has commented on considering the direction of this thread has been: should ISPs be responsible for customer actions if they are not allowed to refuse service to customers? I'm surprised this hasn't come up since the latter half of the question also represented a fairly popular thread earlier. I'm interested in people's opinions.

James Baldwin
Worldwide Technology Services and Operations
Network Operations Center
Electronic Arts, Inc.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Vadim - the instant someone sues a Provider for sexual harassment from their spam epidemic you will start to see things change. The reason that No-Sane provider will block these ports or services is because they have been listening to their Network Admins too long, and in fact the problem is that they are not sane providers. What they are, and this is pretty much true across the board, is people that just don't care what they do to earn a buck, otherwise we would not have these problems, and this is especially true of those Network Operators that push all those billions of bytes of illicit SPAM and throw their hands up and say "What do you expect us to do" - well, the answer is simple. I expect you folks to operate within the law and to cooperate in stopping people who use your services in violation of the laws. And if the providers out there don't like that - then they should find other businesses.

Todd Glassey

- Original Message -
From: Vadim Antonov [EMAIL PROTECTED]
To: Avleen Vig [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, January 20, 2003 7:59 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> On Mon, 20 Jan 2003, Avleen Vig wrote:
>
>> On Mon, 20 Jan 2003, Christopher L. Morrow wrote:
>>
>>> I was referring specifically to end user workstations. For example home machines on dial up or broadband connections. A lot of broadband providers already prohibit running servers and block certain inbound ports (eg 21 and 80).
>>
>> *shrug* just seems like it would make more sense to block all incoming 'syn' packets.
>>
>> Indeed it does break that. P2P clients: Mostly transfer illegal content. As much as a lot of people love using these, I'm sure most realise they're on borrowed time in their current state.
>
> Well, blocking TCP SYNs is not a way to block establishment of sessions between _cooperating_ hosts. Simply make a small hack in TCP stack to leave SYN flag clear, and use some other bit instead.
>
> To really block something you need an application proxy... and then there are always ways to subvert those. Elimination of covert channels is one of the hardest problems. In any case, no sane provider will restrict traffic only to applications which can be served by its proxies.
>
> Going further, the growing awareness of the importance of security will cause more and more legitimate apps to create totally indiscriminate encrypted traffic... and it is a good idea to routinely encrypt all traffic, to avoid revealing the importance of particular communications. Leaving the identity of applications (different port #s) in the clear is also a bad idea, security-wise.
>
> --vadim
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Stoned koalas drooled eucalyptus spit in awe as Avleen Vig exclaimed:

>> Doesn't this stop kazaa/morpheus/gnutella/FTP/some aim stuff like private chats? This is a problematic setup, and would require the cable modem provider to maintain a quickly changing 'firewall' :( I understand the want to do it, but I'm not sure it's practical to see it happen based solely on the hassle factor :(
>
> Hmm, security, you gotta pay to play (Some famous man once said that I believe)
>
> Indeed it does break that. P2P clients: Mostly transfer illegal content. As much as a lot of people love using these, I'm sure most realise they're on borrowed time in their current state.

And it's your job as a network provider to determine the legality of your users' activities? Plus, you said the magic word "mostly". What about legit uses of P2P networks? Do you also stop your users from using NNTP as well, since it's mostly used for porn and warez? How about email? Since, from the looks of my mail logs, SMTP traffic is mostly spam and sircam. :)

I'm sure your users would certainly pack up and take their business elsewhere if you placed these restrictions on them. Why not just put them all behind a firewall on RFC-1918 addresses, if you are going to block all incoming SYNs?

> And I'm sure that if they were gone tomorrow, I'm sure they'd be back in another fashion soon.

Any true P2P system is going to need at least one end user to receive a SYN.

> Ftp/HTTP etc I believe most cable providers currently block these anyway. I also believe this is usually stated in their TOS that they're not allowed to run services on their home computers.

If I'm on IRC and I initiate an outgoing DCC chat, the open port on my box awaiting the connection is hardly a "service".

> There's a chance it'd break things like file transfers on IM clients but I'm sure they'd be altered too.

Unless I'm missing something, wouldn't it be necessary to modify both the clients and the servers to pass all FT traffic through the servers? I'm sure those who sell bandwidth to AOL and Yahoo would love it if they did that, but I don't see it happening.

-Jeff
--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
And there are legal uses for p2p. I have a customer who works with some of these technologies for legal and approved file transfers like game publishing.

- Original Message -
From: Christopher L. Morrow [EMAIL PROTECTED]
To: Avleen Vig [EMAIL PROTECTED]
Cc: Christopher L. Morrow [EMAIL PROTECTED]; Daniel Senie [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, January 20, 2003 5:22 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> On Mon, 20 Jan 2003, Avleen Vig wrote:
>
>>> Doesn't this stop kazaa/morpheus/gnutella/FTP/some aim stuff like private chats? This is a problematic setup, and would require the cable modem provider to maintain a quickly changing 'firewall' :( I understand the want to do it, but I'm not sure it's practical to see it happen based solely on the hassle factor :(
>>
>> Hmm, security, you gotta pay to play (Some famous man once said that I believe)
>>
>> Indeed it does break that. P2P clients: Mostly transfer illegal content. As much as a lot of people love using these, I'm sure most realise they're on borrowed time in their current state. And I'm sure that if they were gone tomorrow, I'm sure they'd be back in another fashion soon.
>
> That may be, but it's still a problem... I believe http and ftp also transfer illegal content, should we shut them down? Email too? Often there is illegal content in email. :(
>
>> Ftp/HTTP etc I believe most cable providers currently block these anyway
>
> :-) for FTP I was talking about non-passive data traffic.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
> *shrug* just seems like it would make more sense to block all incoming 'syn' packets. Wouldn't that be faster than inspecting the destination port against two separate rules?

Blocking all SYN's will break too much other stuff (Instant Messengers, games ...). I think we would be much better off if they (consumer ISPs) would block 135-139 and 445, maybe 21 and 80. The rest could be handled with a simple IDS (doesn't even need to match patterns... just count packets going to 27374 and the like).

I keep saying ISPs would be much better off if they implement these filters. But not all of them agree. IMHO: less 'zombies' - better service - less support phone calls.

--
[EMAIL PROTECTED]
Collaborative Intrusion Detection
join http://www.dshield.org
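The two mechanisms the post above proposes, an inbound port block at the consumer edge and a pattern-free IDS that just counts packets to a port such as 27374, as an added illustration that is not part of the thread. The flow records, the customer prefix (192.0.2.0/24), the outside addresses and the probe threshold are all constructed for the example; the port list is the one the post names.

```python
"""Added example (not from the thread): consumer-edge inbound port block plus
a packet-counting IDS of the kind the post describes. All addresses and flow
records below are constructed sample data."""
from ipaddress import ip_address, ip_network

# Inbound TCP ports the post suggests consumer ISPs block at the customer edge.
BLOCKED_INBOUND_TCP = {21, 80, 135, 136, 137, 138, 139, 445}

# Port whose raw volume is worth counting: 27374 is the one the post names.
WATCHED_PORTS = {27374}

# Distinct customer hosts a source may probe on a watched port before it is
# flagged (constructed threshold, not from the post).
PROBE_THRESHOLD = 3

# Constructed customer address space (RFC 5737 documentation prefix).
CUSTOMER_NET = ip_network("192.0.2.0/24")

# Constructed sample flows: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 27374),   # one outside host sweeping 27374
    ("203.0.113.5", "192.0.2.11", 27374),
    ("203.0.113.5", "192.0.2.12", 27374),
    ("203.0.113.5", "192.0.2.13", 27374),
    ("198.51.100.7", "192.0.2.10", 445),    # inbound to a blocked port
    ("198.51.100.7", "192.0.2.10", 80),     # inbound to a blocked port
    ("198.51.100.9", "192.0.2.20", 443),    # ordinary inbound, passes
    ("192.0.2.10", "198.51.100.9", 80),     # customer browsing out: never blocked
    ("198.51.100.9", "192.0.2.21", 27374),  # single probe, below threshold
]


def is_inbound(src, dst):
    """Inbound means: from outside the customer prefix to a customer host."""
    return ip_address(dst) in CUSTOMER_NET and ip_address(src) not in CUSTOMER_NET


def apply_edge_filter(flows):
    """Split flows into (passed, blocked) under the inbound port block list.
    Outbound customer traffic is never touched, which is why this list does
    not break the customer's own browsing or FTP use."""
    passed, blocked = [], []
    for src, dst, dport in flows:
        if is_inbound(src, dst) and dport in BLOCKED_INBOUND_TCP:
            blocked.append((src, dst, dport))
        else:
            passed.append((src, dst, dport))
    return passed, blocked


def count_probes(flows):
    """Per (source, watched port): number of distinct customer hosts touched.
    This is the post's 'just count packets' IDS: no payload patterns at all."""
    targets = {}
    for src, dst, dport in flows:
        if is_inbound(src, dst) and dport in WATCHED_PORTS:
            targets.setdefault((src, dport), set()).add(dst)
    return {key: len(hosts) for key, hosts in targets.items()}


def flag_scanners(flows, threshold=PROBE_THRESHOLD):
    """Sources that probed at least `threshold` customer hosts on a watched port."""
    return sorted({src for (src, _port), n in count_probes(flows).items() if n >= threshold})


if __name__ == "__main__":
    passed, blocked = apply_edge_filter(SAMPLE_FLOWS)
    print(f"blocked {len(blocked)} inbound flows on listed ports, passed {len(passed)}")
    print("flagged sources:", flag_scanners(SAMPLE_FLOWS))
```

Counting distinct destination hosts rather than raw packets is what keeps a single chatty but legitimate peer from tripping the threshold; a sweep across many customers on one port is the signal the post is after.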
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Christopher, IP filtering is something that needs to be legally mandated and put in place at both ends. Any tier-2/3 provider should be held accountable for any fraud's that they enable their customers to commit, since there is no other technical point of responsibility possible. As to spoofed IP's that also is an issue, and the failure of the ISP's to put in place an infrastructure where they could enact better controls is part in parcel to their public denial of responsibility for what their customers do. But I think that those days are rapidly coming to a close, and the Network Providers will be called to task. As to TCP/IP and the inherent design flaws that allow people to spoof it, those to are much the responsibility of the networking community as a whole as well and need to be addressed therein. You nor any of the ISP's may like this but the facts of the matter are pretty clean and easily discerned and they all point to the Governance Model for developing and releasing protocols whole cloth on the Internet, no matter what they enable people to do. Its time to take a close accounting of what this Internet thing really is and put some stronger legislation in place. Todd Glassey - Original Message - From: Christopher L. Morrow [EMAIL PROTECTED] To: Stewart, William C (Bill), RTLSL [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, January 17, 2003 6:29 PM Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote: -Original Message- From: Stewart, William C (Bill), RTLSL Sent: Friday, January 17, 2003 5:35 PM To: '[EMAIL PROTECTED]' Subject: Re: Is there a line of defense against Distributed Reflective attacks? Many of these attacks can be mitigated by ISPs that do anti-spoofing filtering on input - only accepting packets from user ports Sure, but this is a proven non-scalable solution. HOWEVER, filtering as close to the end host is scalable and feasible... 
do it there, it makes MUCH more sense to do it there. that have IP addresses that are registered for that port, and not accepting incoming packets from outside their network that claim to be from inside (except maybe from registered dual-homed hosts.) This cuts down on many opportunities for forgery, and means that SYN Flood attacks have a much more limited set of addresses they can forge (e.g. an attacker or zombie can only impersonate other ips sharing its /24 or /29, so it can't pretend to be its victim in a reflection or smurf attack.) That doesn't stop all reflection attacks; a zombie on a network that doesn't do anti-spoofing can send SYNs to a big server on a network that also doesn't anti-spoof, so the server will still SYN-ACK it's not the 'server' that needs 'anti-spoof', it's the end host, the machine in your living room that is on a cable modem for instance... the server in this instance is a simple, innocent, machine doing its business. to the victim. This cuts out a lot of potential zombie/server pairs. If the server that's being used for reflection is someone the victim would often talk to, that's a problem (you'd rather not block connections to Yahoo), but if it's someone the victim doesn't care about talking to (like router23.example.net) you don't mind blocking it. (Also, why is router23.example.net SYNACKing somebody it doesn't know?) This is an interesting point. The routers shouldn't really syn-ack (in this example) bgp from 'unknown' places... unless you are a neighbor you get squat, or that would be a nice feature, eh? :) For some folks, the problems aren't confined to just bgp, telnet or ssh on routers are also problematic, vty acl's are important :) But there are probably 20 million web servers or Kazaa or IM clients out there, and probably half of them are on networks that don't spoof-proof, so blocking those is much tougher than blocking the big ones. And next stop - reflection attacks using big domain servers...
Hmm, I'm not sure, again, that the spoof proof needs to be on the kazaa server network, it needs to be on the network where the originating attacker is, preferably as close to that host as possible, like its default router... Now, the problems with 60 million kazaa clients opening the floodgates on you are a whole nother problem :)
RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
This whole 'Internet Thing' is one of the wonders of the modern world. A public transport system that has handled growth easily and efficiently for many years. Some people get leisure from it, some make money from it, some do research on it, some communicate on it. It is one of the most pervasive things I've seen. Because of the internet's inherent distributed nature, legislation will get you nowhere, and besides, legislation is the easy way out, and not very effective at that. Market forces and the golden rule (if that combo actually works, I'd be amazed) should drive the direction of this dynamic animal we call 'The Internet'. If we lived in Nirvana, the Internet would be a beautiful thing. But as we live in reality, we have to take the good with the bad. But overall, I think the Good is winning over the Bad. I say: Cool. Ray Burkholder -Original Message- From: todd glassey [mailto:[EMAIL PROTECTED]] Sent: January 19, 2003 12:02 To: Christopher L. Morrow; Stewart, William C (Bill), RTLSL Cc: [EMAIL PROTECTED] Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? You nor any of the ISPs may like this, but the facts of the matter are pretty clean and easily discerned and they all point to the Governance Model for developing and releasing protocols whole cloth on the Internet, no matter what they enable people to do. It's time to take a close accounting of what this Internet thing really is and put some stronger legislation in place. Todd Glassey - Original Message - From: Christopher L. Morrow [EMAIL PROTECTED] To: Stewart, William C (Bill), RTLSL [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, January 17, 2003 6:29 PM Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Re: Is there a line of defense against Distributed Reflective attacks?
Without getting too much into the likelihood of any legal body actually understanding anyone's role in an attack besides the attacker and the victim, in this land where tobacco companies are sued by smokers who get lung cancer and fast food restaurants are sued by fat people there must be room for such cases as: XYZ Corp cost me $5mil in lost business. They were negligent in securing their (network|host) from being used as a DoS attack tool despite being informed of such by us both before and during said attack. and I always thought the US legal system was flawed. Where do I file? :) - kurtis -
RE: Is there a line of defense against Distributed Reflective attacks?
What incentive does the end-user have to use secure systems? Should Microsoft, Sun, Sendmail Inc or ISC be required to send a technician out to fix every defective system they released? Why should the ISP be held accountable for the defects created by others? Car makers have to fix defective cars, not the highway department. Without jumping into this discussion, I would like to make the point that if a car on the highway drops something... a pebble, a window, tacks, or any other item on the highway that is potentially hazardous or inconvenient to others who want to use that highway... the car manufacturer doesn't come out, the highway department does. As long as the car _moves_ under its own power across the highway, it's essentially not the car manufacturers' (or the consumers') immediate concern. Deepak Jain AiNET
Re: Is there a line of defense against Distributed Reflective attacks?
On Mon, Jan 20, 2003 at 12:25:27AM -0500, Deepak Jain mooed: As long as the car _moves_ under its own power across the highway, its essentially not the car manufacturers' (or the consumers') immediate concern. That's really not true. Before car companies sell cars, they pass (lots of) safety certification tests. Before owners drive cars legally, they pass a safety and emissions test. Sure, the highway folks clean up after the occasional tire blowout, but there's been a lot of work put in to make sure that the engines aren't going to drop out on a regular basis. If the Internet was a highway, it would be covered in burned-out engines. -Dave -- work: [EMAIL PROTECTED] me: [EMAIL PROTECTED] MIT Laboratory for Computer Science http://www.angio.net/ I do not accept unsolicited commercial email. Do not spam me.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
At 09:29 PM 1/17/2003, Christopher L. Morrow wrote: On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote: -Original Message- From: Stewart, William C (Bill), RTLSL Sent: Friday, January 17, 2003 5:35 PM To: '[EMAIL PROTECTED]' Subject: Re: Is there a line of defense against Distributed Reflective attacks? Many of these attacks can be mitigated by ISPs that do anti-spoofing filtering on input - only accepting packets from user ports Sure, but this is a proven non-scalable solution. HOWEVER, filtering as close to the end host is scalable and feasible... do it there, it makes MUCH more sense to do it there. Well, let's see... on dialup circuits it should be done and should be a no-brainer. After all, ISPs are required (by UUNet at least) to push in filters to ensure dialup users can only reach port 25 of that ISP's mail servers and be blocked from all other spots. How hard is it to push in one more filter that checks the source IP address of the dialup user to ensure the address coming from the user is the one assigned? Sure, dialups are not the only problem, but it's an example of blocking close (very close) to the edge. Each time an ISP sells a T1 with a router and assigns a block of addresses, there's an opportunity to configure that router with filters (ingress/egress depending on which side you look at it from) and at least simple firewalling rules. Is this an expense to the installing ISP, or a cost savings in not having to deal with attacks that came from that network later? Even when a customer provides the CPE, providing sample configurations really costs little and would help. In many cases, the vendor supplying that T1 is one of the same companies which also handles the core so it's REALLY in their best interest to take little steps to protect their edges (hard to point fingers from the core and say it's the edge vendor's problem when you're also the edge vendor in some cases).
While it's nice that router vendors implemented unicast RPF to make configuration in some cases easier, using simple ACLs isn't necessarily hard at the edges either. The stumbling block for ingress filtering has always been pretty simple: By implementing ingress, the network you save will be someone else's. You have to trust that other network operators will implement ingress filtering and in so doing save your network. Sadly, folks tend to avoid doing things that might help others, and so I continue to wait for a negligence lawsuit to wake folks up on this issue. Eliminating spoofed addresses from the backbone, even if it were possible to do 100%, would not eliminate denial of service attacks. The DDoS attacks using coordinated owned machines demonstrate this. As spoofing becomes more difficult, tracing back the source of attacks becomes easier. Network operators will still find machines on their networks performing attacks, but when that phone call comes from another network with attack details, the chances of finding the offending host are much greater.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Sat, Jan 18, 2003 at 08:58:13AM -0500, Daniel Senie wrote: While it's nice that router vendors implemented unicast RPF to make configuration in some cases easier, using simple ACLs isn't necessarily hard at the edges either. It might be nice if all router vendors were able to associate the interface configured address(es)/nets as a variable for ingress filters. So, for instance, in the Cisco world a simple example would be:
interface Serial0
 ip address 192.0.2.1 255.255.255.128
 ip access-group 100 in
!
interface Serial1
 ip address 192.0.2.129 255.255.255.128
 ip access-group 100 in
!
access-list 100 permit ip $interface-routes any
access-list 100 deny ip any any
Those sorts of features could make the scaling issue much easier for large providers and environments where routers may have lots of interfaces. An operator could also essentially build tools to automatically configure/verify configurations this way, but I think it would be better for the router vendors to do this for us. John
Re: Is there a line of defense against Distributed Reflective attacks?
In message [EMAIL PROTECTED], David G. Andersen writes: On Fri, Jan 17, 2003 at 01:11:14AM -0500, David G. Andersen mooed: b) Ioannidis and Bellovin proposed a mechanism called Pushback for automatically establishing router-based rate limits to staunch packet flows during DoS attacks. [NDSS 2002, Implementing Pushback: Router-Based Defense Against DDoS Attacks] I should have been a bit more accurate here. The proposal for pushback is actually earlier than the implementation paper I cited above: Controlling High Bandwidth Aggregates in the Network. Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. July, 2001. and it also included an internet-draft: http://www.aciri.org/floyd/papers/draft-floyd-pushback-messages-00.txt I believe that Steve Bellovin gave a talk about it at NANOG 21: http://www.research.att.com/~smb/talks/pushback-nanog.pdf Here are the citations to the published papers: # Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker, Controlling High Bandwidth Aggregates in the Network, Computer Communications Review 32:3, July 2002, pp. 62-73. http://www.research.att.com/~smb/papers/pushback-CCR.ps # John Ioannidis and Steven M. Bellovin, Implementing Pushback: Router-Based Defense Against DDoS Attacks, NDSS, February 2002. http://www.research.att.com/~smb/papers/pushback-impl.ps The publication dates notwithstanding, Mahajan et al. came first. As for the I-D -- we haven't had the cycles to work on it. There's reason to hope that activity will pick up. Re: I'm not sure it's all that practical. I don't see that it's helpful if it turns off services 'automatically' In theory, it doesn't turn off the service to all comers; it turns off the service along pipes from which the attack is coming. Just how good a job it will do at stopping collateral damage will depend on how far back there are pushback-enabled routers.
If an ISP deployed it, but didn't speak pushback to its neighbors, clients on that same ISP's network should be able to access the service, as could peers who weren't the source of the garbage. But if some peer is sending an OC-12's worth of DDoS packets -- yes, all clients (or transit users) of that peer would be shut out. ICMP traceback is the subject of the IETF itrace working group. draft-ietf-itrace-03.txt just came out yesterday. The SPIE hash-based traceback is a much cooler idea, but it has some practical limitations, including the need to do the trace in more or less real-time (once the hash table fills up, it becomes useless), and the need for very large amounts of very fast memory on the tracing routers. There was an IETF BoF on it, but the folks behind it haven't been pushing it much. (Randy, do you know the status of it?) Both itrace and hash-based trace have some technical issues. itrace can handle only DoS-type attacks, since it's statistical in nature; hash-based traceback can, in theory, trace a single packet. But the real problem with either idea is this: suppose that you know, unambiguously and unequivocally, that 750 zombies are attacking you. What do you do with that information? --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book)
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Once upon a time, John Kristoff [EMAIL PROTECTED] said: It might be nice if all router vendors were able to associate the interface configured address(es)/nets as a variable for ingress filters. So, for instance, in the Cisco world a simple example would be:
interface Serial0
 ip address 192.0.2.1 255.255.255.128
 ip access-group 100 in
!
interface Serial1
 ip address 192.0.2.129 255.255.255.128
 ip access-group 100 in
!
access-list 100 permit ip $interface-routes any
access-list 100 deny ip any any
How is this different than ip verify unicast reverse-path (modulo CEF problems and bugs, which of course NEVER happen :-) )? Multihomed customers are more interesting, but if all the single homed customers had uRPF (or $VENDOR's equivalent) enabled it would cut down on a significant amount of the spoofed traffic. -- Chris Adams [EMAIL PROTECTED] Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
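The two messages above (John's '$interface-routes' ACL and Chris's point that strict uRPF does the same job for a single-homed customer) describe one check: an inbound packet on an access interface may only carry a source inside the network configured on that interface. The tool below is an added illustration written for this thread, not vendor code or the posters' own; it expands the placeholder into concrete per-interface ACLs for the two Serial interfaces quoted above and applies the same check to a zombie trying to spoof a constructed victim address (203.0.113.5), showing that the edge drops the spoof but the zombie can still claim other addresses in its own /25, which is Bill's earlier point about the reduced set of forgeable addresses.

```python
"""Per-interface ingress filter generation and a strict uRPF-style source check.

Added example for the NANOG thread; hypothetical tool, not vendor or poster code.
Interface addresses come from the quoted config (192.0.2.0/25 and 192.0.2.128/25);
the victim address 203.0.113.5 is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: str      # dotted-quad interface address, e.g. 192.0.2.1
    netmask: str      # dotted-quad subnet mask, e.g. 255.255.255.128
    acl_number: int   # ACL applied inbound on this interface

    @property
    def network(self) -> ipaddress.IPv4Network:
        """The connected network: what '$interface-routes' would expand to."""
        return ipaddress.IPv4Network(f"{self.address}/{self.netmask}", strict=False)


def ingress_acl(iface: Interface) -> list[str]:
    """Concrete ACL lines: permit the connected net (Cisco wildcard mask), deny the rest."""
    net = iface.network
    return [
        f"access-list {iface.acl_number} permit ip {net.network_address} {net.hostmask} any",
        f"access-list {iface.acl_number} deny ip any any",
    ]


def render_config(interfaces: list[Interface]) -> str:
    """Full IOS-style snippet: interface stanzas followed by one ACL per interface."""
    lines: list[str] = []
    for iface in interfaces:
        lines += [
            f"interface {iface.name}",
            f" ip address {iface.address} {iface.netmask}",
            f" ip access-group {iface.acl_number} in",
            "!",
        ]
    for iface in interfaces:
        lines += ingress_acl(iface)
    return "\n".join(lines)


def source_allowed(iface: Interface, src: str) -> bool:
    """Strict check: an inbound packet may only carry a source inside the interface's net."""
    return ipaddress.IPv4Address(src) in iface.network


# Constructed topology: two single-homed customer circuits on one access router.
SERIAL0 = Interface("Serial0", "192.0.2.1", "255.255.255.128", 101)
SERIAL1 = Interface("Serial1", "192.0.2.129", "255.255.255.128", 102)
VICTIM = "203.0.113.5"  # constructed address of a host on some other network


def reflection_attempts(iface: Interface) -> dict[str, bool]:
    """What a zombie behind `iface` can and cannot claim as its source.

    Spoofing the remote victim (what a reflection attack needs) is dropped at
    the edge; only addresses in the zombie's own /25 get through, so the set of
    forgeable addresses shrinks to that one prefix.
    """
    return {
        VICTIM: source_allowed(iface, VICTIM),                # False: dropped at the edge
        "192.0.2.77": source_allowed(iface, "192.0.2.77"),    # True: same /25, still forgeable
        "192.0.2.200": source_allowed(iface, "192.0.2.200"),  # False: that net is on Serial1
    }


if __name__ == "__main__":
    print(render_config([SERIAL0, SERIAL1]))
    print(reflection_attempts(SERIAL0))
```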
Re: Is there a line of defense against Distributed Reflective attacks?
What kinds of mechanisms exist for keeping track of the origins of something of this nature? Normally that's not very productive as they are mostly owned boxes that will be rebuilt and reowned in days :( We could automate the tracing process, like *57 customer initiated trace on the telephone network ($5 per use). But then what? You can track the sources as quickly as you can, but part of the question becomes how long and how many sources do you keep blocked once you have tracked them. Is it one strike and you're out forever? If 80% of the attacks are not spoofed, why not create yet another RBL and keep adding more and more addresses? If you remove the filter after the attack stops, it will just come back or they'll choose a different victim. Do we need the equivalent of a dog bite law for computers? If your computer attacks another computer, the owner is responsible. File a police report, and the ISP will give the results of the *57 trace to the local police. The police can then put down the rabid computer, permanently.
Re: Is there a line of defense against Distributed Reflective attacks?
On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue wrote: Having researched this in-depth after reading a rather cursory article on the topic (http://grc.com/dos/drdos.htm), only two main methods come to my mind to protect against it. There are a few more methods; some have already been mentioned, including something called pushback. Very few solutions, particularly elegant ones, are widely deployed today. At some point, sophisticated (or even not so sophisticated) DoS attacks can be hard to distinguish from valid traffic, particularly if widely distributed and traffic is as valid looking as any other bit of traffic. By way of quick review, such an attack is carried out by forging the source address of the target host and sending large quantities of packets toward a high-bandwidth middleman or several such. It doesn't have to be forged, that step just makes it harder to trace back to the original source. There are some solutions that try to deal with this, including an IETF working group called itrace. UUNET also developed something called CenterTrack. BBN has something called Source Path Isolation Engine (SPIE). There are probably other things I'm forgetting, but generally they are similar in concept to these. To my knowledge the network encompassing the target host is largely unable to protect itself other than 'poisoning' the route to the host in question. This succeeds in minimizing the impact of such an attack on This is true, the survivability of the victim largely depends on the security of everyone else, which makes solving the problem so exceptionally difficult. the network itself, but also achieves the end of removing the target host from the Internet entirely. Additionally, if the targeted host is a router, little if anything can be done to stop that network from going down.
I'm not sure I fully understand what you're saying here, but a router can effectively be taken out of service as any other end host or network can by simply overwhelming it with packets to process (for itself or to be forwarded). One method that comes to mind that can slow the incoming traffic in a more distributed way is ECN (explicit congestion notification), but it doesn't seem as though the implementation of ECN is a priority for many small or large networks (correct me if I'm wrong on this point). If ECN ECN cannot be an effective solution unless you trust all edge hosts, including the attacking hosts, will use it. Since it is a mechanism that is used to signal transmitting hosts to slow down, attackers can choose not to implement ECN or ignore ECN signals. Unless you could control all the end hosts, and as long as there is intelligence in the end hosts a user could modify, this won't help. is a practical solution to an attack of this kind, what prevents its implementation? Lack of awareness, or other? It is still fairly new and not widely deployed. Routers need not only to support it, but also have to be enabled to use it. It is a fairly significant change to the way congestion control is currently done in the Internet and it will take some time before penetration occurs. Also, are there other methods of protecting a targeted network from losing functionality during such an attack? Many are reactive, often because you can't know what a DoS is until it's happening. In that case, providers can use BGP advertisements to blackhole hosts or networks (though that can essentially finish the job the attacker started). If attacks target a DNS name, the end hosts can change their IP address (though DNS servers may still get pounded).
If anything unique about the attack traffic can be determined, filters or rate limits can be placed as close to the sources as possible to block it (and that fails as attack traffic becomes increasingly dispersed and identical to valid traffic). If more capacity than attack traffic uses can be obtained, the attack could be ignored or mitigated (but this might be expensive and impractical). If the sources can be tracked, perhaps they can be stopped (but large numbers of sources make this a scaling issue and sometimes not all responsible parties are as cooperative or friendly as you might like). There is also the threat of legal response, which could encourage networks and hosts to stop and prevent attacks in the future (this could have negative impacts for the openness of the net and potentially be difficult to enforce when multiple jurisdictions are involved). From a proactive approach, hosts could be secured to prevent an outsider from using them for attack. The sorry state of system security doesn't seem to be getting better and even if we had perfect end system security, an attacker could still use their own system(s) to launch attacks. Eventually it all boils down to a physical security problem. Pricing models can be used to make it expensive to send attack traffic. How to do the billing and who to bill might not be so easy. ...and there may
Re: Is there a line of defense against Distributed Reflective attacks?
Do we need the equivalent of a dog bite law for computers? If your computer attacks another computer, the owner is responsible. File a police report, and the ISP will give the results of the *57 trace to the local police. The police can then put down the rabid computer, permanently. Good in theory... in practice police have more important things to do. Like catching pot smokers. --vadim
Re: Is there a line of defense against Distributed Reflective attacks?
Vadim Antonov wrote: Caution this won't program a router: The police can then put down the rabid computer, permanently. Good in theory... in practice police have more important things to do. Like catching pot smokers. Not -=too=- much problem soon, thanks to the USA Patriot act. In conjunction with the new Mother^^HomeLand Security design, The DEA will be considered part of the HomeLand Security team. This means they will have access to all the extra-constitutional monitoring/invasion of privacy activity that we deploy against citizens^terrorists for National Defense, in such Patriotic programs as CoinTelPro. I.E.: Tap your phone, monitor your email/internet activity, sneak and peek into your house, access your financial transactions, (bank and credit card), access your doctor's files, question your lawyer, arrest you without Miranda, incarcerate you indefinitely without a phone call, or a trial, and finally and best of all, the brand new Torture a confession information gathering methods... (See: Chavez v Martinez ) all without a -=warrant=-. (I hear probable cause has actually been -stretched- to include politically active people. It seems such people -change- the laws, and government, hence are a matter of National Security. So, therefore, being a Democrat now qualifies you for CoinTelPro, just like Nixon originally decided in Watergate.) After all, Homeland security will be sharing its data with every member of the Division, as part of its charter, and the Intelligence Agencies will be used to gather it, (-=against=- theirs). It's a matter of National Security, you know. Gotta Keep you safe from those Pot Smokers, after all! Why, We can't have Saddam Bin Laden hiding out in North Korea with Nuclear Plague devices, and doing doobs with an American Citizen.. plotting our Mass Destruction, Now can we ?! ;) PPS: Don't worry Citizen, the Executive Branch funded Churches will have plenty of -=other=- things for you to do, that are wholesome, and healthy.
Like egg tossing, and gunny sack races, in the Name of Jesus. - The Church Lady :P --vadim Only Criminals don't want to be monitored - Nazi Youth Slogan. http://www.aclu.org http://www.whitehouse.org
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003, Vadim Antonov wrote: Do we need the equivalent of a dog bite law for computers? If your computer attacks another computer, the owner is responsible. File a police report, and the ISP will give the results of the *57 trace to the local police. The police can then put down the rabid computer, permanently. Good in theory... in practice police have more important things to do. Like catching pot smokers. HAHAHAHA :) Very funny. Seriously though, police can't remove access to the system for individuals simply because they didn't turn off whatever MS thing turns on port 445 by default... This gets back to the drivers' license for internet access/computer use. A nice idea, not practical and not enforceable :( And... not the solution to most of the problems. Keep in mind that a majority of the attacks are NOT against 'high profile' sites/customers... so many times a null route is a perfectly acceptable solution.
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow mooed: has something called Source Path Isolation Engine (SPIE). There This would be cool to see a design/whitepaper for.. Kelly? The long version of the SPIE paper is at: http://nms.lcs.mit.edu/~snoeren/papers/spie-ton.html The two second summary that I'll probably botch: SPIE keeps a (very tiny) hash of each packet that the router sees. If you get an attack packet, you can hand it to the router and ask From where did this come? And then do so to the next router, and so on. The beauty of the scheme is that you can use it to trace single-packet DoS or security attacks as well as flooding attacks. The downside is that it's hardware. -Dave -- work: [EMAIL PROTECTED] me: [EMAIL PROTECTED] MIT Laboratory for Computer Science http://www.angio.net/ I do not accept unsolicited commercial email. Do not spam me.
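A small simulation of the hash-based traceback Dave summarizes above, added here as an illustration and not the SPIE authors' code: each router keeps only a compact digest of the packets it forwarded, and the victim's router, then each upstream neighbour in turn, is asked whether it saw the one attack packet. The topology, traffic, Bloom-filter digest and SHA-256 index layout are constructed assumptions; the last function also reproduces the limitation Steve raises earlier in the thread, that a digest which has filled up answers yes to everything and the trace becomes useless.

```python
"""SPIE-style single-packet traceback over per-router packet digests (added example).

Constructed topology and traffic; Bloom filter and SHA-256 index layout are
assumptions for the demo, not the SPIE hardware design.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int      # IP identification field
    payload: bytes

    def invariant_bytes(self) -> bytes:
        # Digest only what does not change hop to hop (no TTL, no checksum).
        # SPIE hashes a packet prefix; here: header fields plus 8 payload bytes.
        return f"{self.src}|{self.dst}|{self.ident}|".encode() + self.payload[:8]


class Bloom:
    """Fixed-size bit array with k index positions per item: the packet digest."""

    def __init__(self, m_bits: int, k: int) -> None:
        self.m, self.k, self.bits, self.count = m_bits, k, 0, 0

    def _positions(self, data: bytes):
        h = hashlib.sha256(data).digest()
        for i in range(self.k):  # k independent 32-bit slices of one SHA-256
            yield int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m

    def add(self, data: bytes) -> None:
        for p in self._positions(data):
            self.bits |= 1 << p
        self.count += 1

    def may_contain(self, data: bytes) -> bool:
        return all(self.bits >> p & 1 for p in self._positions(data))

    def fill_ratio(self) -> float:
        return bin(self.bits).count("1") / self.m


class Router:
    def __init__(self, name: str, m_bits: int = 4096, k: int = 3) -> None:
        self.name, self.digest, self.upstream = name, Bloom(m_bits, k), []

    def forward(self, pkt: Packet) -> None:
        self.digest.add(pkt.invariant_bytes())  # record a digest, not the packet

    def saw(self, pkt: Packet) -> bool:
        return self.digest.may_contain(pkt.invariant_bytes())


def send(path: list, pkt: Packet) -> None:
    """Deliver `pkt` along `path` (attacker side first); every router digests it."""
    for r in path:
        r.forward(pkt)


def traceback(victim_router: Router, pkt: Packet) -> list:
    """Walk upstream from the victim, following every router whose digest claims `pkt`.

    Returns router names in visit order. A saturated digest answers yes to any
    packet, so the walk then branches into unrelated routers and the result is
    no longer a single path.
    """
    visited, order = set(), []

    def walk(r: Router) -> None:
        visited.add(r.name)
        order.append(r.name)
        for up in r.upstream:
            if up.name not in visited and up.saw(pkt):
                walk(up)

    walk(victim_router)
    return order


def build_scenario():
    """Constructed topology: attacker behind R3 -> R2 -> R1 -> victim; R4/R5 carry other traffic."""
    r1, r2, r3, r4, r5 = (Router(n) for n in ("R1", "R2", "R3", "R4", "R5"))
    r1.upstream = [r2, r5]
    r2.upstream = [r3, r4]
    attack = Packet("198.51.100.9", "203.0.113.5", 4242, b"\x00" * 40)  # constructed
    send([r3, r2, r1], attack)
    for i in range(10):  # background flows so the other digests are not empty
        send([r4, r2, r1], Packet("198.51.100.50", "203.0.113.20", i, b"bg"))
        send([r5, r1], Packet("198.51.100.60", "203.0.113.21", i, b"bg"))
    return r1, attack, r4


def saturate(r: Router, n_packets: int = 20000) -> float:
    """Overfill a router's digest (the 'hash table fills up' case); returns the fill ratio."""
    for i in range(n_packets):
        r.forward(Packet("192.0.2.1", "192.0.2.2", i, b"junk"))
    return r.digest.fill_ratio()
```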
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003, David G. Andersen wrote: On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow mooed: has something called Source Path Isolation Engine (SPIE). There This would be cool to see a design/whitepaper for.. Kelly? The long version of the SPIE paper is at: http://nms.lcs.mit.edu/~snoeren/papers/spie-ton.html The two second summary that I'll probably botch: SPIE keeps a (very tiny) hash of each packet that the router sees. If you get an attack packet, you can hand it to the router and ask From where did this come? And then do so to the next router, and so on. The beauty of the scheme is that you can use it to trace single-packet DoS or security attacks as well as flooding attacks. The downside is that it's hardware. This sounds like Steve Bellovin's thing called 'icmp traceback' where you make up a new icmp type message and send that query through the system, hop by hop... though I say that after only reading your blurb, not the paper :) As I recall the icmp thing (that might NOT have been all steve, I just heard him present it once) was a problem from a memory and processing perspective, not to mention 'no router does this today' so it's a 3-year-off feature addition... never mind the protocol additions :)
Re: Is there a line of defense against Distributed Reflective attacks?
I guess the question of all this is maybe... what could be done, perhaps, to minimize the impact of DoS attacks pointed at a victim host? Getting everyone to take security more seriously is most likely never going to happen.. :( -hc On Fri, 17 Jan 2003, Clayton Fiske wrote: On Fri, Jan 17, 2003 at 06:38:08PM +, Christopher L. Morrow wrote: On Fri, 17 Jan 2003, John Kristoff wrote: impractical). If the sources can be tracked, perhaps they can be stopped (but large numbers of sources make this a scaling issue and sometimes not all responsible parties are as cooperative or friendly as you might like). There is also the threat of legal response, which could encourage networks and hosts to stop and prevent attacks in the Legal response to the kiddies has never shown a marked improvement in their behaviour. Much like the death penalty... it's just not a deterrent, perhaps because it's not enforced on a more regular basis, perhaps because no one thinks about that before they attack. I think John was more referring to legal action against networks and hosts used in the attack. Without getting too much into the likelihood of any legal body actually understanding anyone's role in an attack besides the attacker and the victim, in this land where tobacco companies are sued by smokers who get lung cancer and fast food restaurants are sued by fat people there must be room for such cases as: XYZ Corp cost me $5mil in lost business. They were negligent in securing their (network|host) from being used as a DoS attack tool despite being informed of such by us both before and during said attack. Perhaps this would cause companies to take security more seriously? Have there been any such cases to date? Did they win? -c
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003 18:38:08 + (GMT) Christopher L. Morrow [EMAIL PROTECTED] wrote: has something called Source Path Isolation Engine (SPIE). There This would be cool to see a design/whitepaper for.. Kelly? In addition to David's link: http://www.ir.bbn.com/projects/SPIE/ mentioned, which penalize or limit high rate flows are not widely deployed yet. (see above, is this what you really want?) I happen to like the idea of using something like a RED queue that can more aggressively drop traffic that is 'out of profile' in times of congestion. Like most things, this probably really works best at the edges of the network, but my gut feeling is that it can be a relatively fair and elegant approach. However, it doesn't really solve the DoS problem, it is really trying to just solve a congestion problem, but it may have some nice side effects. For example, I'm planning on trying out some new features from our border router vendor, where we set a more aggressive RED drop profile per source IP within our netblock where the source exceeds a configured transmission rate. The basic idea being to get the high load offering sources to slow down in times of high usage/congestion. Hopefully they use TCP, but if not, perhaps drop even more aggressively? If the capacity is there, high load sources get through. So, this doesn't stop attacks, but tries to keep some valid data flowing through a limited egress pipe or in other words, try to provide some fairness between multiple sources in times of high load. Of course, if everyone hits the ENTER key at the same time this doesn't work, but hopefully statistical multiplexing is working as well as it always has for us. John
Re: Is there a line of defense against Distributed Reflective attacks?
> > Getting everyone to take security more seriously is most likely never going to happen.. :(
>
> If this is the case then we are screwed... I hope it's not the case, I hope that the customer service folks at ISP/NSP's and NOC and Engineering folks all keep this in their minds and push their upper management to start doing the right thing. It really doesn't cost that much, and it's certainly cheaper than the cost of outages or lost revenue when your business is DoS'd, eh?

When the insurance companies get involved and charge a larger premium to corporations not implementing reasonable security policies and procedures then the situation will improve. Time and time again I have seen corporations do nothing about a problem (physical safety, physical security, network security) until it hurts the bottom line.

Also, a large profile (e.g. in the mainstream media) network security incident against a large corporation would again bring attention to the problem. I think that if a network security incident had brought Enron to its knees, rather than questionable accounting, people would be taking more notice of the problem.

- Michael Hogsett
FW: Re: Is there a line of defense against Distributed Reflective attacks?
-----Original Message-----
From: Stewart, William C (Bill), RTLSL
Sent: Friday, January 17, 2003 5:35 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Is there a line of defense against Distributed Reflective attacks?

Many of these attacks can be mitigated by ISPs that do anti-spoofing filtering on input - only accepting packets from user ports that have IP addresses that are registered for that port, and not accepting incoming packets from outside their network that claim to be from inside (except maybe from registered dual-homed hosts.) This cuts down on many opportunities for forgery, and means that SYN Flood attacks have a much more limited set of addresses they can forge (e.g. an attacker or zombie can only impersonate other ips sharing its /24 or /29, so it can't pretend to be its victim in a reflection or smurf attack.)

That doesn't stop all reflection attacks; a zombie on a network that doesn't do anti-spoofing can send SYNs to a big server on a network that also doesn't anti-spoof, so the server will still SYN-ACK to the victim. This cuts out a lot of potential zombie/server pairs. If the server that's being used for reflection is someone the victim would often talk to, that's a problem (you'd rather not block connections to Yahoo), but if it's someone the victim doesn't care about talking to (like router23.example.net) you don't mind blocking it. (Also, why is router23.example.net SYNACKing somebody it doesn't know?) But there are probably 20 million web servers or Kazaa or IM clients out there, and probably half of them are on networks that don't spoof-proof, so blocking those is much tougher than blocking the big ones.

And next stop - reflection attacks using big domain servers...
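Bill's distinction between reflectors the victim never talks to (block them at the border) and reflectors the victim has real sessions with (don't), as an added victim-side check. This is not code from the thread or from any product: it keeps the 4-tuples of the SYNs the site sent out, treats every inbound SYN-ACK that answers none of them as reflected, and separates reflectors with no legitimate session from those the site is actually talking to. The address block, the flow records and the threshold are constructed.

```python
"""Flag reflectors by unsolicited SYN-ACKs seen at the victim's border."""
from collections import defaultdict

# Constructed flow records: direction, src:port > dst:port, TCP flags.
# 192.0.2.10 is the (constructed) victim host.
SAMPLE_RECORDS = """\
out 192.0.2.10:40000 > 198.51.100.20:80 S
in  198.51.100.20:80 > 192.0.2.10:40000 SA
in  203.0.113.5:80 > 192.0.2.10:1024 SA
in  203.0.113.5:80 > 192.0.2.10:1025 SA
in  203.0.113.5:80 > 192.0.2.10:1026 SA
in  203.0.113.5:80 > 192.0.2.10:1027 SA
in  203.0.113.6:22 > 192.0.2.10:1028 SA
in  198.51.100.20:80 > 192.0.2.10:2001 SA
in  198.51.100.20:80 > 192.0.2.10:2002 SA
in  198.51.100.20:80 > 192.0.2.10:2003 SA
"""


def parse_record(line):
    """'in 203.0.113.5:80 > 192.0.2.10:1024 SA' -> dict of fields."""
    direction, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"dir": direction, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "flags": flags}


def classify_synacks(records, threshold=3):
    """Returns (blockable, needs_care): reflector -> unsolicited SYN-ACK count.

    blockable  : reflectors above threshold with which the site has no session
                 (Bill's router23.example.net case).
    needs_care : reflectors above threshold that also answered a real SYN
                 (Bill's "you'd rather not block Yahoo" case).
    """
    pending = set()                 # (local ip, local port, remote ip, remote port) of our SYNs
    unsolicited = defaultdict(int)  # reflector ip -> SYN-ACKs that answered nothing
    known_peers = set()             # reflector ips that answered one of our SYNs
    for r in records:
        if r["dir"] == "out" and r["flags"] == "S":
            pending.add((r["src"], r["sport"], r["dst"], r["dport"]))
        elif r["dir"] == "in" and r["flags"] == "SA":
            key = (r["dst"], r["dport"], r["src"], r["sport"])
            if key in pending:
                pending.discard(key)
                known_peers.add(r["src"])
            else:
                unsolicited[r["src"]] += 1
    blockable = {ip: n for ip, n in unsolicited.items()
                 if n >= threshold and ip not in known_peers}
    needs_care = {ip: n for ip, n in unsolicited.items()
                  if n >= threshold and ip in known_peers}
    return blockable, needs_care


def run_sample():
    records = [parse_record(line) for line in SAMPLE_RECORDS.splitlines()]
    return classify_synacks(records)


if __name__ == "__main__":
    blockable, needs_care = run_sample()
    print("candidate border filters:", blockable)
    print("reflectors we also talk to:", needs_care)
```

A production version would age entries out of `pending` and key on time windows, and the output is only a candidate list for the operator, since blocking inbound SYN-ACKs from a reflector also cuts any new connection the site opens to it. None of this touches the root cause; that stays with ingress filtering on the zombie's network.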
Re: Is there a line of defense against Distributed Reflective attacks?
On Thu, 16 Jan 2003, Brad Laue wrote:

> Having researched this in-depth after reading a rather cursory article on the topic (http://grc.com/dos/drdos.htm), only two main methods come to my mind to protect against it.
>
> By way of quick review, such an attack is carried out by forging the source address of the target host and sending large quantities of packets toward a high-bandwidth middleman or several such. To my knowledge the network encompassing the target host is largely unable to protect itself other than 'poisoning' the route to the host in question. This succeeds in minimizing the impact of such an attack on the network itself, but also achieves the end of removing the target host from the Internet entirely. Additionally, if the targeted host is a router, little if anything can be done to stop that network from going down.
>
> One method that comes to mind that can slow the incoming traffic in a more distributed way is ECN (explicit congestion notification), but it doesn't seem as though the implementation of ECN is a priority for many small or large networks (correct me if I'm wrong on this point). If ECN is a practical solution to an attack of this kind, what prevents its implementation? Lack of awareness, or other?

Doesn't ECN depend on 'well behaved' traffic? In other words, wouldn't it require the hosts sending traffic to slow down? So... even if the hosts slowed down, 10,000 hosts still is a high traffic rate at the end point. :(

> Also, are there other methods of protecting a targeted network from losing functionality during such an attack?
>
> Insights welcome.
>
> Brad
>
> --
> // -- http://www.BRAD-X.com/ -- //
Re: Is there a line of defense against Distributed Reflective attacks?
> Because syn cookies are available on routing gear??? Either way syn cookies are not going to keep the device from sending a 'syn-ack' to the 'originating host'.

True.. At least it will have some stop in the amount of attacks. It is quite unfortunate that it is impossible to control the 'ingress' point of attack flow. Whenever there is a DoS attack, the only way to drop it is to null route it (the method you have devised) over BGP peering, but that knocks the victim host off the 'net... :-(

-hc
Re: Is there a line of defense against Distributed Reflective attacks?
On Thu, 16 Jan 2003, hc wrote:

> > Because syn cookies are available on routing gear??? Either way syn cookies are not going to keep the device from sending a 'syn-ack' to the 'originating host'.
>
> True.. At least it will have some stop in the amount of attacks. It is quite unfortunate that it is impossible to control the 'ingress' point of attack flow. Whenever there is a DoS attack, the only way to drop it is to null route it (the method you have devised) over BGP peering, but that knocks the victim host off the 'net... :-(

Sure, but this like all other attacks of this sort can be tracked... and so the pain is over /quickly/ provided you can track it quickly :) Also, sometimes null routes are ok.
Re: Is there a line of defense against Distributed Reflective attacks?
> Normally that's not very productive as they are mostly owned boxes that will be rebuilt and reowned in days :(

I agree, keeping track of the attacks would not be very useful nor helpful. I bet if more ISP's would implement egress filtering on their border routers, it'd help quite a bit. Of course, egress filters don't solve the issue. But considering most script kiddies' intelligence level is limited, it will help at least a bit. :-) The problem with egress filtering is that it's mostly applicable at the end tier2+ level, not at the backbones, which means a lot of ISP's who are oblivious on what it is (or some cases where egress filter breaks their network setup).

-hc
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003 04:29:07 GMT, Christopher L. Morrow said:

> > How quickly is quickly? Often times as has been my recent experience (part of my motivation for posting this thread) the flood is over before one can get a human being on the phone.
>
> Once the call arrives and the problem is deduced it can be tracked in a matter of minutes, like 6-10 at the fastest...

Yes, but *YOUR* crew has a reputation for having a clue. I'm willing to bet that "once the call arrives" is a challenge for a lot of smaller ISPs that don't even *HAVE* a security team, and "the problem is deduced" is a challenge for the ones that have a team that don't have a clue. We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been DDoS'ed for 36 hours"

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: Is there a line of defense against Distributed Reflective attacks?
> Good point. I suppose another basic but effective method of prevention would be egress filtering. An increasing minority of network providers are instituting it, but it doesn't seem like it will be a widespread thing in the near-term.

Yes, but egress filtering is only effective by far. Anyone can forge the source to an IP address that belongs to one of the /16's a provider advertises. It will help of course, but really not The solution... Or is there one?

-hc
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003 [EMAIL PROTECTED] wrote:

> On Fri, 17 Jan 2003 04:29:07 GMT, Christopher L. Morrow said:
> > > How quickly is quickly? Often times as has been my recent experience (part of my motivation for posting this thread) the flood is over before one can get a human being on the phone.
> >
> > Once the call arrives and the problem is deduced it can be tracked in a matter of minutes, like 6-10 at the fastest...
>
> Yes, but *YOUR* crew has a reputation for having a clue. I'm willing to

We appreciate the kind words :)

> bet that "once the call arrives" is a challenge for a lot of smaller ISPs that don't even *HAVE* a security team, and "the problem is deduced" is a challenge for the ones that have a team that don't have a clue.

This gets down to something I've harped on for a while now... if you drive a car you must have a license and pass a test. If you run a network on the internet you really should have 24/7 security clued person(s) available to stop/track/mitigate security issues.

> We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been DDoS'ed for 36 hours"

Yup, and it's a shame that that is the case :( Perhaps they should become UUNET customers and then they can just call us? :) People move for cheap bandwidth a lot, I wonder how the value proposition works out when you are down and paying SLA's to your customers due to a hosted dalnet server getting attacked for 36 hours?
Re: Is there a line of defense against Distributed Reflective attacks?
My previous experience with UUNET security team was excellent dealing with DoS. I am not here to point fingers, but my DoS-response experience with various Tier-2/3 level ISP's was like talking to some K-12 teacher who barely knows what the internet is. It really takes hours to get through and reach a competent engineer on the phone. And that's the major frustration of a LOT of customers getting DoSed/DDoSed/DrDoSed off the planet every day.

-hc

[EMAIL PROTECTED] wrote:

> On Fri, 17 Jan 2003 04:29:07 GMT, "Christopher L. Morrow" said:
> > > How quickly is quickly? Often times as has been my recent experience (part of my motivation for posting this thread) the flood is over before one can get a human being on the phone.
> >
> > Once the call arrives and the problem is deduced it can be tracked in a matter of minutes, like 6-10 at the fastest...
>
> Yes, but *YOUR* crew has a reputation for having a clue. I'm willing to bet that "once the call arrives" is a challenge for a lot of smaller ISPs that don't even *HAVE* a security team, and "the problem is deduced" is a challenge for the ones that have a team that don't have a clue. We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been DDoS'ed for 36 hours"
Re: Is there a line of defense against Distributed Reflective attacks?
On Thu, 16 Jan 2003, hc wrote:

> > Normally that's not very productive as they are mostly owned boxes that will be rebuilt and reowned in days :(
>
> I agree, keeping track of the attacks would not be very useful nor helpful. I bet if more ISP's would implement egress filtering on their border routers, it'd help quite a bit. Of course, egress filters don't solve the issue. But considering most script kiddies' intelligence level

Egress filters are a distraction... today you don't have to spoof. These are the red herring of 'security'. THOUGH, all that said, having all networks, CUSTOMER NETWORKS, filtered as close to end systems as possible would be a nice thing :) As Rob Thomas points out 80% (or some huge number) of attacks are spoofed source attacks. Every leaf network should be able to do the minimum urpf strict on all ether or gig links... that way you don't even have to take the hit of an acl to process the inbound traffic :) This is most definitely best done as close to the end machines as possible though, the traffic loads there are just much more manageable... and it reduces the possible spoofage to the lowest limit possible.

> is limited, it will help at least a bit. :-) The problem with egress filtering is that it's mostly applicable at the end tier2+ level, not at the backbones, which means a lot of ISP's who are oblivious on what it is (or some cases where egress filter breaks their network setup).

Hmm, but the smaller the network the easier to filter it is... right?
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003, hc wrote:

> > Good point. I suppose another basic but effective method of prevention would be egress filtering. An increasing minority of network providers are instituting it, but it doesn't seem like it will be a widespread thing in the near-term.
>
> Yes, but egress filtering is only effective by far. Anyone can forge the source to an IP address that belongs to one of the /16's a provider advertises.

filter close to the end host, this limits (mostly) to the local /24 or /25 or /2(5)...

> It will help of course, but really not The solution... Or is there one?

haha, there isn't one :( since even with no spoofing you can muster an army of 100,000 IIS servers still scanning for nimda :(
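The anti-spoofing check that runs through this part of the thread (Bill's "only accept packets from user ports with addresses registered for that port, and don't accept outside packets claiming to be inside", Chris's "urpf strict on all ether or gig links", and the /16 versus /24 argument between hc and Chris), as an added worked example. This is not code from the thread or from any router vendor: a longest-prefix FIB lookup, the strict-mode reverse-path check (accept only if the best route back to the source uses the interface the packet arrived on), and a count of how many source addresses a host on a given port could still forge once the check is in place. The FIB and the interface names are constructed.

```python
"""Strict uRPF / ingress anti-spoofing check on a constructed leaf router."""
import ipaddress

# Constructed FIB: customer prefixes on access ports, default route to upstream.
FIB = [
    ("192.0.2.0/24",    "ge-0/0/1"),   # customer A
    ("192.0.2.128/25",  "ge-0/0/2"),   # customer B: a more specific carved out of A's block
    ("198.51.100.0/24", "ge-0/0/3"),   # customer C
    ("0.0.0.0/0",       "xe-1/0/0"),   # default route towards the upstream
]


def build_fib(entries):
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in entries]


def lookup(fib, addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, ifname in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_strict(fib, src, ingress_if):
    """Strict mode: accept only if the route back to src points out ingress_if."""
    return lookup(fib, src) == ingress_if


def spoofable_addresses(fib, ingress_if):
    """Number of distinct source addresses that pass the strict check on ingress_if.

    Enumerates every address of the non-default prefixes, which is fine for the
    small constructed FIB above but not for a real table.
    """
    seen = set()
    for net, _ in fib:
        if net.prefixlen == 0:
            continue
        for host in net:
            if host not in seen and lookup(fib, host) == ingress_if:
                seen.add(host)
    return len(seen)


if __name__ == "__main__":
    fib = build_fib(FIB)
    checks = [
        ("192.0.2.5",   "ge-0/0/1"),  # customer A using its own address: accept
        ("192.0.2.200", "ge-0/0/1"),  # customer A forging a neighbour's address: drop
        ("203.0.113.9", "ge-0/0/1"),  # customer A forging an address from outside: drop
        ("192.0.2.5",   "xe-1/0/0"),  # packet from the upstream claiming to be a customer: drop
        ("203.0.113.9", "xe-1/0/0"),  # ordinary inbound traffic from the internet: accept
    ]
    for src, ifname in checks:
        verdict = "accept" if urpf_strict(fib, src, ifname) else "drop"
        print(f"{src:14s} on {ifname}: {verdict}")
    for ifname in ("ge-0/0/1", "ge-0/0/2", "ge-0/0/3"):
        print(f"{ifname}: {spoofable_addresses(fib, ifname)} forgeable source addresses")
```

Two things the numbers make concrete. On the customer ports the forgeable space is the customer's own prefix (128 or 256 addresses here), which is Chris's "/24 or /25" against hc's "/16 the provider advertises"; the same check on the upstream-facing port, where the default route lives, is exactly Bill's rule of refusing outside packets that claim an inside source. The caveat Bill flags with "except maybe registered dual-homed hosts" is also visible: strict mode assumes symmetric routing, so a multihomed customer whose best return route is elsewhere needs loose mode or an explicit ACL instead.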
Re: Is there a line of defense against Distributed Reflective attacks?
According to hc [EMAIL PROTECTED]:

> Of course, egress filters don't solve the issue. But considering most script kiddies' intelligence level is limited, it will help at least a bit. :-) The problem with egress filtering is that it's mostly applicable at the end tier2+ level, not at the backbones, which means a lot of ISP's who are oblivious on what it is (or some cases where egress filter breaks their network setup).

On the subject of "help a bit", if service providers were to require, by default, either an egress filter (correctly configured) on the CPE router or an ingress filter on their own customer aggregation router it might do some good ...

Cheers.
-travis

> -hc
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003 00:03:56 EST, hc said:

> It will help of course, but really not The solution... Or is there one?

In this industry, anybody who advertises "The Solution" should automatically be considered a snake oil salesman. There's no One Great Answer, because there's more than one question. There's a LOT of things that would help:

Ingress filtering
Egress filtering
Clued incident response teams
Systems not shipped insecure by default.
etc etc etc.

You've heard them all, I've said them all, they all address parts of the problem. Nothing addresses all of it. Ingress/egress filtering would help in some cases of a DDoS packet flood. Ingress/egress filtering doesn't do squat when Nimda is on a burn.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: Is there a line of defense against Distributed Reflective attacks?
On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue mooed:

> By way of quick review, such an attack is carried out by forging the source address of the target host and sending large quantities of packets toward a high-bandwidth middleman or several such.
>
> One method that comes to mind that can slow the incoming traffic in a more distributed way is ECN (explicit congestion notification), but it doesn't seem as though the implementation of ECN is a priority for many

No. ECN is, first and foremost, an optimization for TCP so that it doesn't have to drop packets before cutting its rate back when there's congestion in the network. A zombie or malicious host would just ignore the ECN bit - and the attacks you're describing never reach the point where a host's flow control is involved. You might be thinking of source quench, but that's really not an option with today's networks.

Some other conventional alternatives have been discussed already (ingress/egress filtering, etc). Some less conventional options:

[Warning: Some researchy stuff ahead]

a) Mazu and Arbor provide products that can detect and optionally shape traffic to avoid DDoS attacks. Must be installed in-line to shape, and can't (AFAIK) shape at really really high line speeds. But for reasonable things like, maybe gigabit and under, I think they can provide pretty reasonable protection. Don't quote me for sure on the rates.

b) Ioannidis and Bellovin proposed a mechanism called Pushback for automatically establishing router-based rate limits to staunch packet flows during DoS attacks. [NDSS 2002, Implementing Pushback: Router-Based Defense Against DDoS Attacks]

c) I stole some ideas from a sigcomm paper this year (SOS: Secure Overlay Services) to propose a proactive DDoS resistance scheme I term Mayday. The basic idea is that you pick some secret attributes of your packets - destination port, destination address, etc. - and only allow packets with the right values through. You then tell that secret to someone like Akamai, and have them proxy all requests to you. Then you ask your upstream to proactively deny all packets without the magical values.

http://nms.lcs.mit.edu/papers/mayday-usits2003.html

It's a little weird, but I'd be willing to bet that one of the big overlay providers like Akamai could actually pull it off. The advantage of this approach is that you can implement it without fixing the whole world, unlike egress filters. The downside is that you need someone with lots of nodes.

I'd be interested in hearing folks' comments about the mayday paper, btw, since I have to babble about it at a conference in a month. ;-)

-Dave

--
work: [EMAIL PROTECTED]
me: [EMAIL PROTECTED]
MIT Laboratory for Computer Science
http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
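The Mayday arrangement Dave sketches in (c), as an added example. This is not code from the Mayday paper or from any overlay provider: the server and its overlay proxy share a key, derive a per-epoch authorized destination port from it, and the upstream filter admits to the server only packets that arrive from an overlay node on the current (or just-expired) port; clients never learn the port, they talk to the overlay, which re-addresses the packet. The HMAC-based port derivation, the use of the overlay source addresses as a second authenticator, the two-epoch grace window, and all addresses are assumptions made here, not details from the paper.

```python
"""Mayday-style proactive upstream filtering with a secret destination port."""
import hashlib
import hmac
from dataclasses import dataclass, replace

SERVER_IP = "192.0.2.80"                           # constructed: the protected server
OVERLAY_NODES = {"198.51.100.1", "198.51.100.2"}   # constructed: overlay node addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = "S"


def authorized_port(key: bytes, epoch: int) -> int:
    """Derive the epoch's secret destination port from the shared key (assumed scheme)."""
    mac = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return 1024 + int.from_bytes(mac[:2], "big") % (65536 - 1024)


class UpstreamFilter:
    """Provider-side rule: everything to the server without the magic values is denied."""

    def __init__(self, key: bytes, server_ip: str):
        self.key = key
        self.server_ip = server_ip

    def allowed_ports(self, epoch: int) -> set:
        # The previous epoch's port stays valid so a rotation does not cut live sessions.
        return {authorized_port(self.key, epoch), authorized_port(self.key, epoch - 1)}

    def accept(self, pkt: Packet, epoch: int) -> bool:
        if pkt.dst != self.server_ip:
            return True  # the rule only guards the protected address
        return pkt.src in OVERLAY_NODES and pkt.dport in self.allowed_ports(epoch)


class OverlayProxy:
    """An overlay node: terminates the client's connection and re-addresses it to the server."""

    def __init__(self, key: bytes, node_ip: str, server_ip: str):
        self.key, self.node_ip, self.server_ip = key, node_ip, server_ip

    def forward(self, client_pkt: Packet, epoch: int) -> Packet:
        return replace(client_pkt, src=self.node_ip, dst=self.server_ip,
                       dport=authorized_port(self.key, epoch))


def scenario(key: bytes = b"constructed-demo-key", epoch: int = 100) -> dict:
    """Filter verdicts for a proxied request, a direct flood and a reflected SYN-ACK."""
    flt = UpstreamFilter(key, SERVER_IP)
    proxy = OverlayProxy(key, "198.51.100.1", SERVER_IP)
    via_overlay = proxy.forward(Packet(src="203.0.113.7", dst="198.51.100.1", dport=80), epoch)
    direct_flood = Packet(src="203.0.113.7", dst=SERVER_IP, dport=80)
    reflected = Packet(src="198.51.100.200", dst=SERVER_IP, dport=1025, flags="SA")
    return {
        "via_overlay": flt.accept(via_overlay, epoch),
        "direct_flood": flt.accept(direct_flood, epoch),
        "reflected_synack": flt.accept(reflected, epoch),
        "stale_epoch": flt.accept(via_overlay, epoch + 1),    # one rotation later: still accepted
        "expired_epoch": flt.accept(via_overlay, epoch + 2),  # two rotations later: denied
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:18s} {'accept' if verdict else 'drop'}")
```

The reflected SYN-ACK and the direct flood are dropped upstream without the server's link ever seeing them, which is the point Dave makes about not needing to fix the whole world. The trade-off he names is also visible: the filter is only as strong as the secret, so the port has to rotate and the overlay nodes have to be trusted, and the whole scheme depends on having an overlay with enough nodes to absorb the client side.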
Re: Is there a line of defense against Distributed Reflective attacks?
At 12:00 AM 17-01-03 -0500, [EMAIL PROTECTED] wrote:

nsp-security now has 277 members and gets many of these warnings and alerts. For further details: http://puck.nether.net/mailman/listinfo/nsp-security

-Hank

> We see a *LOT* of postings here "anybody know a clueful at XYZ, we've been DDoS'ed for 36 hours"
>
> --
> Valdis Kletnieks
Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, Jan 17, 2003 at 01:11:14AM -0500, David G. Andersen mooed:

> b) Ioannidis and Bellovin proposed a mechanism called Pushback for automatically establishing router-based rate limits to staunch packet flows during DoS attacks. [NDSS 2002, Implementing Pushback: Router-Based Defense Against DDoS Attacks]

I should have been a bit more accurate here. The proposal for pushback is actually earlier than the implementation paper I cited above:

Controlling High Bandwidth Aggregates in the Network. Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. July, 2001.

and it also included an internet-draft: http://www.aciri.org/floyd/papers/draft-floyd-pushback-messages-00.txt

I believe that Steve Bellovin gave a talk about it at NANOG 21: http://www.research.att.com/~smb/talks/pushback-nanog.pdf

-Dave
(I'll learn not to send mail past midnight some day)

--
work: [EMAIL PROTECTED]
me: [EMAIL PROTECTED]
MIT Laboratory for Computer Science
http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.