North American Network Operators Group
Re: Government scrutiny is headed our way
- From: Alex P. Rudnev
- Date: Wed Jun 17 11:54:04 1998
> 1. Is the network provider "next in the chain" a large national
> concern in the United States?
> 2. If yes, don't bother wasting your time. You will be told one of:
> a) We don't know what you're talking about <click>
> b) We'll contact security (two hours later, after the attack
> is over and is no longer traceable, they call back)
> c) What's your customer number? Oh, you're not a customer?
> Sorry. <click>
Sometimes, they (quickly) filter out this attack. Though I did not hear
about any successful tracing.
> 3. If no, you will be told one of:
> a) We don't know how to trace that <click>
> b) The source address isn't ours, sorry, we can't help you
> I have yet to have *ONE* Smurf attack, even ones which go on for an hour
> or more, successfully traced back to the source. At some point in the
> chain before you get to the source you WILL get one of the above answers.
> This is why the government needs to get involved and *demand* that the
> ability exist via a *protocol* for people in a NOC to initiate and follow
> these traces automatically, without human intervention by the NOCs in the
> What I would love to see is:
> "trace-smurf <forged-victim-address> <amplifier-address>" <return>
Should you plan to have a distinct syntax for every kind of attack?
The main issue is to be able to trace PACKETS by the known SRC or DST
address and of the known type. It can be something like
- where the packets TCP,SYN,DST=xx.xx.xx.xx are coming from?
- where the packets ICMP,ECHO-REQUEST,SRC=xxx.xxx.xxx.xxx are
In both cases the SRC or DST address is YOUR OWN ADDRESS, and this allows you to
ask such questions (and prevents you from asking anything about MY
internal traffic, for example).
If you develop an anti-smurf system, you'll get a SMERF attack, and so on.
The most important security hole today is the possibility of forging
addresses, and this is complicated by those attacks where the forged
packets are not packets destined to you personally, but packets with a
forged SRC address (replaced with YOUR address).
If you can ask the global INTERNET: _this xxx.xxx.xxx.xxx is MY address;
where are the packets with this SRC or DST /of the known type/ coming
from_ - the task is solved, and any attack can be traced (and maybe
blocked in the same way) in 5 minutes.
> The trick is that you don't have to call anybody, and you can execute a
> trace in a few seconds to a minute tops.
> Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
> http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
> | NEW! Corporate ISDN Prices dropped by up to 50%!
> Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
> Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
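
The restriction described in the message above (a trace query is answered only when the SRC or DST address it names belongs to the asker), as an added example that is not part of the original post. The query syntax, the `OWNED_PREFIXES` table, the packet-type list and the function names are assumptions for illustration, and the requester is assumed to be already authenticated.

```python
import ipaddress

# Constructed sample data: prefixes each (already authenticated) requester owns.
OWNED_PREFIXES = {
    "noc-a": ["192.0.2.0/24"],
    "noc-b": ["198.51.100.0/24", "2001:db8:1::/48"],
}
# Packet types a query may name (hypothetical, minimal set).
KNOWN_TYPES = {"TCP": {"SYN", "RST"}, "ICMP": {"ECHO-REQUEST", "ECHO-REPLY"}}


def parse_query(text):
    """Parse 'PROTO,TYPE,SRC=addr' or 'PROTO,TYPE,DST=addr'."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 3:
        raise ValueError("expected PROTO,TYPE,SRC|DST=address")
    proto, ptype, selector = parts[0].upper(), parts[1].upper(), parts[2]
    if ptype not in KNOWN_TYPES.get(proto, ()):
        raise ValueError("unknown packet type")
    field, sep, addr = selector.partition("=")
    if not sep or field.upper() not in ("SRC", "DST"):
        raise ValueError("selector must be SRC=addr or DST=addr")
    # ip_address() accepts exactly one literal address and raises ValueError
    # otherwise, so wildcards and prefixes cannot be used to widen the query.
    return {"proto": proto, "type": ptype, "field": field.upper(),
            "addr": ipaddress.ip_address(addr.strip())}


def authorize_trace(requester, text):
    """Return the parsed query only if its address belongs to the requester."""
    query = parse_query(text)
    nets = [ipaddress.ip_network(p) for p in OWNED_PREFIXES.get(requester, [])]
    addr = query["addr"]
    if not any(addr.version == n.version and addr in n for n in nets):
        raise PermissionError("address is not in the requester's own prefixes")
    return query
```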