Re: Government scrutiny is headed our way
- From: Karl Denninger
- Date: Tue Jun 16 16:50:35 1998
On Tue, Jun 16, 1998 at 12:58:12PM -0700, Curt Howland wrote:
> *You* may wish to make your life more convenient by bringing
> government force into your relationship with other network
> providers, why by what divine right do you get to impose your
> convenience on others by force?
Uh, I am imposing that same force on myself, if the "bad guys" are on my
network and someone needs help from us.
What I'm doing is asking for the government to start holding people
accountable for attractive nuisances, including vendors of equipment
who do nothing about traceability of this kind of attack.
> Just go ahead and filter the offenders. When their customers
> cannot reach your services, or their server customers get
> contacted by your customers about the policies of their ISP,
> either they will change their policies or they will lose
> It is MUCH more effective to guide business policies by the
> lure of money than by the gun. Each and every network service
> I have worked for has, once the benefits of cooperation were
> pointed out to them, changed their tune.
1. There is zero excuse for people allowing non-verified traffic in
from dial ports. Zero. It's a trivial filter to implement on any
RAS box on the market today, including some VERY old ones. If you
filter only to the level of what COULD be legal (ie: the pool
addresses on the device) that's good enough - it stops the spoofed
denial of service attacks. Further, there is no bandwidth or CPU
consumption argument on these connections which can be made.
This is pure LAZINESS and nothing more - period.
This also applies to the cable modem people, the ADSL people, etc.
The only thing in the way of doing this on dedicated lines is
reasonable automation (since people on dedicated lines might
have their own address space, etc).
MOST large ISPs do NO verification on inbound dial packet streams.
2. There is even less than zero excuse for a "fuck you" response from
a NOC when you call them with a denial of service issue. Yet this
is what we, all too often, get, along with a refusal to transfer to
a manager and in some cases, a refusal to give the employee's NAME!
The first thing these guys want is a customer ID; don't have one,
go straight to hell.
This happens ALL the time. In fact, it happens so often that it's
basically a waste of time to attempt to try to trace an active Smurf
today, because the big guys WILL stonewall you.
3. Many of these providers sell "burstable" circuits. They CHARGE
MORE to customers when they are abused as smurf amplifiers. Thus,
there is a hell of an incentive NOT to do anything about the problem,
as bits are bits when it comes to this issue. Now if you bitch
they'll remove the charge I'm sure, but how many people won't catch
it, especially on DS1s and frac T3s?
4. CISCO and other vendors have NOT stepped up to the plate with an
EASY protocol-based way to trace these things. The bottom line is
that the users haven't demanded it because it's a "not in my back
yard" type of problem, and the people whose back yard it IS in (and
who are spending the most money with CISCO and friends) are not
motivated to fix it.
5. It is the smaller provider and customer who gets hurt by this.
We can survive 99% of all smurf attempts without damage. Our T1
downstream customers? They're screwed. A T1-connected ISP?
They're screwed as well. We don't get flooded off the network
when it happens, which is why a "bounce at the border" strategy
works for us.
IT DOES NOT WORK FOR OUR CUSTOMERS, AS ONCE IT GETS TO THEM THE LINE
IS CONSUMED AND TOSSING THE TRAFFIC IS POINTLESS!
6. Since you need significant bandwidth to BE a good smurf amplifier,
guess who makes the "best" ones? Big ISPs' internal infrastructure
points, and fat-pipe (ie: DS3+) connected organizations. The DS1
connected guy is a poor smurf source, since you need a lot of them
in concert to hurt significant ISPs badly these days.
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
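The dial-port filter described in point 1 above, modelled as an added example that is not part of the original post or of any RAS product: each port knows which address pools "COULD be legal" on it, and optionally the single address assigned to the current session, and anything else is dropped. Pool, victim and amplifier addresses are constructed documentation-range values, and the per-session "strict" mode is an assumption beyond the pool-level check the post calls good enough.

```python
"""Ingress source-address validation for dial/RAS ports (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class RasPort:
    name: str
    pools: List[str]                  # pools that COULD be legal on this port
    assigned: Optional[str] = None    # address handed to the current session, if known
    dropped: List[dict] = field(default_factory=list)

    def source_is_legal(self, src: str, strict: bool = False) -> bool:
        addr = ip_address(src)
        # Strict mode: only the address actually assigned to this session.
        if strict and self.assigned is not None:
            return addr == ip_address(self.assigned)
        # Pool-level check: good enough to stop spoofed-source floods.
        return any(addr in ip_network(p) for p in self.pools)

    def filter_ingress(self, packets: List[dict], strict: bool = False) -> List[dict]:
        """Return packets allowed in; record the rest for the NOC's logs."""
        passed = []
        for pkt in packets:
            if self.source_is_legal(pkt["src"], strict):
                passed.append(pkt)
            else:
                self.dropped.append(pkt)
        return passed


# Constructed sample: one dial port whose pool is 192.0.2.0/25, with the
# session currently holding 192.0.2.17. The second and third packets carry
# a forged source (a would-be victim at 198.51.100.7, and another pool
# address) aimed at a directed-broadcast amplifier; both must be dropped.
PORT = RasPort("dial-port-7", ["192.0.2.0/25"], assigned="192.0.2.17")
SAMPLE = [
    {"src": "192.0.2.17",   "dst": "203.0.113.10",  "proto": "tcp"},
    {"src": "198.51.100.7", "dst": "203.0.113.255", "proto": "icmp-echo"},
    {"src": "192.0.2.40",   "dst": "203.0.113.255", "proto": "icmp-echo"},
]


def run_demo(strict: bool = False) -> dict:
    port = RasPort(PORT.name, PORT.pools, PORT.assigned)
    passed = port.filter_ingress(SAMPLE, strict)
    return {"passed": len(passed), "dropped": len(port.dropped)}


if __name__ == "__main__":
    print("pool-level:", run_demo(), "strict:", run_demo(strict=True))
```

With the pool-level check the packet from 192.0.2.40 still gets through (it is a legal pool address, just not this session's); only the strict per-session check catches it.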