Posted by
ryuzaki0
on from the this-is-gonna-get-interesting dept.
ebresie writes "Here's an interesting article about a new technology that is being developed by the IETF. It's being called itrace. This is basically an ICMP Traceback Messages." There's a lot in this to think about.
Well, not every single packet, just every one out of 20,000. So in essence it only allows tracing of people sending thousands of packets. But then again, it's random so there is always that chance....
Re:Can't stand the name "Itrace"
by
ADRA
·
· Score: 1
The I stands for Inverse. Do some research, thank you.
-- Bye!
Comparison with other traceback ideas
by
Krellan
·
· Score: 1
--
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Cool. This research was mentioned here before.
by
Nygard
·
· Score: 2
I thought that the work sounded familiar. Stephen Savage, who was quoted in the article, has been seen here before.
I remember being very impressed as I read his paper. His key realization is that not every packet needs to be traced. With a large number of packets, only a tiny fraction need tracing information. Yet, the target of attacks (who is receiving 10^6 packets a day) can build an accurate picture. Brilliant.
-- "Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
This will help prevent things similar to the attack on kuro5hin.
I thought the attack on kuro5hin involved flooding the submission queue. Since submissions are presumably made using TCP connections, they can't be made using spoofed IP addresses, so itrace would not be helpful.
Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."
I seem to remember something about unreasonable search (and something else which I can't spell and isn't relevant to this point). Isn't that essentially a right to privacy?
Hello? This is the IETF, not the government. Itrace would only be implemented by people setting it up on routers they own or operate. Some people seem to be under the impression that because the government cannot infringe on their free speech or privacy, their ISP must let them do whatever they want.
Re:Goodbye anonymity - not exactly
by
Quietust
·
· Score: 1
Actually, it IS possible to IP spoof with TCP, though it's rather difficult to do anything. You basically send a TCP SYN to some site spoofed as coming from an IP that's not going to respond (and result in the connection being refused). You then assume the server is going to send a SYN/ACK, so you wait a bit and then send an ACK and poof, the connection is established. The only thing you can do from here is send information TO the system, since any information the system tries to send you will be sent into oblivion (a non-existent system), but this could easily be used to buffer overflow a system and either crash it OR prepare it for being hacked. Which is why these itrace packets might be useful for TCP as well as UDP/ICMP/any other IP-based protocols.
-- Sig (120 chars) -- Your friendly neighborhood mIRC scripter.
-- * Q
P.S. If you don't get this note, let me know and I'll write you another.
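The handshake described in this comment, as an added example that is not part of the original post. One detail the comment skips: the spoofed ACK has to acknowledge the server's initial sequence number plus one, and the attacker never sees the SYN/ACK that announces that number, so the blind spoof only works when the ISN can be predicted. The toy server below can run either way (a 64000-per-connection step is assumed for the predictable case, a random 32-bit value for the other); server, addresses and ports are made up.

```python
"""Added example: a toy model of the blind (spoofed-source) TCP handshake.
Not code from the original post; server, addresses and ports are made up."""
import random

ISN_STEP = 64000          # assumed per-connection ISN increment of the predictable server
MASK32 = 0xFFFFFFFF

class Server:
    """Minimal listener: remembers the ISN it chose per half-open SYN and
    only completes the handshake when the ACK acknowledges ISN + 1."""
    def __init__(self, predictable, seed=1):
        self.predictable = predictable
        self.rng = random.Random(seed)
        self.last_isn = 0x1000
        self.half_open = {}        # (src_ip, src_port) -> our ISN
        self.established = set()

    def _next_isn(self):
        if self.predictable:
            self.last_isn = (self.last_isn + ISN_STEP) & MASK32
        else:
            self.last_isn = self.rng.getrandbits(32)
        return self.last_isn

    def on_syn(self, src):
        """Returns the ISN carried in the SYN/ACK. The SYN/ACK is delivered
        to `src`, which is the point: a spoofing attacker never receives it."""
        isn = self._next_isn()
        self.half_open[src] = isn
        return isn

    def on_ack(self, src, ack_num):
        isn = self.half_open.pop(src, None)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False               # wrong guess: the connection never opens
        self.established.add(src)
        return True

def legit_connect(server, src=("192.0.2.66", 50000)):
    """Normal client: it sees the SYN/ACK, so it knows what to acknowledge."""
    isn = server.on_syn(src)
    return server.on_ack(src, (isn + 1) & MASK32)

def blind_spoof(server, spoofed_src=("10.9.9.9", 40000)):
    """Attacker at 192.0.2.66 pretending to be 10.9.9.9, a host assumed to be
    down so it never RSTs the unexpected SYN/ACK."""
    probe_isn = server.on_syn(("192.0.2.66", 50001))   # 1. learn the current ISN
    server.on_syn(spoofed_src)                          # 2. SYN/ACK goes to 10.9.9.9, unseen
    guess = (probe_isn + ISN_STEP) & MASK32             # 3. predict the ISN the server used
    return server.on_ack(spoofed_src, (guess + 1) & MASK32)

if __name__ == "__main__":
    print("predictable ISN:", blind_spoof(Server(predictable=True)))   # True
    print("random ISN:     ", blind_spoof(Server(predictable=False)))  # False
```

With the stepping server the probe gives away the next ISN and the one-way connection opens; with random ISNs the same guess fails, which is why randomised initial sequence numbers are the standard mitigation for this class of spoof.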
Well obviously... But that's impossible to defend against. You need to find the source of the DoS, and then contact them, and get them to find out how the attacker is using their box.
Re:One example where anonymity is really needed
by
Sly+Mongoose
·
· Score: 1
I completely agree that there are legitimate uses for anonymity. But I can't think of any legitimate reason for spoofing your IP address.
Maybe I'm just dense, but it looks to me like the Itrace proposal in no way compromises anonymity, but instead defeats (or tries to defeat) IP spoofing. And I can not see any good reason why this should be considered a bad thing.
3. Well, when the script kiddies use certain distributed flood tools, they initiate the DDoS attack by sending a few spoofed packets to the *infected* machines. Wouldn't it be interesting to trace the actual culprit as well, instead of just the victims?
-- In a society that believes in nothing, fear becomes the only agenda ~ Bill Durodié
First of all, if you read the article, only one in 20,000 packets directed towards a target gets logged. This is hardly every packet. Second, and probably more importantly, the cost of this upgrade in equipment and deployment is immense and is certainly not imminent. It stands to reason that companies with a lot to lose from a drawn out DoS attack would seek to protect their investments by adopting a technology that protects themselves. This type of protection is necessary if the fear of this type of attack is ever to be alleviated though. Perhaps a better alternative to tracing all the way back to the source might be the end station notifying routers along the routes it knows that this attack is taking place, and the routers could simply refuse to forward the packets from this source for a specified period of time. Think of it as a sort of anti-DoS protection that secures anonymity. Once again, this would be very costly to implement and is going to find much resistance from anyone who just bought that shiny new Cisco router. Perhaps an IOS upgrade could be done to achieve this without requiring new routers...
For all the people who whine about 'privacy'. There was never any guarantee on the internet that people couldn't trace where packets were coming from. The fact that IPv4 allows forged source addresses... well.. there was simply no need to check them.
Why would people have a problem with this? It means if you send spoofed packets, the routers along the way can *still* figure out where the hell it came from (instead of having an admin at each hop do the trace manually).
It's already in the specifications
by
AshPattern
·
· Score: 3
A friend and I were trying to figure out how to trace the DoS attacks ourselves, so I came up with an idea - why not use some of the unused space in an IP header to store the ip address of the edge router? With that system, the evil Cruft couldn't send a single packet without having a real ip attached to a geographic location.
We were going to write an RFC and become famous.
Then we found that it was already covered in an RFC, already in the IP protocol as the "Loose Source and Record Route."
Force router companies and ISPs to use that particular header option, and the whole accountability problem is solved while preserving anonymity.
Re:It's already in the specifications
by
Animats
·
· Score: 2
That was considered, but has the problem that an attacker can generate packets with phony route recording info already present, preventing the addition of new data.
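An added example, not from the original post, showing the problem Animats describes using the Record Route option layout from RFC 791: option type 7, a length byte, a pointer that starts at 4, and 4-byte address slots (at most nine, since the whole option has to fit in the 40 bytes of IP options). A forwarding router only writes its address when the pointer still points inside the option, so a sender that fills every slot in advance leaves nothing for the real path to be recorded in. The router addresses are made up.

```python
"""Added example: IPv4 Record Route option handling, following RFC 791.
Not code from the original thread; addresses are constructed."""
import struct
import ipaddress

IPOPT_RR = 7

def build_record_route(slots, prefilled=()):
    """Build an RR option with `slots` 4-byte address slots. `prefilled` is
    what the sender writes in before transmission; an honest sender leaves it
    empty, the attacker in the comment fills every slot."""
    if not 1 <= slots <= 9:                 # 3 + 4*9 = 39 bytes is the most that fits
        raise ValueError("slots must be 1..9")
    if len(prefilled) > slots:
        raise ValueError("more prefilled addresses than slots")
    length = 3 + 4 * slots
    body = b"".join(struct.pack("!I", int(ipaddress.IPv4Address(a))) for a in prefilled)
    body += b"\x00" * (4 * (slots - len(prefilled)))
    pointer = 4 + 4 * len(prefilled)        # RFC 791: pointer is 1-based, first slot is octet 4
    return bytes([IPOPT_RR, length, pointer]) + body

def router_record(option, my_addr):
    """Forwarding router: if a free slot remains, write my address and advance
    the pointer; if the area is full, forward the option unchanged."""
    typ, length, pointer = option[0], option[1], option[2]
    if typ != IPOPT_RR:
        raise ValueError("not a Record Route option")
    if pointer > length - 3:                # no room left (pointer past the end)
        return option, False
    off = pointer - 1                       # convert 1-based pointer to byte offset
    addr = struct.pack("!I", int(ipaddress.IPv4Address(my_addr)))
    new = option[:off] + addr + option[off + 4:]
    new = new[:2] + bytes([pointer + 4]) + new[3:]
    return new, True

def recorded_route(option):
    """Addresses the receiver reads back, whoever wrote them."""
    pointer = option[2]
    out = []
    for off in range(3, pointer - 1, 4):
        (n,) = struct.unpack("!I", option[off:off + 4])
        out.append(str(ipaddress.IPv4Address(n)))
    return out

def forward_along(option, path):
    """Run the option through a list of router addresses; return the final
    option and how many routers actually managed to record themselves."""
    added = 0
    for router in path:
        option, ok = router_record(option, router)
        added += ok
    return option, added

if __name__ == "__main__":
    path = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
    _, honest_added = forward_along(build_record_route(9), path)
    fake = ["192.0.2.%d" % i for i in range(1, 10)]
    _, attacker_added = forward_along(build_record_route(9, prefilled=fake), path)
    print(honest_added, attacker_added)     # 3 0
```

The receiver cannot tell the two cases apart from the option alone: in both it sees a well-formed option whose pointer has advanced, and in the prefilled case every address is one the attacker chose. An edge router that reset or overwrote the option (as the next reply suggests) would be changing a packet it did not originate, which is the trade-off that proposal carries.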
Re:It's already in the specifications
by
ippie
·
· Score: 1
Why should an ISP be so polite/lazy/dumb/.... not to alter the route-info, only on edge routers I mean ?? This option looks very nice to me !!
Re:Goodbye anonymity - not exactly
by
Andrew+Cady
·
· Score: 1
If you only send a few packets like a normal human being you won't be particularly traceable. On the other hand, a massive download is going to be quite traceable and therein lies an important question from the point of view of anonymity.
FALSE. Even ONE packet is going to be tracable, unless you're using IP spoofing. Furthermore, IP spoofing can ONLY be used to SEND information, not to RECEIVE it (and thus, NOT to "download"). You see, when you are downloading, the server is sending you data. In order to send you data, it needs to know where you are. Thus, you tell it your IP.
IP spoofing can ONLY SEND information. Its only use is ping flooding. It can't be used for HTTP (web sites), FTP, NNTP (newsgroups/USENET), SMTP or POP3 (email), or anything especially useful I can think of. All of the protocols listed above use TCP, which requires a two-way flow of information (TCP is based on *connections*, which require information to flow both ways -- they will NOT allow you to be anonymous, unless you have an anonymous proxy. Anonymous proxies are unaffected by ITRACE).
I'm of two minds about it. On the one hand, I am a big supporter of the principle that the only way to guarantee freedom of speech on the net is to have technologically-enforced anonymity.
Well, the internet does NOT have that right now. There is NO way to receive information anonymously, on the internet. The only thing you can do is SEND it, and even then, the fact that you're sending it is ALREADY OBSERVABLE, it's just not being LOGGED.
ISPs can solve the spoofing problem RIGHT NOW with tools available today: egress filtering. The ISPs I run have egress filtering on ALL routers (border and internal) so not a single internal host can send a packet unless the source address is at least within the same subnet. Makes more sense to me than inventing another ICMP standard which requires all router manufacturers to update their software, and all ISPs to upgrade to the newer software.
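The egress rule from this post as an added example, not the poster's configuration: each customer-facing interface carries the list of source prefixes it may emit, and anything else is dropped and counted per interface. Interface names, prefixes and packets are constructed; the five-packet burst models a smurf-style stream carrying the victim's address as source and a broadcast address as destination.

```python
"""Added example of the egress filter described in the comment above; not
the poster's configuration. Interface names, prefixes and packets are constructed."""
import ipaddress
from collections import Counter

# Per customer-facing interface: the source prefixes it is allowed to emit.
EGRESS_POLICY = {
    "cust-1": ["198.51.100.0/24"],
    "cust-2": ["203.0.113.0/25", "203.0.113.128/26"],
}

def compile_policy(policy):
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in policy.items()}

def egress_permits(compiled, iface, src):
    """True only if `src` lies inside one of the prefixes assigned to `iface`.
    An interface with no policy permits nothing (fail closed)."""
    nets = compiled.get(iface)
    if not nets:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)

def filter_flow(policy, packets):
    """Apply the policy to (iface, src, dst) triples; return what is forwarded
    and a per-interface count of spoofed sources, which is what an operator
    would alert on."""
    compiled = compile_policy(policy)
    forwarded, dropped = [], Counter()
    for iface, src, dst in packets:
        if egress_permits(compiled, iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return forwarded, dropped

# Constructed traffic: one legitimate packet per customer, then a smurf-style
# burst from cust-1 carrying the victim's address 192.0.2.10 as source and a
# broadcast address as destination, and one packet where cust-2 borrows
# cust-1's address space.
SAMPLE = [
    ("cust-1", "198.51.100.7", "192.0.2.10"),
    ("cust-2", "203.0.113.150", "192.0.2.10"),
    *[("cust-1", "192.0.2.10", "203.0.113.255")] * 5,
    ("cust-2", "198.51.100.7", "192.0.2.10"),
]

if __name__ == "__main__":
    fwd, drops = filter_flow(EGRESS_POLICY, SAMPLE)
    print(len(fwd), "forwarded;", dict(drops), "dropped")   # 2 forwarded; {'cust-1': 5, 'cust-2': 1}
```

The drop counter is the useful by-product: a customer interface that suddenly starts sourcing addresses outside its own space is a compromised host announcing itself, before any victim has to trace anything.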
And countries can solve the DOS issues by better educating their pupils. Easier said than done. Try to reach each and every tech who has ever configured a router, and explain it to him.
I know but the itrace solution requires every tech which ever had configured a router to upgrade that router anyway, which leads me to my point that there IS a better solution out there, that can be used already, but nobody is, so why waste time inventing a new one, that is not as effective and even less likely to be implemented?
I take your point but it's natural in the course of things for routers to be replaced with newer ones and/or the firmware to be upgraded.
The problem with any 'education based' approach is that there are always newbies coming along that need to be taught. Barring some scheme which encourages them to learn fast (like, say those for mail relays and broadcast amplifiers) such efforts are usually doomed to failure. Evolution just doesn't work that fast;)
A system that needs no configuring, and can be turned on by default in new boxes, is a winner in the long run. Also as IPv6 approaches, we can be sure a lot of router upgrades are on the way.
Without IP spoofing, attacks like smurf become impossible. The only way you can DoS a site when your IP can't be spoofed is via a direct flood of traffic. Sure, you can coordinate the attack between several compromised systems, but without amplifiers such as with smurf, it's considerably less effective, and you announce the IP of every one of your intermediaries in the process, which means it'll probably be unusable as soon as the complaint gets back to the owners.
I agree but does that solve anything where DoS is concerned? I don't think it will. Of course there will be enough weenies who suddenly get very nervous about the idea that their real IP addresses can be traced. But so what? There are a dozen free ISP's out there which you can use. If one account gets traced use another! And then there is the tracing. I don't believe that a server which has been hacked to install a DoS exploit will be capable of reproducing logs which lead to the attacker. Incapable if the rootkit used by the kiddie fixed that of course. Personally I strongly doubt if those kiddies are capable of manually removing these traces in the logfiles.
I could not tell it better. Thanks for bringing some light on that privacy whining. Funny how the whining people just complain to their ISP when their ISPs are under attack, but they certainly don't want any new technology to solve that problem, in the name of "privacy". Yeah, you need to give some of your privacy away if you wish to also get a way to trace back abuses to the source.
Every time I log on to my ISP I'm assigned a different IP address and I'm willing to bet that they don't keep a log of these.
How much are you betting? I could make some easy money here:)
Email your friendly ISP and ask them what connection details they keep, and how long they keep them. Hint: Your username & the IP assigned to it, date, time, and connection time, are all part of it...
Most decent dialup hardware is 100% digital anyway, so you have equipment sitting on ISDN lines capable of answering ISDN calls but serving up analog connectivity as well, so ALL calling numbers are available and can be logged or used in the fashion you mention. This level of logging is a common practice among most responsible ISP's.
I have never been bothered by a cop in NY. But then, I'm white and don't skateboard.:rolleyes:
Seriously, if you don't like it, move. Personally I'm GLAD that crime in NY has gone down so much. The racial profiling certainly needs to be toned down a GREAT deal (Diallo is a tragic example of this), but other than that I have no complaints about the NYPD.
Thank you.
4920616D206E6F7420656C6974652E Remove the obvious to email me.
Hey, you're welcome. I sorta got tired of having a 60+ Karma rating.. I've managed to drop it down to like 30 or so within the course of just a few days just for fun.:)
Bowie J. Poag
-- Bowie J. Poag
Re:egress filtering - Totally right
by
cHeWt0y
·
· Score: 1
Rolling out itrace would be a lot easier than setting up egress filtering for many medium sized ISPs - as when you provide transit for other providers the access lists required can quickly grow very large - and can fluctuate regularly, so just keeping them maintained can be a tough job. Itrace would probably just mean typing "service itrace" on a cisco and then keeping half an eye on the logs.
I work in the industry and it scares me when I talk to the techs at other companies and they have no idea how their network works - they've just cobbled it together from other people's suggestions without any real understanding of why they're doing things...
I wholeheartedly agree that egress filtering is needed to stamp out spoofing though - itrace only gives a method of tracing an attack back once it is underway - egress filtering would mean it would never start in the first place.
If only cisco would enable an optimised easy to configure egress filtering service:)
Seriously now, considering that every packet has a source and destination IP address, adding some instrumentation to verify that source addresses are not spoofed has zero impact on privacy.
It does raise the bar, so the next steps in the cat&mouse game include ever-more-diffuse distributed attacks to avoid ever-more-watchful intrusion detection and traceback mechanisms. Is that a bad thing? No -- it is a good thing to make successful attacks more challenging.
A little more background reading:
Stefan Savage, Practical Network Support for IP Traceback a technique for tracing, but requires a little packet marking/mangling which makes it unlikely to be adopted. Clever, though, I'm sure some of the ideas will fold into itrace.
Other efforts in traceback involve perturbing the source of floods (e.g. by hop-by-hop reverse flooding) and watching the statistical properties of the flood at each step.
Read /. recently? After a k|dd|3 is in any simple r00tk|t can erase his actions from the logs. If the admin was a dork for letting him in in the first place & firing his DoS without noticing him (remember; I was the one warning them about it) I doubt he is capable to track the kiddie down. Any moron would notice the loss of bandwidth IMHO.
I'm not talking about logs (and even so, the percentage of hax0rd boxes that are truly without logs or other evidence of intrusion are probably smaller than you think).
I'm talking about real-time monitoring of network traffic and system usage. If someone's able to track the source of the attack back to a hax0rd system, all the competent admin has to do is fire up a packet sniffer, protected netstat-type utility, whatever, and figure out where YOU are connecting to this compromised machine. Since this connection is unlikely to be spoofed, the source address is guaranteed, and he can proceed to contact *that* ISP. Repeat if necessary.
This seems to be an application of the technology described in that one paper on storing trace information in packets in a backwards-compatible way, that slashdot had a while back. I now can't find the article. Some guy described the whole process of how one could squeeze the information into unused parts of packets.
Re:Spoofed packets aren't always bad
by
johnpc
·
· Score: 1
Actually spoofed packets are useful in not-so-evil manners.
Well, tough. I'm afraid current internet practices of simply disallowing fake source packets will quickly render your protocols unusable.
Note that there are already other ways to send stuff anonymously, for example using onion routers. The freedom program by zeroknowledge uses this technology, for example.
The majority of people don't commit murder. Therefore, there is no need for police.
Right on. I'm sick of all these politicians promising to "put more cops on the streets." This is the last thing we need. The only thing cops do is shoot innocent black people and bother skateboarders in the mall. They have more rights than normal citizens, and can (at least in New York) do pretty much as they please. And there are so fucking many of them.
--
Karma: Good (despite my invention of the Karma: sig)
18 months is too optimistic
by
johnpc
·
· Score: 1
For itrace to become useful, it has to be installed near DoS-ing hax0red boxes, and/or near the script kiddies.
Currently, these DoS-originating locations can stay anonymous if they can spoof their IP address, that is, if the connecting ISP didn't install proper filters to protect against spoofed addresses.
So before itrace can become effective, these already clueless ISPs must be persuaded to upgrade their hardware. These are the same ISPs that currently don't install IP spoofing filters, even though that has been recommended by various organisations for years now.
And given the fact that there are still some remote locations that are so outdated that they don't understand CIDR routing, I expect it to take much longer than 18 months for itrace to become effective against all spoofed IP addresses.
Maybe we should stimulate the major router vendors to give away OS upgrades that include itrace for free:)
No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun.
So from the tone of this can I correctly infer that you believe the government should take guns out of the hands of law abiding individual citizens? Let's only let the criminals have the guns? Or are you one of the Rosie O'Donnel thinkalikes who believes nobody should be allowed to have guns except you or your body guard?
-- "We are not tolerant people. We prefer drastically effective solutions"
Well - additional IPv6 info is available all over the place - try starting at IPv6.com or the IETF IPNG Working Group. The 6Bone is a network of Internet hosts running IPv6 already, and there's a transition planning working group that's arguing, er, discussing, the transition. UNFORTUNATELY, their schedule/roadmap on the transition planning page ends at March of 2000, with an entry to evaluate the state of their roadmap.
-- I love vegetarians - some of my favorite foods are vegetarians.
The article says deployment of Itrace will take 18 months anyway, so why not put that money and effort into upgrading the infrastructure for IPv6 instead?
IPv6 deployment date is not clear. Could be in 2 years, could be in 10.
Re:Most famous [D]DOS attacks were against Webserv
by
darkith
·
· Score: 1
The majority of infamous DDoS's are against webservers, but don't rely upon the site running a http daemon. A large number of DoS attacks are attacking the host machine and its TCP/IP implementation, eg SYN attacks, ICMP ping floods being echoed off of subnets. Fixing webservers will not stop DDoS attacks.
I believe (I read the article yesterday) that they mention that a method of verifying the iTrace ICMP messages will be developed (some sort of PKI perhaps?)
So now every single packet I send can be traced back to me. If I posted this as an AC, it would be possible for law enforcement to follow the leads back from slashdot all the way to my PC.
That's scary in itself, but since these DOSers hack into machines that might be on the route, with trace software installed, THEY can also find out who I am. They could even fake those logs to make it look like I was responsible for something I didn't do.
Name one, then abandon TCP and use it to do all the things you do on the internet
Are you trying to make some kind of point here? I simply said that TCP was not essential for a DOS attack, not that you could do everything on the Internet without it.
I don't see how this can work. Every time I log on to my ISP I'm assigned a different IP address and I'm willing to bet that they don't keep a log of these.
They do. I'm sure there are some exceptions, but not many.
That's how they identify people violating their acceptable use policy (spammers, script kiddies, etc).
They are able to track undesirables without the help "itrace" because practically all non-DDoS activity requires legitimate source addresses on the packets in order to complete the TCP three-way handshake.
This attitude always makes me smile a little. People assume that the Internet is currently anonymous and that technologies like itrace will somehow throw that anonymity away. The truth of the matter is, is that currently if you use the Internet in a normal fashion whereby you are receiving data, you are traceable. If you want anonymity then I suggest you use an anonymizer - it's what they're there for.
Also, if you had read the article fully you would have realised that not every packet you send will be traceable - only one packet in 20,000 will cause a traceback message. This means that normal activity is unlikely to cause many traceback messages, whereas a full-on DoS will get spotted easily and be traceable. This is important because if every packet caused tracebacks, then a DoS would be twice as effective (think about it).
And lastly, we come to the fact hackers might be able to spoof tracebacks to make it look like it came from you. Again, if you'd read the article you'll realise one of the technical challenges in implementing itrace is the PKI platform that will have to be built for authentication purposes, to ensure spoofing of these messages is not possible.
You don't really lose anonymity. If you use the internet in a normal way, everybody can trace the traffic you generate back to you because the source ip is in the packets you send. You're never anonymous, whether you like it or not.
If you're doing a DOS attack however, you just replace your ip with a bogus one, and send tons of those packets to the poor target. Since the source ip isn't yours, you're not really traceable. ICMP traceback will get you anyway since they'll find the machine the packet originated from, whether the source IP matches the machine's or not.
The largest problem however is still catching the attacker. Catching a simple cable user will be easy because there is only one person involved. If it involves a machine which is used by multiple users, there is no way to say what user did the attack. The article also states this point. And hacking routers to fake logs? They can do it right now by hacking into your ISP's server machines and change log entries that involve you.
I wouldn't worry too much about your anonymity. Your situation won't get worse, unless you're into DOS attacks, and then still... they found the machine you used, which you might have cracked too...
Maybe even the phone number as well, at least for ISDN connections. I think at least one local ISP even allows ISDN users to pick the phone numbers they can connect from. I think I remember hearing about that when my company was picking an ISP, but I may be mistaken and it may not be available to private customers. --
--
Fuck the system? Nah, you might catch something.
I always withhold my number, and Demon Internet always answer.
Mind you, this is the level of service I expect for my 10 ukPounds a month. I still think my net access is worth paying for.
Incidently, reason I withhold my number is that years ago I had been on the net all night, and about an hour after I disconnected, the phone went. I picked it up (at 4am!), and realised I was being called by a computer. Freaked me out so bad at the time I have always from that point withheld my number, although I'm old and wise enough now to realise it was probably a misdialled fax-call:-)
IP spoofing does NOT work for TCP connections, because data has to be sent both ways to use TCP, and people can't send you data without knowing your IP address
People making a DOS attack generally don't want anything to be sent back! Anyway, TCP is not necessary. There's other IP protocols.
Actually even though we (I work for a middling-sized ISP) keep radius records of users connections and which POP they access from, It's not because of a privacy issue. Sure I've been called out by the State Police to track down malicious email, threats, harrassing websites, etc... But the primary reason is that way when (l)users call up asking how long they've been on for a month, we can tell them. Also, say they claim they stopped using their account the first week, but we have transactions of that account coming from a different area for the rest of the month, we can tell that the account has been compromised.. Trust me, as a net-admin, I have far better things to do than run a tcpdump on each of my Ras-boxen to see who's seeing whom's dirty sites.(That's what my cache server logs are for:)) I'd rather spend my time doing more productive things like a recursive grep through the mail logs and forwarding a copy to the offenders parents/wife/etc.... But seriously Radius logs are usually kept for customers who would be the first to complain.... I didn't even USE the account!!! but this opens up a whole new can of worms
So now every single packet I send can be traced back to me. If I posted this as an AC, it would be possible for law enforcement to follow the leads back from slashdot all the way to my PC.
UHH, slashdot ALREADY KNOWS YOUR IP ADDRESS. You *CAN'T* make a TCP connection without revealing your IP address. IP spoofing does NOT work for TCP connections, because data has to be sent both ways to use TCP, and people can't send you data without knowing your IP address. You never had that kind of anonymity in the first place.
You're obviously not even spoofing your IP, or else you wouldn't have been able to post that. So what are you complaining about?
Re:Goodbye anonymity
by
Anonymous Coward
·
· Score: 1
Umm.... www.anonymizer.com and Slashdot has no idea what your IP is.
I don't see how this can work. Every time I log on to my ISP I'm assigned a different IP address and I'm willing to bet that they don't keep a log of these. The IP addresses on the other side of the proxy server are in the range 128.10.10.xxx which can't travel across the net anyway. Or am I talking out my a$*e here ?
You're right... However, not many DoS attacks are launched from modems, so it doesn't matter. This is meant to track serious connections that can do real damage in a DoS attack. A 56k ping flood may be enough to piss off some guy on IRC, but it's a drop in the pan to Amazon.com. Most of those serious connections are going to have static IPs.
Also, about NAT (IP MASQ) proxies: in such a case, it's the LAN administrator's problem to track down the internal culprit. But knowing the IP of the NAT gateway is at least enough to get the admin to stop sending out those packets, or to get the courts to force him to do so if he's a prick.
You would be surprised how much information is logged by ISP's.
The one ISP I have intimate knowledge about logged everything from date/time, connection speed, disconnection reason to the NUMBER YOU WERE CALLING FROM.
All of this information is kept strictly confidential, but is IMMENSELY useful when serious abuse incidents arise. If some Joe Hax0r is using the ISP as a throw-away dialup with some fake credit card number, and the Feds came knocking on the ISP's door, they wouldn't walk away empty handed: with the calling ID, they know exactly who the offender is.
I suspect most ISP's have logging of this nature.
I mean hell, for metered access, you've GOT to keep track of dialup usage. Additional information like that is trivial to add to a database, and the benefits are significant.
Thank you for taking the time to beat down those that post without knowing WTF they're talking about... I'm glad someone else has the energy to do it (still)!
Yes, this seems to be functionality that would be implemented in the IOS and not at a hardware level, therefore it wouldn't be very costly (although it could mean a fair amount of man-hours for your Network Admins to implement).
Most of the Free ISPs over here in the UK actually have it as part of the terms and conditions that you have to reveal the number you are dialling from to their dial equipment. If you withhold the number they can refuse your connection.
Right, but that has nothing to do with ITRACE. anonymizer.com is not IP spoofing, it's just HTTP proxying. ITRACE only prevents IP spoofing from being anonymous, not HTTP proxying.
Dude, you can't browse the web using IP spoofing. You *ALREADY* need to divulge your IP to use any TCP service. That includes SMTP/POP3 (email), HTTP (web), NNTP (newsgroups), FTP, IRC, Telnet, Ssh, and *MOST* others. Furthermore, even most UDP protocols send data both ways, and IP spoofing can only be used for SENDING data, not RECEIVING it.
Most people don't use IP spoofing anyway. However, you can always use an anonymous proxy service, such as anonymizer.com. So what have we learned? (1) No privacy has been lost here, (2) you had no privacy in the first place, (3) you can GET privacy if you really want it, through proxying, which ITRACE cannot affect.
A summary of the proposal-doesn't affect anonymity
by
ambclams
·
· Score: 1
As far as I can tell after reading the article and the proposal, this doesn't seem to have any significant effect on anonymity for the most part.
A quick summary of the proposal as I understand it: Routers that supported this feature would after sending a data packet, randomly also send an itrace packet to the destination, containing the previous and next hop. The TTL in the packet would always start at 255, so it would be possible to determine how far back along the path the router that sent the itrace message was. Additionally, there would be an authentication system to ensure the veracity of the itrace packets. The IETF proposal suggests that the chance of a router sending this packet would be about 1/20000.
This doesn't affect anonymity. It isn't possible to determine anything more with this system than you would be able to normally, unless the IP address is spoofed. With a spoofed IP address, you might have a chance of determining the real originating host; with a valid source IP address, such a traceback would likely be available with a simple traceroute. Additionally, the packets are only sent randomly and occasionally, so the chances of a packet being sent are pretty low unless you're sending a lot of packets.
What I'm not sure about, however, is how effective this will be. If the chance of an itrace packet being sent is only one in twenty thousand, how many data packets would need to be sent in order for the destination to receive a complete trace back to the source. Obviously, in most typical DoS attacks, lots of packets are sent. Would this be enough, or would itrace only be effective for the largest DoS attacks?
--
Life is far too important to be taken seriously.
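An added simulation, not part of the proposal or of this post, of the scheme as summarised above: every router on the path emits, with probability 1/20000 per forwarded packet, a message naming its previous and next hop, sent with TTL 255 so the victim can estimate how far away that router is. It addresses the question at the end of the post: with d routers on the path, a complete trace takes roughly 20000 * H(d) packets (about 49,000 for six hops, H being the harmonic number), while a hundred-packet page load produces 0.03 messages on average. Router names, the exact message fields and the assumption that the victim host does not decrement TTL are mine.

```python
"""Added example: simulation of ICMP traceback sampling as summarised in the
post above. Not the IETF draft's code; router names and message fields are assumed."""
import random

P_SAMPLE = 1 / 20000    # per-packet, per-router probability of a traceback message (from the summary)
INITIAL_TTL = 255       # traceback messages start with TTL 255 (from the summary)

# Constructed path from the attacker's edge router to the victim's gateway.
PATH = ["edge-r1", "core-r2", "core-r3", "peer-r4", "isp-r5", "victim-gw"]

def traceback_message(path, i):
    """Message router path[i] would emit: its own id, previous hop, next hop,
    and the TTL the victim sees after the remaining routers decrement it
    (assumed: the victim host itself does not decrement)."""
    prev_hop = path[i - 1] if i > 0 else None           # None = upstream unknown to this router
    next_hop = path[i + 1] if i + 1 < len(path) else "victim"
    ttl_at_victim = INITIAL_TTL - (len(path) - 1 - i)
    return (path[i], prev_hop, next_hop, ttl_at_victim)

def distance_from_ttl(ttl):
    """Hops from the emitting router to the victim; the last router is 1 hop away."""
    return INITIAL_TTL - ttl + 1

def reconstruct(seen):
    """Order the hops heard so far by distance (farthest first) and check that
    each router's next_hop is the router one hop closer, where both are known."""
    ordered = sorted(seen, reverse=True)
    for d in ordered:
        if d - 1 in seen and seen[d][2] != seen[d - 1][0]:
            raise ValueError("inconsistent traceback at distance %d" % d)
    return [seen[d][0] for d in ordered]

def packets_until_complete(path, rng, max_packets=500_000):
    """Feed the victim a flood along `path` one packet at a time; return the
    packet count at which every hop has been heard from, plus the path the
    victim reconstructs. Returns (None, partial) if the cap is hit."""
    seen = {}   # distance -> (router, prev_hop, next_hop)
    for n in range(1, max_packets + 1):
        for i in range(len(path)):
            if rng.random() < P_SAMPLE:
                router, prev_hop, next_hop, ttl = traceback_message(path, i)
                seen[distance_from_ttl(ttl)] = (router, prev_hop, next_hop)
        if len(seen) == len(path):
            return n, reconstruct(seen)
    return None, reconstruct(seen)

def expected_packets(hops, p=P_SAMPLE):
    """Coupon-collector estimate of the flood size needed for a full trace:
    the max of `hops` geometric waits is roughly (1/p) * H(hops)."""
    return sum(1 / p / k for k in range(1, hops + 1))

def expected_messages(n_packets, hops, p=P_SAMPLE):
    """Traceback messages a victim should expect from ordinary traffic."""
    return n_packets * hops * p

def demo(seed=7):
    return packets_until_complete(PATH, random.Random(seed))

if __name__ == "__main__":
    n, recovered = demo()
    print("trace complete after", n, "packets:", " -> ".join(recovered))
    print("expected for 6 hops:", round(expected_packets(6)))        # 49000
    print("messages from a 100-packet page load:", expected_messages(100, 6))   # 0.03
```

Two things fall out of the numbers. The scheme is blind to anything short of a flood, which is the anonymity argument made elsewhere in the thread; and the trace it gives is of the path the packets took, so a spoofed source address does not hide the edge router, only the host behind it. The consistency check in reconstruct is the minimum a victim would want before acting on a trace, since without the authenticated messages the proposal calls for, an attacker could inject bogus traceback messages as easily as the flood itself.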
I'm stirring a little, but I get tired of people pouring their bleeding hearts over rights in the internet arena that they lost in other arenas years ago.
Fair enough. Some of us get a little tired of the sheep who decide that a loss of freedom anywhere justifies a loss of freedom everywhere, or who think that the fact that things have gone wrong somehow makes it right that they go wrong. I find it one part funny, two parts sad when I see people scoff at the notion of a "slippery slope"... then make arguments like the above to justify giving up.
Read about a similar idea before.
by
GeekDork
·
· Score: 1
Some time ago, someone at Ars Technica posted a similar idea. I couldn't find the article anymore, but if you have some free time, try and find it, as it was very interesting.
Paranoids of the world, unite!
--
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
Re:Alternative measures
by
Andrew+Cady
·
· Score: 2
Dude, the internet does NOT allow anonymity. In order for you to RECEIVE any information (such as a web page), you need to divulge your address. This is the same principle behind which you must divulge your shipping address if you expect to receive packages. ITRACE doesn't take away any anonymity from average people who don't use IP spoofing. It makes IP spoofing harder. IP spoofing makes the internet worthless: you can't use it to visit web sites, you can't use it to send email, you can't use it to go on FTP sites, you can't use it to telnet, etc. It prevents you from receiving ANY information. It's the electronic equivalent of putting a fake return address on a letter. It prevents two-way communication.
That's why NOBODY but crackers use it, NO operating system supports it natively, and NO protocol works under it. Its only use is cracking.
Furthermore, anonymous proxies -- which are already the only way to be both anonymous and useful on the internet -- are unaffected by ITRACE. NOBODY lost any privacy here, except crackers.
It's unbelievable how many people on slashdot do not understand basic networking principles!
Sounds kinda nice but let me get this right; I'm tracing the origin of the DoS flood. In other words; this will lead me to one of the, in most cases, many servers which are sending me this flood. What good will that do me? Sure, I know which company has a h4x0r3d server and I can tell them that their server flooded me but this won't resolve the issue. C'mon; there are millions of servers out there. If I can trace one and even let them shut it down the script kiddie can have 5 others in no time. Happy tracing!!
No, I've said it before in an earlier post; the only way to solve this IMHO is to let the Hosting providers come together and setup a guideline / rule for all servers being hosted. If they don't meet the security limits its either done for them or bye bye. When these people will stop thinking about money all the time and also give a little bit more consideration to the Net our troubles would reduce enormously.
Instead of contacting the provider of the compromised system and having them shut down the offender, have them TRACK HIM DOWN. With simple network tools they can figure out where the intruder is connecting from and FIND the dickhead instead of just killing the connection, patching up the system and forgetting him.
First of all, the amendment related to guns is the second. Next, that amendment does not give you as an individual the right to own or carry a gun. It gives the states power to arm their militia. By law, this means the national guard. No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun. This view has been consistently upheld by the Supreme Court, most directly in US v. Miller, 307 US 174. For a more in-depth analysis, see The Politics of Gun Control, Robert J. Spitzer.
Read Miller again. Miller lost the case because a sawed off shotgun is not a weapon with much military value. There is even some language that infers that 2nd is an individual right.
Also check out US v Emerson which is now before the 5th Circuit. Judge Sam Cummings ruled it an individual right and it looks like the 5th Circuit is leaning that way. The whole issue could be before SCOTUS next year.
More than twice as much...
by
Andy+Dodd
·
· Score: 2
If itrace sent one traceback packet for each packet that passed through a router, it would far more than double the effectiveness of the DDoS - For every packet that went from source to destination, a new packet would be generated for EVERY HOP! Of course, this is a moot point, since it's only one out of every 20,000 packets that goes through a router. (Of course, this means that if you have 20 hops, a traceback message will come from somewhere in the route every 1000 packets or so...)
-- retrorocket.o not found, launch anyway?
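Two posts above ask the same quantitative question: how many packets must a flood contain before the sampled itrace messages give the victim a complete path (the first post), and how often a message arrives from somewhere on a 20-hop route (the "every 1000 packets or so" figure in the post just above). The following is an added toy model written for this thread; it is not code from the IETF draft or from any poster. It assumes, beyond what the thread states, that each message names the sending router plus its previous and next hop, that every router samples independently at the same rate, and that the victim measures a router's distance as 255 minus the TTL the message arrives with. Router names (R1..Rh), "SRC" and "VICTIM" are constructed labels.

```python
"""Sampled ICMP traceback (itrace) toy model.

Added example for this discussion, not the IETF draft's own code.
Assumptions (not on the page): message fields are router / prev_hop /
next_hop, identical sampling rate p at every router, and the victim
infers hop distance from 255 - TTL.  Labels R1..Rh, SRC, VICTIM are
constructed.
"""
import math
import random

SAMPLE_PROB = 1.0 / 20000   # the draft's suggested sampling rate (quoted in the thread)
INITIAL_TTL = 255           # itrace messages are sent with TTL 255


def harmonic(n):
    """H_n = 1 + 1/2 + ... + 1/n, the coupon-collector factor."""
    return sum(1.0 / k for k in range(1, n + 1))


def expected_packets_first_message(hops, p=SAMPLE_PROB):
    """Mean attack packets until ANY router on an `hops`-router path emits a
    message: each forwarded packet triggers one with probability ~ hops*p."""
    return 1.0 / (hops * p)


def expected_packets_full_trace(hops, p=SAMPLE_PROB):
    """Mean packets until every router on the path has been heard from.
    Messages arrive at hops*p per packet; collecting all `hops` distinct
    senders takes hops*H_hops messages on average, so H_hops / p packets."""
    return harmonic(hops) / p


def simulate_traceback(hops, n_packets, p=SAMPLE_PROB, seed=0):
    """Push `n_packets` through R1..Rh (R1 nearest SRC, Rh adjacent to the
    victim) and return the itrace messages the victim receives.  Every router
    between the sender and the victim decrements the message TTL by one."""
    rng = random.Random(seed)                      # seeded: reproducible runs
    chain = ["SRC"] + ["R%d" % i for i in range(1, hops + 1)] + ["VICTIM"]
    received = []
    for _ in range(n_packets):
        for idx in range(1, hops + 1):              # chain index of router R_idx
            if rng.random() < p:
                routers_after = hops - idx          # routers between R_idx and victim
                received.append({"router": chain[idx],
                                 "prev_hop": chain[idx - 1],
                                 "next_hop": chain[idx + 1],
                                 "ttl": INITIAL_TTL - routers_after})
    return received


def reconstruct_path(messages):
    """Victim-side reconstruction: order messages by TTL-implied distance,
    list missing distances as gaps, and check that each router's next_hop
    matches the router already placed one hop closer.  A message whose links
    do not chain up marks the trace inconsistent, which is the only defence
    against forged messages when no authentication is in place."""
    by_distance = {}
    for m in messages:
        by_distance.setdefault(INITIAL_TTL - m["ttl"], m)   # duplicates add nothing
    if not by_distance:
        return {"path": [], "gaps": [], "consistent": True, "farthest_prev_hop": None}
    max_d = max(by_distance)
    gaps = [d for d in range(max_d + 1) if d not in by_distance]
    path, consistent, expected_next = [], True, "VICTIM"
    for d in range(max_d + 1):
        m = by_distance.get(d)
        if m is None:                               # hole: the next link is uncheckable
            path.append(None)
            expected_next = None
            continue
        if expected_next is not None and m["next_hop"] != expected_next:
            consistent = False
        path.append(m["router"])
        expected_next = m["router"]
    return {"path": path, "gaps": gaps, "consistent": consistent,
            "farthest_prev_hop": by_distance[max_d]["prev_hop"]}


if __name__ == "__main__":
    for h in (5, 10, 20):
        print("%2d hops: first message after ~%.0f packets, full path after ~%.0f"
              % (h, expected_packets_first_message(h), expected_packets_full_trace(h)))
    msgs = simulate_traceback(hops=10, n_packets=100000, seed=1)
    print(len(msgs), "messages received;", reconstruct_path(msgs))
```

The first-message estimate reproduces the thread's "20 hops, about every 1000 packets" arithmetic; the full-trace estimate answers the earlier question with a coupon-collector bound of roughly 72,000 packets for a 20-hop path at 1/20000, so a modest flood already yields a complete trace while a low-rate sender never does.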
Re:What stops me from spoofing itrace?
by
pthisis
·
· Score: 1
What keeps a script kiddie from sending spoofed itrace packets implicating every machine on the planet from a compromised machine?
If you read the article, it addresses this concern:
"ISPs face the cost of upgrading their routers to support itrace, and also the cost of developing the public-key infrastructure required for traceback message authentication. Without fail-proof authentication, hackers can create bogus traceback messages to accompany their denial-of-service attacks."
Just the opposite - The DoS packets are spoofed, because they only need to go one way.
As has been pointed out numerous times in this article before, THIS DOES NOT AFFECT TCP STREAMS! If you have a TCP connection, YOUR IP IS ALREADY KNOWN! You cannot combine spoofing with the ability to receive data. If you want to remain anonymous, use an anonymizer proxy, which itrace will not affect.
I hope the writer of the article is confused. If you put your trace messages in separate packets, you'll only be able to trace the DOS as far as the reflector machines. That's useless -- we know who the reflector machines are already. If you put the trace message inside the packet payload, you've got a much better chance of tracing the entire path without having to ask the guy at the reflector machine to get involved.
--
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Re:Alternative measures
by
dingbat_hp
·
· Score: 3
You're falling into the trap of the Politician's Syllogism:
Something Must Be Done
This is something
Therefore this must be done.
Aren't you posting from the UK ? Right now the UK has the unedifying spectacle of a government simultaneously imposing draconian anti-privacy measures in the RIP bill, yet also having their own secrets exposed by "Benji the Binman", owing to their own complete lack of understanding on basic infosec (shred your rubbish).
We already have many defences against DDoS attacks. The best one is installing Clues in the admins of bozo ISPs (not forwarding RFC1918 is a damned good start), but more robust inbound routing helps too (stateful packet inspection still isn't commonplace, yet it kills things like SYN flooding). We can fix this. Sure, it sucks today, but let the geeks work it out and we'll get the holes patched.
So what are you suggesting instead ? Modem Licences, to go with the Modem Tax rumours you recall so fondly from the Net 10 years ago. The infrastructure is flaking, there are too many cluephobes jumping on the ISP bandwagon, yet you want to start beating up on the users ! I'm sorry if AOL doesn't meet your standards of intellectual superiority (are you a Mensa member too ?), but their cash is as good as yours or mine, and they've just as much right to be here.
If I walk into my local pub and behave like a jerk I'll be thrown out. Cross the road and the same behaviour is accepted as normal; different pubs, different communities, different standards of behaviour. How is your "global net access" going to support that ? I don't want Kansas fundies telling me that evolution doesn't work, and they probably wouldn't want me offending their local ordinances either.
Don't like Grits with your Slashdot ? Let's make moderation work better. Virtual Communities are still a pretty new concept, and we're going to have to learn how to deal with the odd Mr Bungle or BeerGuy.
Personally I think an age limit of 32 is about right. Keeps off the people who don't remember uucp and real netiquette. How do you like that idea ? 8-)
This is not an attack on anonymity. Go read the actual IETF draft. You will see that the only thing it helps with is tracing back packets with SPOOFED originating IP's.
This will help prevent things similar to the attack on kuro5hin. Unfortunately, if attackers are using compromised machines, all it will (or can) do is help to quickly find the real IP addresses of the machines that have been compromised. You see, someone doing a denial of service attack right now can cause the servers they are using to output IP packets that look like they are from somewhere else. When those packets arrive at the target, 10 hops later, it is nearly impossible to find the real machines that are causing the attack. That's what this proposal solves.
This has nothing to do with eliminating privacy or anonymity. Every time you connect to a web site now, they can find out the IP address you are coming from. Duh! How else can they send the web page back to you??? If you spoof your originating address, you cannot have a two way conversation.
IP source spoofing is ONLY useful for denial of service attacks, and that is the ONLY thing this proposal addresses.
The so called solutions you are advocating, like restricting access to the net would be far, far worse for invading privacy. Think about it... how are you going to make sure that only "authorized people" use the internet? Well, you will have to identify all of them. With examinations, meeting criteria, getting what is equivalent to an "internet license"... well damn, there goes privacy! Just like anyone who sees your license plate on your car can find out who the car owner is. No privacy there either. Did you think about this?
The IETF proposal is not a perfect solution. You are correct that there probably isn't one. However, it is a good one and 100% better than your suggestion.
Torrey Hoffman (Azog)
-- Torrey Hoffman (Azog) "HTML needs a rant tag" - Alan Cox
I agree that this new proposed system does not really pose a threat to privacy in the net (unless you're a skript kiddie). However,
They're not complaining about the postmark on their snail mail
Just as it is questionable to say that the traditional means of bootlegging music (copying a tape to friends for instance) are similar to Napster, you really shouldn't compare e-mail with snail mail/phone privacy either. Once again it's a question of scale: what you can and cannot do with reasonable amount of effort. In the meat world it's much more difficult to keep track of person's mail and whereabouts and that's why extensive and continuous surveillance has been conducted only on people who are already under suspicion. However, in the net it is much more easy to track a person and -- more importantly -- to do exhaustive searches for suspicious (whatever that happens to mean at the time) correspondence. To my mind this would correspond in real world terms to the authorities opening and reading snail mail at random in order to look for evidence of crime.
I think it is impossible for whoever should enforce this restriction to check on everybody's age or whatever restrictions one can think of. Besides, if they could do that, they would need far more information about you than they can ever get over the net. This alternative is far more intrusive than the original idea.
posted yesterday but rejected...
by
raffe
·
· Score: 1
2000-07-26 09:01:57 The end of ddos? (articles,news) (rejected) posted yesterday but rejected...
I think that the reaction to the alleged "loss" of privacy on the net is a little extreme given the cost that privacy is beginning to create. I can live with people being able, provided it is not *too* easy, to get an idea of what I'm browsing, if it means that I can continue browsing it. If the cost is such that 15-year-old jerks with nothing better to do than get cheap thrills breaking things are taking away the services I want to use, then in my humble opinion, the privacy has come at too high a cost.
I don't like making the tradeoff, but I'd rather have a service that was not completely anonymous than be able to anonymously participate in a medium that has been reduced to complete uselessness.
So routers send ICMP messages about packets they pass on? Well, can't you just flood the target with faked itrace-ICMPs? How exactly is the victim supposed to be able to tell which ones are real and which ones are not? And the routers can't really send these itrace-ICMPs about an ICMP, since there is this rule about not sending ICMPs about ICMPs, right?
I think the point the poster was making is that who really cares if it's a valid itrace packet or not. Now, you're flooding a host with invalid itrace packets. Still sounds like a valid DoS to me. Now, the target host, instead of saying, "oh now, I'm being DoS'd by a spoofed IP packet", he'll say, "Alright! Lots of worthless itrace packets that can't tell me anything and I'm in the same boat and it's still chewing host CPU to process them." I'm sure they'll all do a nice song and jig to rejoice that they spent the money on a worthless upgrade so they can do it all over again on IPv6.
This is nothing but a complete waste of time, energy, and money. They need to get off their butts and start an IPv6 roll out. That's what it's there for. That's what it's designed for. Let's get the IPv6 guys to get over their egos so they can do what they are supposed to be doing and get IPv6 rolled on out the door!!! Greg
All we need is changing the way servers work...
by
marat
·
· Score: 1
Discarding all incomplete requests can solve most problems. One packet is enough for almost any http request. Oh yeah I know there're long cgi-bin requests but these could be handled somehow different.
Every secretary using MSWord wastes enough resources
Re:What stops me from spoofing itrace?
by
Azog
·
· Score: 3
The itrace packets will have an authentication section. Read the ietf draft, it explains some of the possibilities.
At any rate, spoofed itrace packets will be detectable.
Torrey Hoffman (Azog)
-- Torrey Hoffman (Azog) "HTML needs a rant tag" - Alan Cox
I am not an ISP or have experience in any of these ways, but is it possible to perhaps have a hostname alias that the ISP attaches when you connect on that will allow for better tracking of dialup accounts? Say something like:
john_doe.dialup.isp.com
which can/and would only be assigned by the ISP.
For that matter, can't they tell who is dialed in at any particular time, presuming they are logging all the appropriate information?
At least with names consisting of "i"+$propernoun (like "iMac"), while they violate every convention of capitalization in English, that odd capitalization at least gives some clue as to their pronunciation. Have we really devolved to the point where any word that appears on the internet that has an "i" in front must be pronounced with a long "i" separate from the rest of the word? Didn't someone realize that this coopts the single most used word in the English language in the process and renders it a mere idiot prefix? At least when companies did this with "super", that was a normal adjective.
--
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Please. You'd just step back to the days of wardialing and hacking accounts again, that's all. I actually used to PAY for a shell account that had to be accessed over a hacked link, due to no local dialups 10 years ago. People WILL find a way. Script kiddies will dust off ToneLOC and be back on the net, probably before you or I finished our licensing tests. There is no perfect solution, to be sure; either we give up some privacy, or, as you say, get licensed.
Problem with getting "licensed", is that we'll have to give up MORE information that way anyhow. Aside from the enforcement angle, making sure that everyone on the net has their proper license, it would get real messy real fast, end up with the worst of both worlds.
The 6Bone already exists, and is being used to hammer on the protocol and work out the kinks, plus figure out how to let v4 and v6 coexist.
That crisis point you talk about is coming - just wait until all those new top level domains come on line and folks start realizing we're almost out of IP addresses (and given the trend of new IP allocations, we're lucky if IPv4 lasts another 24 months). IPv6 isn't something ISPs and the backbone will move to voluntarily (with a few farsighted exceptions) - it's going to be one of those gun-to-the-head-of-the-business situations that makes life so enjoyable for us spectators.
-- I love vegetarians - some of my favorite foods are vegetarians.
Not only is that completely unethical in my opinion, but also unconstitutional where I come from.
"there is a lot of offenisve [sic] material out there that we don't want our kids seeing" - Speak for yourself, buddy.
"to people mature enough to take responsiblity for their own actions" - I know plenty of people over 18 who don't fit this mould.
One example where anonymity is really needed
by
rxmd
·
· Score: 1
Maybe you would like to hear an example where anonymity really is a good idea.
I am, among other things, a student in Islamic Studies in Germany. We have had students who worked in the Middle East under really weird circumstances; for example, there was one in the early nineties who wrote her Magisterarbeit (you'd call it a Master's Thesis) on the internal structure of Palestinian Islamist terrorist organizations. Back then, the internet practically did not exist down there so she communicated back home from public phone booths using a scrambling device. For our students who are there now, I set up an anonymous remailer that I can trust (because I happen to administer it) in our student organization's office, and they communicate happily, heavily using nyms, remailers and PGP.
For these people, any loss of anonymity (such as a "where did these packets originate" solution) means a serious risk to their lives, while their activity is not at all illegal - it's perfectly ordinary scientific research.
So if I pour my bleeding heart every now and then about my rights in the internet arena, it's because I am perfectly conscious that I need those rights (or friends of mine). There are applications where anonymity is a necessity, and these are not necessarily illegal.
Apart from that, I am a little sensitive to statements like Don't do illegal things, and you'll be able to do without the rights that we are depriving you of. May have something to do with my home country's history over the last couple of centuries.
-- As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
Re:One example where anonymity is really needed
by
nlvp
·
· Score: 1
Agreed, but if the anonymity is being abused to the point that services are being taken down, then a tradeoff has to be made. Perhaps that means that a few people can't write theses on the internal structure of terrorist organisations, and I'm sure there will be other repercussions too, but there's a cost and a benefit, and if the benefit of privacy results in the cost of making the internet extremely vulnerable to 15-year olds with a lack of sense, then I'm sorry, I still opt for a way to shut them down.
The argument in the bottom of your message, in italics, is not at all what I am saying. What I am saying is that the abuse of our rights to the point where the cost becomes unacceptable should lead to questions about what can be done to limit the abuse of those rights. The problem is that limiting abuse of rights is very difficult in an internet we have no way of policing, and therefore any approach to limit the damage of that abuse is going to cause collateral damage to the rights in question.
Just because someone wants to write a thesis on a terrorist organisation doesn't mean my ISP should be made vulnerable to script kiddies. If that's the tradeoff, then I vote they change thesis. If it isn't, then let's think of a way to stop them that doesn't result in measures of this kind.
Re:One example where anonymity is really needed
by
Abigail
·
· Score: 2
For these people, any loss of anonymity (such as a "where did these packets originate" solution) means a serious risk to their lives, while their activity is not at all illegal - it's perfectly ordinary scientific research.
To perform any meaningful communication, one has to know where a packet came from, otherwise, one cannot reply. Any valid TCP/IP connection is one where both ends know the address of the other end. I cannot see why your students need to send out untraceable IP packets - there's no service that works that way. As for an anonymous high level protocol, like mail, your implemented solution isn't affected by it. Currently, the receiver of the anonymized mail already has to know the address of your remailer - otherwise you won't be able to build an SMTP connection. But that's where it stops - and that's where itrace would stop as well, as that's the end-to-end connection being made.
Sheep huh? Cheap emotional argumentation, although I also was guilty of that.
We keep saying that the internet is great because it creates the free flow of information. The nature, destination, source and size of that information is just more information, which, if the means can be created, can just as freely be collected by individuals.
People protect Napster because it's something that allows information to flow even more freely - good, it's a valid argument and I will defend that argument. But the creation of technology such as this is merely the same kind of development, but the nature of the information is different. Instead of enabling the infringement of the rights of people who make music/films/software/whatever, it enables (nothing more, after all it's what you do with it that counts, the makers of the technology can't be held responsible can they?) the infringement of the rights of people sending packets of data.
I think it's hypocritical to say that the internet is great because it allows the free-flow of information and data across the world and then to impose limits on that data flow when it relates to stuff we'd rather wasn't shared. I'm sure the musicians feel the same way about Napster, Gnutella, Scour, MP3.com and all the others.
Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."
Ninth:
The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
What you may be unaware of is the fact that there were many people who argued against the Bill of Rights for the very reason you've illustrated: they claimed that it would have the result of effectively restricting what Rights were actually protected because they didn't name them all (After all, in their view, Rights are intrinsic, they can't be granted, they can't be taken away. Everything else is privilege). Amendments 9 and 10 were written to counteract this, but I'm not so sure this was effective. After all, how many cases do you know of that reach the Supreme Court under 9th and 10th amendment claims? They may be there, but they are certainly overlooked by the public.
--
ufdraco
"All we need is changing the way servers work"???
by
rxmd
·
· Score: 1
There are thousands of different servers for different applications out there. Do you seriously want to change the way they work?
Just because HTTP requests are short in most cases does not imply that there is no request-oriented non-DOS service active out there on the Internet that actually uses requests of more than one packet in length. (One might also say "HTTP is not the world" or "The Internet is good for other things than web browsing".)
-- As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
Anything else would be like not installing airbags in cars, but instead threatening drivers that cause accidents with more severe punishment. I disagree. We end up with a fairly ludicrous situation at both extremes.
Extreme 1 - You drove 1 cm closer to the side of the road than was necessary. The sentence is death! Extreme 2 - All cars are filled with and surrounded with padding. It obscures your vision, but it prevents them from doing any harm to the driver, other drivers, and pedestrians, so it doesn't matter.
In practice, we have a level in between. Cars are fitted with seat belts, but it's illegal to go faster than x mph, and to drink more than y. It's a reasonable compromise.
you lie about your ip address (that's called spoofing). A simple traceroute will give the same information if you don't spoof your ip. If you spoof your ip, the server you are connecting to can't send anything back to you since it doesn't know where to send it.
you send massive amounts of data. The itrace message is only sent for one packet in every 20000. That is flooding.
Itrace will only give useful information about users who are abusing the flaws in the tcp/ip protocol and at the same time are sending lots of data (like syn flooding), and will not have any consequences for the rest of us.
What about longer TCP streams, such as large up- and downloads?
As far as spoofing is concerned, most DDoS attacks may originate from spoofed IP addresses, but the DoS packets themselves are sent from non-spoofed servers (you don't have to spoof a server that isn't yours anyway). For this, we don't really need traceback.
-- As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
I'm sick and tired of good intentions being used to defend bad plans.
Uh, sorry. No. The internet as we know it was built on a large number of assumptions, many of which are simply no longer true. The largest of these assumptions is that there was no reason for built-in security, since the only people using the network were academic types -- and it was true that the various institutions could generally trust each other. But as the network became more open to the public at large, the old assumptions began to break down. This plan is an attempt to fix a single problem in an inherently bad design. Get over it.
Why people use WinNT as a server platform is beyond me. Something like 65% of web-site defacements listed at Attrition.org are WinNT based. That's insane. Linux is something like 20%. I was very surprised at HOW MANY sites are hacked. The internet's infrastructure needs to be improved, sure. But how about securing your system properly?! Argus has even announced a Linux port for their products; it's the only TOS that I've seen even mention Linux. And, maybe someone should push the Linux Kernel developers to finish implementing the Capabilities and ACL stuff that at least partially exists in the kernel (or in patches); this would allow application coders to write non-suid programs that would still have some of the root capabilities (just the ones they need).
I'm not saying that the sys admins are to blame. These decisions are generally not simple technical ones. However, everyone needs to be educated about the products that are available to protect themselves and others (in the case of DDoS's). If you're a sys admin, educate yourself and pass it on to your boss. They may not get it, but you should at least try.
Just my $0.02.
$ flames >/dev/null 2>&1
--
---------The early bird gets the worm, but the second mouse gets the cheese.
One is for generating statistics on who is contacting your site and from where. Just collect all the itrace packets that hit your network, and you could get a statistical map of which routers on the Internet send the most data to you. With a little knowledge of the location of these routers, you could generate a statistical average of the logical and/or geographical distribution of your readers/clients/customers/whatever.
This might be handy if you're a big site and you are considering putting up another mirror, or switching to a new ISP to better serve your customers. You could base your mirror location and/or your ISP move on real statistics rather than educated guesses. And best of all you don't have to collect any personal information about your users to do it.
Spoofed packets aren't always bad
by
jonathanclark
·
· Score: 2
Actually spoofed packets are useful in not-so-evil manners. I'm working on an anonymous file transfer protocol that depends on the ability to hide the return address. That is you, can send a file to someone without them knowing where it came from or trace it back to you. There are two levels of anonymity :
1. You send packets directly to the target host using UDP with a spoofed return IP address of 0.0.0.0. This method can work to receive packets from behind a firewall with a SOCKS 5 server. Since this doesn't use ICMP it's not affected by itrace.
2. You send packets inside of an ICMP message to a random host on the net. The ICMP return address contains your target host. This is the most secure method, but you could end up pissing off some unwilling participants. You can reduce this by spreading the packets across a lot of hosts.
The astute reader will note that both methods use lossy transmission (UDP and ICMP). So a communication channel must be setup where the target can report lost/missing packets. Since this protocol is specific to file transfer, lost packets don't need to be reported individually and so they are clumped together and passed around a chain of computers (ala a gnutella-like network). The sender eventually gets the updates and resends the remaining packets.
Itrace could possibly affect method #2, making it easier to trace a packet back to the source. But it really cannot isolate the sender to more than a subnet unless it is installed everywhere. There is too much equipment out there now that will never be replaced to make this a reality.
Great, another reactionary response to a well reasoned post. Most of us don't want to take your precious guns. What most of us want is some form of regulation that governs the ownership of all types of firearms. We want these regulations to help keep guns OUT of the hands of criminals. If all manufacturers and gun dealers were held accountable for all of the guns that they sell and manufacture, you can be sure that the guns in the hands of criminals will be greatly reduced.
If I use a car, knife, spoon to commit a crime should the manufacturers of these objects be held accountable because I am a criminal?
Many legal gun owners feel that regulation is to keep THEM in check, and have some paranoid notion that the government will someday roam the country, dumping everyone's guns in a big dumpster. Wrong. The logistics of such a suggestion will never be possible.
I am sure the residents of Australia thought the same thing until they had to watch their guns being destroyed by the thousands. Legal gun owners think the regulations are there to keep them in check because they are the ones that will follow the law. Which makes them the only ones that will be affected.
In any major city in the US, criminals buy guns from two sources. Disreputable-but-licensed gun dealers, and pawn shops. There is no Miami Vice-style gun dealer pulling up in the 'hood in a Ferrari to show off the latest rocket launcher. In nearly every case, it is Billy the Hoodrat who buys a trashbag full of $50 guns from some disreputable licensed dealer.
It is clear that regulation, licensure, and recording of all sales through a licensed dealer, will create a trail from a gun's manufacture to disposal, which can only serve to keep the guns out of the hands of criminals, while hardly impacting the right to own a gun.
I don't know first hand how most criminals get the guns they use; I would however guess it was by breaking one of the many laws that are already in effect. I have seen first hand that criminals will break into a house and steal only a firearm. It always amazes me that people think passing a new law will magically make criminals behave and stop breaking the laws. We call them criminals for a reason. Why don't we enforce the laws that already exist? Let some harmless pot-heads out of jail to make room for real criminals.
This has no privacy implications. All useful IP packets have valid source addresses, so you know where they came from. With an invalid source IP address, you'll never get an answer, and can't open a TCP connection. All this affects is packets with forged IP addresses.
It's a sampling system. The recommended sample is 1 in 20000 packets. Until someone has sent you substantially more forged packets than that, you won't be able to trace them. So it's useful only against massive denial-of-service attacks.
It won't help much in finding systems on LANs. It will identify the LAN's router to the outside world, but unless the LAN's router fully supports Itrace with reverse Ethernet lookup, it won't identify the source machine.
Effectively, this means you'll have a box or router feature that reports the sources of major IP source spoofs. It doesn't provide any means of dealing with the problem. It tells you whose hacked system needs to be fixed, and where their upstream router is so they can be disconnected.
It's not automatic. There's nothing in this that actually stops an attack.
So it's a useful first step, and the one that has to be widely deployed before anything else can be done. Good work by the IETF.
This may allow detection of most kiddies with their DDoS and fries kit downloaded from McHacker, but you can easily avoid detection by using onion routing.
See www.onion-router.net for information, although they have just taken their net offline as they have concluded their experiment.
To quote:
The Onion Routing research project is building an Internet-based system that strongly resists traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routers themselves). It prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network.
Before going off and criticising this, take note of these two points:
1 in 20,000 packets will be affected. So it's not as if every packet you send is affected.
All it does is send what the router knows of the packet to the destination.
In other words, if you are surfing slashdot, every once in a while, slashdot will get an itrace packet saying that 1.2.3.4:1234 destined for slashdot.org:80 was routed through me.
However, if you are surfing slashdot, then slashdot ALREADY knows your IP address. This only affects you if you use spoofing to send packets out. And remember, spoofing is (basically) connectionless. You can't connect to a website and get a page (or even request a page) with a spoofed IP address. You can only send out individual packets that have a spoofed from address.
So, how does this affect my privacy? Well, if I do lots of DOS attacks, or spoofed portscans, then occasionally the site I'm attacking will find out some of the routers I'm going through. If I'm a regular Joe Bloggs, surf porn sites on company time, and generally do things I don't want the public to know about, then some of the places I visit will find out occasionally which router I go through. However they can get this information really easily via a standard traceroute.
So in the end, it has VERY LITTLE effect on privacy, except for those who are trying to spoof their return address (and spoofing your return address is 90% of the time used only in attacks; occasionally it could have a legitimate purpose, but if it did, then you shouldn't care if the other site figures out who you are).
As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.
Oh, that's one thing: if the authentication isn't good enough, then you'll be able to fool some sites into thinking you are routing through a different router. However this only brings us back to square one, no further.
---
--
I used to have a funny sig, but slash cut it off, and I forgot what the punchline was.
Had you read the story that was linked to in the article, you would have read that itrace messages would only be sent for 1 out of 20,000 ICMP packets. Because of the size limitation of ICMP packets, they are only useful for diagnosing network problems, or as we have seen, for flooding a site to a point that it is unusable, or as we call them, Denial of Service attacks. Besides, unless you're IP spoofing, the administrator of the target network can already figure out where you're pinging or tracerouting from. The same is true for about any type of IP connection you make. Itrace really has no effect on privacy. It does, however, have an effect on people IP spoofing and launching DoS attacks. Besides, I'm not entirely sure that I'm not responding to a troll. :)
There used to be a time when it was normal that netizens could be traced back and identified. The advent of dialup accounts and free providers have put an end to this, and I've always felt that that was a Bad Thing for the Internet. You now have all sorts of anonymous cowards who conduct mischief and are a nuisance.
I'd say that every initiative to restore a bit of the old traceability paradigm is an initiative to be welcomed. If you can't stand that, you have the option of not using our (the other netizen's) infrastructure. In that case I wish you good riddance.
Re:Alternative measures
by
Jon+Erikson
·
· Score: 1
Maybe it's time to restrict who has access to the roads.
Isn't that what driving licenses are for? I'm suggesting a similar thing for the net. You wouldn't let your 5 year old son drive a car, why let him online? Both are dangerous in their own ways.
You further make the insidious claim that average AOL users are script kiddies; this is a cheap, elitist attack that doesn't in the least help your argument: AOL users aren't anonymous.
What have AOLers ever added to the net? Even if they're not all hackers and script-kiddies, they're certainly a drain on bandwidth. Remember how the net was ten years ago?
We don't want our kids to read about bomb-making until they reach the age of 18 and are magically wise.
Well frankly, no. Kids can't be trusted to make the right decisions until they grow up. Why do you think we have age limits on things?
the nations of the world would unite behind a plan to make the Internet available only to the master race.
I think you're overreacting - all I'm after is a bit of politeness and less script-kiddies, not for some fascist dictatorship in control of the net.
Seriously, why are you so intent on kicking off users?
If you were in a restaurant and someone starting kicking tables over, they'd get thrown out. Same principle. Besides, prevention is always better than a cure, and it is prevention that I'm in favour of.
1) itrace packets are only sent for approx 1/20000 packets through a router, greatly reducing any traffic analysis benefits from monitoring itrace packets
2) the packets go to the destination. So only your destination and points between can read the itrace packets, but they can read your packet anyways, so no biggie.
Ergo, the only time an itrace packet will tell anyone anything more than they would know by looking at the IP header of your TCP packets is in the limited case where the IP address on the packet is forged.
Now why, you might ask, would you want to forge an IP address? Good question. Remember if your IP address is wrong, no return traffic will reach you. The 2 cases I can think of are:
1) doing a TCP hijack attack, and due to the probable low volumes (telnet doesn't generate THAT many packets) in the hijack stream the chances of getting caught by an itrace packet is pretty slim.
2) performing a DOS attack, which is pretty much totally evil.
3) doing a portscan with a decoy. You might get your fingers slapped here. Life's a beach.
So, as far as playing on gnutella, or posting as AC on slashdot is concerned, you don't lose anything to itrace in terms of anonymity that you hadn't already lost by having your IP address on a packet.
I hope that clears things up somewhat and avoids a flame or two.
---- Remove the rocks from my head to send email
-- On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
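An added simulation (not code from this thread or from the IETF draft) of the 1-in-20,000 per-router sampling the last two posts describe, which also answers the "last mile" question raised later: each message records the link the packet really arrived on, so the forged source header never enters the picture. Assumptions: every router samples independently per packet; a message carries the router, its back link ("prev"), its forward link ("next") and the traced packet's source; the router names and the topology are made up.

```python
import math
import random

SAMPLE_RATE = 1 / 20000  # per packet, per router (assumed independent sampling)


def sampled_packet_indices(n_packets, rate, rng):
    """Indices of the packets one router picks for an itrace message.

    Equivalent to a Bernoulli(rate) coin flip per packet, implemented with
    geometric skips so that simulating hundreds of thousands of packets is cheap.
    """
    hits = []
    i = -1
    while True:
        u = rng.random()  # in [0, 1), so 1 - u is in (0, 1] and the log is defined
        i += int(math.log(1.0 - u) / math.log(1.0 - rate)) + 1
        if i >= n_packets:
            return hits
        hits.append(i)


def run_attack(path, n_packets, rate=SAMPLE_RATE, seed=7, spoofed_src="10.9.8.7"):
    """Simulate a flood with a forged source address along `path`.

    path[0] is the attacker's real access link, path[-1] is the victim and the
    interior entries are routers.  Each router samples independently; a message
    carries the router's identity, the link the packet arrived on ("prev"), the
    link it was forwarded to ("next") and the packet's (forged) source address.
    The field names are assumptions, not the draft's wire format.
    """
    rng = random.Random(seed)
    messages = []
    for hop in range(1, len(path) - 1):
        for idx in sampled_packet_indices(n_packets, rate, rng):
            messages.append({
                "router": path[hop],
                "prev": path[hop - 1],  # the real upstream link, whatever the header says
                "next": path[hop + 1],
                "packet_src": spoofed_src,
                "packet_index": idx,
            })
    return messages


def routers_seen(messages):
    """Routers that reported at least once: the first thing the victim learns."""
    return {m["router"] for m in messages}


def reconstruct_path(messages, victim):
    """Chain reported links backwards from the victim toward the attacker's access link.

    Returns the recovered path in forward order.  It stops at the first gap, which
    is what happens when a router on the way never sampled or does not run itrace.
    """
    upstream = {}
    for m in messages:
        upstream[m["next"]] = m["router"]
        upstream[m["router"]] = m["prev"]
    chain = [victim]
    while chain[-1] in upstream and upstream[chain[-1]] not in chain:
        chain.append(upstream[chain[-1]])
    return list(reversed(chain))


def expected_messages(n_packets, n_routers, rate=SAMPLE_RATE):
    """Mean number of itrace messages the victim receives for a flood of n_packets."""
    return n_packets * rate * n_routers


def packets_for_confidence(n_routers, confidence, rate=SAMPLE_RATE):
    """Packets needed before all n_routers have reported at least once with
    probability >= confidence, solving (1 - (1 - rate)^n)^k >= confidence for n."""
    per_router = confidence ** (1.0 / n_routers)
    return math.ceil(math.log(1.0 - per_router) / math.log(1.0 - rate))


if __name__ == "__main__":
    # Constructed topology: the attacker's access link, five routers, the victim.
    path = ["attacker-link", "r1", "r2", "r3", "r4", "r5", "victim"]
    flood = run_attack(path, 400_000)
    print(len(flood), "messages; routers seen:", sorted(routers_seen(flood)))
    print("recovered path:", reconstruct_path(flood, "victim"))
    trickle = run_attack(path, 100)
    print(len(trickle), "messages from a 100-packet session")
    print("packets for 99% full-path coverage:", packets_for_confidence(5, 0.99))
```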
...so could someone explain how this works? Specifically, what about the "last mile"? I think I understand that "once in a while" a router will send some extra info with a packet saying who IT got the packet from. But if I'm spoofing, won't the FIRST router be wrong to begin with? Or does my connection to the first router have to be legitimate in order to insert fake packets?
In any case, this doesn't really solve the problem. The black hats can still crack large numbers of machines (as long as, if they are spoofing to do so, they do it in under 20,000 packets) each of which can launch a non-spoofed DoS attack. No sysadmin is going to trace each of these DoS'ers back individually. And it can't be automated, remember, because the large set of machines is not spoofing. -- Give us our karma back! Punish Karma Whores through meta-mod!
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
The Technology exists already
by
Tinfoil
·
· Score: 1
As TheZombie says, egress filtering can be used to stop spoofed IPs. That's not tough. There is also a product called GaurdianNT (yes, NT, though I am sure there are comparable products for other platforms) that will allow an admin to allot a certain percentage of bandwidth to each computer hooked up to a network. That combined with filtering and education for the admin (cuz come on, would any of your networks have been broken into and had these "zombies" installed on your machines?) would solve the problem.
The problem is not the architecture of the internet, it is due in large part to ignorance. A lack of knowledge on your own networks security and a lack of knowledge about the tools available to you.
Privacy is a right; it's also a bit of a luxury in certain circumstances, but it also causes a lot of hassle as it empowers vandals.
But what it comes down to is that there is no equivalent of putting airbags in cars for the internet at the moment and we nevertheless want to stop the DoS attacks, therefore we go at the problem with the only lever we have available to us - removal of anonymity.
I wonder if removal of anonymity is the same as removal of privacy. We have no right to anonymity as far as I know, and only by arguing that the two are the same can we justify keeping the internet untraceable. Hmm - what do you think?
Recently, most DOS attacks have been difficult to stop due to a flaw in the stable cisco IOS versions, which allowed non-initial fragments through, even if you only had one "deny all" access list. Cisco has been working on this and a fix should be widely spread soon. However, I am not sure how those itrace ICMPs will tackle partial IP packet DOS, which mostly result in CRC errors on the attacked host. Resolving the spoofed attacks problem is certainly a good step forward, though. As of now, the only way to do it is to trace the packets from one router to the other until the source of the traffic is reached. Too often, this source is itself a victim (hacked host). Besides, going from one router to the other requires coordination between ISPs, which... has not been successful so far. DH.
I'm sick and tired of good intentions being used to defend bad plans. People have gotten away with taking our guns (protected by the Third Amendment) and our freedom of speech to talk about drugs (protected by the First Amendment). We can't let them take our right to privacy too.
The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.
If you understood the technology here, you would realize that UNLESS YOU'RE USING IP SPOOFING, ITRACE WILL NOT AFFECT YOU. All that ITRACE does is make IP SPOOFING much more difficult. The majority of net users do not use IP spoofing. And the majority of net users who do use IP spoofing ARE using it to do illegal things.
The ability to know the IP of the person sending you packets is NOT a privacy violation. There are already ways to send information anonymously; what possible use could IP spoofing have?
Uh, if you have that kind of power..
by
defile
·
· Score: 1
If you're in a position to dictate to the world what protocol it will now adopt in newer versions of their router software, why attack it with ICMP Traceback? Why not just make it a mandatory router policy to drop packets that couldn't possibly be outgoing packets if they came over a given interface?
For example, some ISPs (like us) have border routers that drop packets that have a source address different from the netblock that ARIN assigned us.
Yes, the problem here is that it's difficult to get 100% of the world to do this. How exactly would ICMP traceback have any better luck? It does less to solve the problem and still faces the same penetration issue.
If you made it impossible to spoof packets, attacks like smurf would become impossible and other attacks (such as SYN floods) would become much more difficult.
*shrug*
It sounds useful, but I can think of better ways to stop DoS attacks.
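The border-router policy described in this post, as an added example that is not the poster's or any ISP's configuration: a per-interface check that drops any packet whose source address is outside the netblock assigned to the interface it arrived on (the practice RFC 2827 / BCP 38 standardises). Interface names, address blocks and the traffic sample are constructed; documentation ranges stand in for a real ARIN allocation.

```python
import ipaddress
from collections import Counter

# Constructed policy: the address blocks the ISP was assigned, keyed by the
# customer-facing interface they live behind (documentation ranges, not a real
# allocation).
EGRESS_ACL = {
    "cust0": ["192.0.2.0/24"],
    "cust1": ["198.51.100.0/24", "2001:db8:1::/48"],
}


def compile_acl(acl):
    """Parse the prefix strings once so each packet check is a cheap membership test."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in acl.items()}


def egress_allowed(src, iface, acl):
    """True only if `src` parses and lies inside a prefix assigned to `iface`.

    Everything else is dropped: an unparseable source, an unknown interface, an
    address-family mismatch, or a valid address that belongs behind a different
    port.  None of those can be a legitimate packet from that interface.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in acl.get(iface, []))


def filter_packets(packets, acl=None):
    """Split packets into (forwarded, dropped) lists using the per-interface ACL."""
    compiled = compile_acl(EGRESS_ACL if acl is None else acl)
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if egress_allowed(pkt["src"], pkt["iface"], compiled) else dropped
        target.append(pkt)
    return forwarded, dropped


def drops_per_interface(dropped):
    """Drop counts per interface.  Unlike an itrace message, which reaches the
    far-end victim only after many packets, this tells the first-hop operator
    immediately which customer port is emitting forged sources."""
    return dict(Counter(pkt["iface"] for pkt in dropped))


# Constructed traffic sample (not captured data).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.80", "iface": "cust0"},        # legitimate
    {"src": "10.0.0.1", "dst": "203.0.113.80", "iface": "cust0"},          # forged source
    {"src": "192.0.2.10", "dst": "203.0.113.80", "iface": "cust1"},        # our block, wrong port
    {"src": "198.51.100.7", "dst": "203.0.113.80", "iface": "cust1"},      # legitimate
    {"src": "2001:db8:1::5", "dst": "2001:db8:ffff::1", "iface": "cust1"}, # legitimate IPv6
    {"src": "not-an-ip", "dst": "203.0.113.80", "iface": "cust0"},         # malformed
    {"src": "203.0.113.9", "dst": "203.0.113.80", "iface": "cust0"},       # not ours at all
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}, per interface: {drops_per_interface(drp)}")
```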
First Echelon, then Carnivore, and now yet another attempt to track the actions of average citizens on the Internet.
Wait, I thought they said "perpetrators of DDoS attacks".
Sure, stopping DDoS attacks sounds good in theory, but so does stopping "child molesters" or "foreign spies."
Uh.... Those sound good in practice, too, I think. Do you have any reasons to the contrary?
Like we need more information about ourselves being handed out online.
Like anyone even cares about what you do online. I'm constantly amazed by the number of Slashdot readers that have delusions of government agencies tracking their every move online, reading their every email, and so on. "They" just plain don't care about most of you. Get it? It may be comforting to have these delusions that you are somehow significant, but I'm pretty sure that nobody here is important enough for "them" to care about.
And then there's the everpresent question of just who "they" are.
I'm sick and tired of good intentions being used to defend bad plans.
Well, that's wonderful, but I don't see any good plans coming from you. If you don't like the plan, come up with a better one.
People have gotten away with taking our guns (protected by the Third Amendment)
Second.
We can't let them take our right to privacy too.
Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."
The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.
The majority of citizens do not commit murders. Therefore there is no need for a police homicide unit.
Someone please explain this to me. This is intended to hamper DDOS attacks, right? But in a wide-scale DDOS attack the attacker has compromised tens or hundreds of computers in different subnets with totally different locations. So if he sets these boxes to start DOSing each at a certain time one after another each using a dynamically spoofed IP, what good is it to know where the attack is coming from if you're having hundreds of attacks from hundreds of subnets coming at you in a short interval of time? How are you going to shut them all down instantly to stop the attack?
Karma Police, arrest this man, he talks in maths He buzzes like a fridge, he's like a detuned radio
--
End of one problem, start of another and another..
by
ADRA
·
· Score: 2
I would like to shed another point that could possibly make this itrace ICMP message quite useless, or destructive. Note, I am not an expert on the workings of the ICMP itrace packet. I just know enough of IP and the workings of routing / firewalls / ICMP to see there may be flaws in IETF's planning.
1. Possibility for using itrace messages for malicious attacks
Because the ICMP packet is just another IPv4 packet, there is just as likely a risk that the originator can use this packet type as a way to DOS a system, by flooding the system with itrace packets, like smurf (http://www.cert.org/advisories/CA-98.01.smurf.html), etc..
By opening a new, valid form of ICMP, firewalls that are used to block all non-productive ICMP traffic will have to be changed to block iTrace packets, hence eliminating its use.
2. The ways to stop itrace from working
The itrace packet will be susceptible to the same ills of source spoofing that any other packet could be. If one wishes to stop an itrace packet from finding the source that sent it, the originator could send a slew of itrace packets from varying sources, making any response useless.
3. The effects to routers and IP Stacks
In order to implement itrace effectively, all IP Stacks and Router software in the world may have to be changed to allow the tracing of these new message types. Firewalls shouldn't have a problem letting them through as long as the ICMP 'type' field can be specified in a filter. If itrace is not implemented directly into the stack, some stacks may throw the packet out as being 'mal-formed', which is another form of network attack.
4. Firewalls, NAT's, and the risks that itrace poses
The point of a firewalled system is so that hosts behind the wall will become protected, or even anonymous to the world at large. There are two decisions that network engineers have when the itrace packet is implemented.
They can let the packets enter the firewall, and run free. This can lead to DOS and smurf like attacks inside the network, and could cause a good deal of havoc. Also, letting itrace packets in and out of a firewall could seriously jeopardize the security of the private network, by using the itrace responses to reconstruct the layout of the internal network.
The other choice was to block any itrace packets from entering a firewalled system. This is what admins will likely do for security reasons. When a itrace request to find a host enters the firewall, the best that would happen is that the firewall would bounce a negative response saying that the firewall wouldn't let the ICMP message in. The worst is that the itrace message just gets discarded, in which case, the source of the itrace message has no idea why the trace failed.
5. Changes to IP Stacks and server/router loads
The problems presented had to do with a system that has been accepted and implemented. This problem has to do with the feasibility of such a system.
Just imagine a root router. It is pumping out hundreds of thousands of packets a minute. All of a sudden, a spoofed packet enters the router, and the leaves to its next hop, which is a host that the packet is DOS'ing. The router has to know which 'home' that the spoofed packet came from. That means that the router will have to keep track of every packet that comes and goes from the machine, in order to properly route the itrace packet to its next hop.
Conclusion
So, now I hope you all can see the ills that the itrace packet type will lead to in the scheme of things. My best suggestion would be to wait until IPv6, when all routers, firewalls, and IP Stacks will be rewritten. At that time, architects could find reasonable ways around such a problem.
What we need, therefore, is a sensible way of preventing the 15-year-olds with a lack of sense from causing damage.
Hence, a solution that makes the Internet itself less vulnerable to this sort of attack is to be preferred to anything that leaves the overall vulnerability of the Net at its present level and only aims at revealing the intruder.
Anything else would be like not installing airbags in cars, but instead threatening drivers that cause accidents with more severe punishment. It may serve the cause to some extent, but the alternative is definitely preferable.
-- As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
This is so far from being a perfect solution that I'm bound to miss something out of this reply, but here goes.
Exactly how do you restrict access to the internet without binding an IP address to a person even more closely, thus losing any chance we had at anonymity?
If you want a private network, why don't you set up an isolated MAN? You will be free to enforce whatever screening process you desire - but leave the internet out of this.
I don't think you're trolling - but you don't seem to understand that personal morality is personal.
Hamish
-- "Wise men talk because they have something to say; fools, because they have to say something" - Plato
Re:egress filtering - Totally right
by
Ice+Tiger
·
· Score: 3
This would stop address spoofing right now; all ISPs should implement this. So what are the chances of getting ISPs to roll out itrace if they don't even bother to try and fix the problem in the first place?
I know I won't be popular here on /. but maybe a few lawsuits against ISPs not implementing egress filtering might change the current situation. Maybe implicating them due to negligence or some such.
-- "Because we are not employing at entry level, offshoring will kill our industry stone dead."
Most famous [D]DOS attacks were against Webservers
by
marat
·
· Score: 1
Never heard about a DOS attack against an LDAP server :-))). Most FTP servers have a limited number of users and DOSing them is no problem but nobody cares. HTTP is vulnerable because of its public nature.
Most big web-servers are dedicated.
You can not prevent public services from being abused by legal requests as you can not prevent me from posting you 30Kg of potatoes. DOS attacks usually use ill-formed requests which we can get rid of.
There're only a few web-server programs available (mostly apache:-)) and modifying them is no problem.
Updating web servers is much easier than changing all routing because web servers are being updated frequently anyway (we can use the ipv6 transition for routing however).
Changes take effect immediately, not in 18 months.
Every secretary using MSWord wastes enough resources
Your post is such nonsense that I hardly know where to begin.
So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the script-kiddies.
<sarcasm>So what is to be done? Maybe it's time to restrict who has access to the roads. Since companies like Ford made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in stoplight-running, wrecks and general abusive behaviour. If people were not allowed to access the roads unless they fit certain criteria we could reclaim it from the infidels.</sarcasm>
You're confusing causation and correlation. It's also happened since (a) script kiddie tools became widely available, (b) users with significant home bandwidth have become common, (c) non-web media have given attention to, and to an extent glorified, 31337 behavior, and (d) 17" monitors became popular. You further make the insidious claim that average AOL users are script kiddies; this is a cheap, elitist attack that doesn't in the least help your argument: AOL users aren't anonymous.
What criteria would be appropriate is the next question. Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.
<sarcasm>Right! What we also need to do is restrict libraries to adults 18 years of age or older. We don't want our kids to read about bomb-making until they reach the age of 18 and are magically wise. There's so much offensive material in the library, after all.</sarcasm>
Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.
<sarcasm>Another great idea! Let's create some powerful organization to kick impolite people (by their judgment) off the net. Also this organization, which everyone would gladly accept, would be empowered to remove inferior users. All the nations of the world would unite behind a plan to make the Internet available only to the master race.</sarcasm>
Seriously, why are you so intent on kicking off users? It's childish and vindictive behavior. It's neither practical, nor IMHO desirable in a free society.
--
--
Gates' Law: Every 18 months, the speed of software halves.
It only takes one router between the attacking host, and the victim host to have the right filter to stop the spoofed packets.
With itrace, if only one router in between is logging packets, all you will know is that the packet came through that router, so you are only slightly closer to the original source, especially if that router has several networks connected to it. With egress, that same router will have stopped the spoofed packets.
I'm sick and tired of good intentions being used to defend bad plans. People have gotten away with taking our guns (protected by the Third Amendment) and our freedom of speech to talk about drugs (protected by the First Amendment). We can't let them take our right to privacy too.
Another constitutional problem. Okay, here we go...
First of all, the amendment related to guns is the second. Next, that amendment does not give you as an individual the right to own or carry a gun. It gives the states power to arm their militia. By law, this means the national guard. No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun. This view has been consistently upheld by the Supreme Court, most directly in US v. Miller, 307 US 174. For a more in-depth analysis, see The Politics of Gun Control, Robert J. Spitzer.
The free speech issue is trickier, and I tend to agree with you that it's an unconstitutional prior restraint on free speech. The SC has held that unconstitutional for most of the century, and the current court is on a defend-free-speech-and-reduce-the-power-of-Congress roll, and would likely strike that law down if a challenge reaches them. I'm sure the ACLU is pursuing this.
Now, the much quoted "right" to privacy is a tough one. First, there is no right, as there is a right to free speech. Privacy is not in the bill of rights, nor protected elsewhere. However, in deciding Roe v. Wade 410 U.S. 113, the Court said there was a "zone of privacy" created by the Third, Fourth, and Fifth Amendments. Only personal rights that can be deemed "fundamental" or "implicit in the concept of ordered liberty," Palko v. Connecticut, 302 U.S. 319, 325 (1937), are included in this guarantee of personal privacy (quoted from the Roe v. Wade decision). This means your surfing with the illusion of anonymity is not protected, and launching a DDoS attack most certainly is not.
The constitution is the highest law of the land. Try and understand it before you spout off about it. /rant
the itrace solution requires every tech which ever had configured a router to upgrade that router anyway,
Please point out where you got that idea !
The itrace solution is a tool to help track down the source of the attacks, and as such only requires a few (~30%) routers along the route to have it installed. Heck, it's even enough that *one* router has it installed, as long as it's the *right one*. The fact is that the itrace solution does not require everybody to install it to be helpful, and that's where it differs lightyears from currently proposed solutions (i.e. filtering at the originating site).
-- Why pay for drugs when you can get Linux for free ?
> Heck, it's even enough that *one* router has it installed, as long as it's the *right one*
Guess what? It won't be the right one.
And even if you managed to get the original address, chances are you'll just find a cracked box somewhere. That won't be worth any dollar you'll invest to implement the protocol in any router.
-- Ni!
Alternative measures = Education!
by
pjmarron
·
· Score: 1
It's amazing how much crap, stereotypes and prejudices are hidden in a comment like the one you just wrote...
So what is to be done? Maybe it's time to restrict who has access to the net.
Right, and who is going to be responsible for determining who is allowed to stay and who should go? Are you going to be that person? Why should you be allowed to access the net if it really is just a place for offensive material?
Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.
Wonderful! First of all, I don't see how anybody can enforce that, and even if you could, nobody should dictate whether or not my 10 year old son is allowed to surf the internet. That is for me and my wife to decide, and should be based on the level of maturity, respect and tolerance that a particular person has, not merely on age.
Secondly there should be some kind of examination process to weed out those people who aren't desirable.
The only "examination" that would work is to educate the people using the Internet properly. And by properly I mean that they learn the values of respect and tolerance for all those other cultures, groups of people, ethnicities, etc. that are able to coexist in the Internet thanks to precisely the opposite of what you are advocating: NO big brother imposing his/her criteria upon them.
The "perfect solution" that you talk about is pretty clear. Live and let live. Be tolerant and open as to what you can find and learn from other people, and don't think that you have even a glimpse of the truth, because the truth as such does not exist.
This itrace crap will be used for legitimate traceroute type stuff and I imagine for network mapping also. Anyone have any ideas on how this can be used in a sysadmin's network toolkit (besides finding DoS attacks)?
Isn't that what driving licenses are for? I'm suggesting a similar thing for the net. You wouldn't let your 5 year old son drive a car, why let him online? Both are dangerous in their own ways.
Perhaps a better analogy would be a library or a sidewalk. I wouldn't let a 5 year old son read any book or cross the street alone, but it's not all or nothing.
What have AOLers ever added to the net? Even if they're not all hackers and script-kiddies, they're certainly a drain on bandwidth. Remember how the net was ten years ago?
Yeah, I remember. It was small, and hard to find information unless it related to Unix or particle physics. AOL users have added a tremendous amount of content. While it's possible that the content contributed by the average AOL user is not as high as the average non-AOL user, the net ten years ago isn't something I'd prefer to return to.
If you were in a restaurant and someone starting kicking tables over, they'd get thrown out. Same principle. Besides, prevention is always better than a cure, and it is prevention that I'm in favour of.
Script kiddies do get kicked off. However, the Internet is not a restaurant. A restaurant has a single owner or manager on location at all times. The net is more like a public square. If someone's committing a crime, they'll be removed, but if someone isn't contributing anything to the public discussion, no one advocates that they be forced out. (Nor must you be 18 to be seated at a restaurant, or participate in the public square.)
--
Gates' Law: Every 18 months, the speed of software halves.
Re:Goodbye anonymity - not exactly
by
Tough+Love
·
· Score: 1
Not exactly. Note that the information is recorded statistically in the headers. If you only send a few packets like a normal human being you won't be particularly traceable. On the other hand, a massive download is going to be quite traceable and therein lies an important question from the point of view of anonymity.
Now, in particular, this development is as inevitable as people locking their doors and putting in security cameras in a big city. There is *no way in hell* that we will be able to prevent it. I'm of two minds about it. On the one hand, I am a big supporter of the principle that the only way to guarantee freedom of speech on the net is to have technologically-enforced anonymity. On the other hand, I think script-kiddies are scum of the earth. On the third hand, I think script kiddies, like roaches, at least perform the useful function of showing us where the weak spots in the net are.
-- When all you have is a hammer, every problem starts to look like a thumb.
Correct me if I'm wrong, but from the article, we're looking at a best case of two years before we see this. They say that they're only presenting in January 2001, and:
In the best-case scenario, the itrace rollout will take 18 months.
In that time, shouldn't we be approaching IPv6 time anyway, and doesn't IPv6 already have a mechanism in place to prevent spoofing of address headers, making the trace a lot easier using traceroute? Maybe I'm being thick, but this looks redundant before it even gets going.
1. True.
2. Well, you can still _trace_ across any router, the routers just will not be sending the itrace packets, so you will not be able to get any more information about the traceback from this router. Other routers before and after that router which have itrace capability will, however, still report itrace packets.
3. Why would you care about an "odd spoofed packet"? The whole issue here is DDoS attacks, which by their nature have hundreds of thousands of packets, more than enough to get a good traceback. Plus, the more severe and large the DDoS attack is, and therefore the more prominent it is, the easier it will be to trace back.
Read the article.
//Phizzy
-- "Most European technology just isn't worth our stealing," -- Former CIA chief James Woolsey, referring to Echelon
It wont be a burial, tho. They're just gonna leave me there where I land..There'll be no grave to dance on. You're welcome to ride the water slide, tho. I figure the videotape sales will cover the cost of building the slide and everything else.
I don't plan on charging admission, tho. I believe in open-source funerals. You're welcome to attend for free, but show up early -- parking's a bitch here in Tucson.:)
-- Bowie J. Poag
The Problem is upstream ISP's
by
MeNeXT
·
· Score: 1
Hmmmm..... Let's see.... I'm an ISP. I install this on my router. A DoS attack begins from some of my clients' systems. (Let's say these clients don't care about security.)
I start getting calls from an ISP about DoS going through my router.
Options available to me:
1. Shut down the client's access.
2. Uninstall features on the router.
3. Spend endless effort to secure my clients' systems.
4. Use current technology and stop relaying of spoofed IPs which do not belong on my network. Advise the client his system was hacked.
Option 1. Will cost me a great deal of money. The client will go to the competition. Problem not resolved. DoS attack continues.
Option 2. Costs me nothing. Saves headaches due to downstream ISPs' problems (since my router is not the one reporting the problem).
Option 3. Not!!!! Who works for free? It will always lead to option 1.
Option 4. If I am knowledgeable enough I would have installed this software/feature/configuration a long, long, LONG time ago.
We have the solution already. We need a means to enforce it. I guess a lawsuit here and there is what we require to force all ISPs to implement option 4.
If the upstream ISP's do not cooperate, DoS attacks are here to stay. Sad fact.
-- DRM? No thanks, I'll just get it somewhere else...
As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.
Some kind of authentication can be achieved using packets that are transmitted with a TTL of 255. If you get a packet with a TTL of 254 there is no way it could have been sent from a host further than one hop. Lots of routers need to be upgraded for itrace, but ALL routers decrease the Time-To-Live field. I wonder how this could be effectively extended to longer distances.
--
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Isn't that what driving licenses are for? I'm suggesting a similar thing for the net. You wouldn't let your 5 year old son drive a car, why let him online? Both are dangerous in their own ways.
I don't think that age is necessarily the correct criterion here; maybe some sort of exam instead. I know plenty of 18+ year old people at work who can't even handle not clicking on an email that's a virus, whereas I'm sure there are plenty of 10 year olds who have figured that out. A 5-year-old behind the wheel is a danger to others, but a 5-year-old loose on the Net can really only hurt themselves. And with proper parental guidance, that danger can be minimized. As far as stuff that children shouldn't know about, I'll be making that decision for my children, thanks very much.
Unless you live in Texas, where, I believe, you have the right to bear arms and create your own private/state militia. Like it or not, I think Texas is the only state where that's expressly granted.
Re:Alternative measures
by
electricmonk
·
· Score: 1
Don't worry, this guy is just a troll. Remember, NPO stands for Natalie Portman Obsessives.
Don't Feed The Trolls.
-- Friends don't let friends use multiple inheritance.
Restricting people like Joe Sixpack unless they meet some kind of strict safe-driving criteria wouldn't be too bad of an idea to me... perhaps it'd keep the morons off the road a bit? well probably not... but anyway...
What's the difference between this and a digital telephone exchange that knows where you're calling from. When people got bogus or malicious calls, companies created a system whereby those calls could be traced within seconds. That's a good thing. Your right to privacy over the telephone is gone already, and nobody's crying about that. What's the difference between that and this particular point-to-point connection system? Surely it's the privacy of the content that matters, and not your ability to send stuff to people without their knowing who it is that sent it?
Ok - so you want to browse anonymously.. Well firstly, why? I don't see the point. Secondly, nothing's stopping you - do the same as you would if you wanted to make an anonymous telephone call - use a phone box, or a public internet access point.
I'm stirring a little, but I get tired of people pouring their bleeding hearts over rights in the internet arena that they lost in other arenas years ago. They're not complaining about the postmark on their snail mail, or the telco's ability to see their phone numbers, or the CCTV in every store they "browse" in, or the bank recording every time they use their credit or debit cards, along with the name of the shop, time, place and everything else. You don't want to be on the store's CCTV tapes, don't go in.
Another attack on anonymity from the very people responsible for the architecture of the net. Is this what the net is coming to? Unfortunately, I think it is - just look at the recent attack on kuro5hin for an example of the childish, vindictive behaviour some people seem to delight in.
Anonymity is a desirable feature online, but it is one that is ripe for abuse. Whilst it allows people to use the net without fear of some "Big Brother" organisation storing their every click it also allows 15 year-old kids to DDoS websites with impunity. Getting rid of anonymity is one solution, but it's one that will do more harm than good.
So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the script-kiddies.
What criteria would be appropriate is the next question. Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.
Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.
This isn't a perfect solution, but I doubt there is one. Still, we need to do something and this could be it.
How does this compare with the other ideas for traceback, one of which is at http://www.cs.washington.edu/homes/savage/traceback.html?
This paper has some good ideas...
Dr. Demento On The 'Net!
Put a hyphen in it: i-trace.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Actually, it IS possible to IP spoof with TCP, though it's rather difficult to do anything. You basically send a TCP SYN to some site spoofed as coming from an IP that's not going to respond (and result in the connection being refused). You then assume the server is going to send a SYN/ACK, so you wait a bit and then send an ACK and poof, the connection is established. The only thing you can do from here is send information TO the system, since any information the system tries to send you will be sent into oblivion (a non-existent system), but this could easily be used to buffer overflow a system and either crash it OR prepare it for being hacked. Which is why these itrace packets might be useful for TCP as well as UDP/ICMP/any other IP-based protocols.
-- Sig (120 chars) --
Your friendly neighborhood mIRC scripter.
* Q
P.S. If you don't get this note, let me know and I'll write you another.
Well obviously... But that's impossible to defend against. You need to find the source of the DoS, and then contact them, and get them to find out how the attacker is using their box.
I completely agree that there are legitimate uses for anonymity. But I can't think of any legitimate reason for spoofing your IP address.
Maybe I'm just dense, but it looks to me like the Itrace proposal in no way compromises anonymity, but instead defeats (or tries to defeat) IP spoofing. And I can not see any good reason why this should be considered a bad thing.
3. Well, when the script kiddies use certain distributed flood tools, they initiate the DDoS attack by sending a few spoofed packages to the *infected* machines. Wouldn't it be interesting to trace the actual culprit as well, instead of just the victims?
In a society that believes in nothing, fear becomes the only agenda ~ Bill Durodié
First of all, if you read the article, only one in 20,000 packets directed towards a target gets logged. This is hardly every packet. Second, and probably more importantly, the cost of this upgrade in equipment and deployment is immense and is certainly not imminent. It stands to reason that companies with a lot to lose from a drawn out DoS attack would seek to protect their investments by adopting a technology that protects themselves. This type of protection is necessary if the fear of this type of attack is ever to be alleviated though. Perhaps a better alternative to tracing all the way back to the source might be the end station notifying routers along the routes it knows that this attack is taking place, and the routers could simply refuse to forward the packets from this source for a specified period of time. Think of it as a sort of anti-DoS protection that secures anonymity. Once again, this would be very costly to implement and is going to find much resistance from anyone who just bought that shiny new Cisco router. Perhaps an IOS upgrade could be done to achieve this without requiring new routers...
Russian Russian Russian RussianDollSig DollSig DollSig DollSig
For all the people who whine about 'privacy'.
There was never any guarantee on the internet that people couldn't trace where packets were coming from. The fact that IPv4 allows forged source addresses... well.. there was simply no need to check them.
Why would people have a problem with this? It means if you send spoofed packets, the routers along the way can *still* figure out where the hell it came from (instead of having an admin at each hop do the trace manually).
We were going to write an RFC and become famous.
Then we found that it was already covered in an RFC, already in the IP protocol as the "Loose Source and Record Route."
Force router companies and ISPs to use that particular header option, and the whole accountability problem is solved while preserving anonymity.
IP spoofing can ONLY SEND information. Its only use is ping flooding. It can't be used for HTTP (web sites), FTP, NNTP (newsgroups/USENET), SMTP or POP3 (email), or anything especially useful I can think of. All of the protocols listed above use TCP, which requires a two-way flow of information (TCP is based on *connections*, which require information to flow both ways -- they will NOT allow you to be anonymous, unless you have an anonymous proxy. Anonymous proxies are unaffected by ITRACE).
Well, the internet does NOT have that right now. There is NO way to receive information anonymously, on the internet. The only thing you can do is SEND it, and even then, the fact that you're sending it is ALREADY OBSERVABLE, it's just not being LOGGED.
That's okay. I forgive you.
Bowie J. Poag
ISPs can solve the spoofing problem RIGHT NOW with tools available today: egress filtering. The ISPs I run have egress filtering on ALL routers (border and internal) so not a single internal host can send a packet unless the source address is at least within the same subnet. Makes more sense to me than inventing another ICMP standard which requires all router manufacturers to update their software, and all ISPs to upgrade to the newer software.
I could not have said it better.
Thanks for bringing some light on that privacy whining.
Funny how the whining people just complain to their ISP when their ISPs are under attack, but they certainly don't want any new technology to solve that problem, in the name of "privacy".
Yeah, you need to give some of your privacy away if you wish to also get a way to trace back abuses to the source.
Every time I log on to my ISP I'm assigned a different IP address and I'm willing to bet that they don't keep a log of these.
:)
How much are you betting? I could make some easy money here
Email your friendly ISP and ask them what connection details they keep, and how long they keep them. Hint: Your username & the IP assigned to it, date, time, and connection time, are all part of it...
Syllable : It's an Operating System
Most decent dialup hardware is 100% digital anyway, so you have equipment sitting on ISDN lines capable of answering ISDN calls but serving up analog connectivity as well, so ALL calling numbers are available and can be logged or used in the fashion you mention. This level of logging is a common practice among most responsible ISP's.
I have never been bothered by a cop in NY. But then, I'm white and don't skateboard. :rolleyes:
Seriously, if you don't like it, move. Personally I'm GLAD that crime in NY has gone down so much. The racial profiling certainly needs to be toned down a GREAT deal (Diallo is a tragic example of this), but other than that I have no complaints about the NYPD.
Thank you.
4920616D206E6F7420656C6974652E
Remove the obvious to email me.
+++ATH0
Hey, you're welcome. I sorta got tired of having a 60+ Karma rating.. I've managed to drop it down to like 30 or so within the course of just a few days just for fun. :)
Bowie J. Poag
Rolling out itrace would be a lot easier than setting up egress filtering for many medium sized ISPs - as when you provide transit for other providers the access lists required can quickly grow very large - and can fluctuate regularly, so just keeping them maintained can be a tough job. Itrace would probably just mean typing "service itrace" on a cisco and then keeping half an eye on the logs.
:)
I work in the industry and it scares me when I talk to the techs at other companies and they have no idea how their network works - they've just cobbled it together from other people's suggestions without any real understanding of why they're doing things...
I wholeheartedly agree that egress filtering is needed to stamp out spoofing though - itrace only gives a method of tracing an attack back once it is underway - egress filtering would mean it would never start in the first place.
If only cisco would enable an optimised easy to configure egress filtering service
Name one, then abandon TCP and use it to do all the things you do on the internet
Learning at some schools is like drinking from a Firehose
It does raise the bar, so the next steps in the cat&mouse game include ever-more-diffuse distributed attacks to avoid ever-more-watchful intrusion detection and traceback mechanisms. Is that a bad thing? No -- it is a good thing to make successful attacks more challenging.
A little more background reading:
Stefan Savage, Practical Network Support for IP Traceback a technique for tracing, but requires a little packet marking/mangling which makes it unlikely to be adopted. Clever, though, I'm sure some of the ideas will fold into itrace.
Robert Stone, CenterTrack: An IP Overlay Network for Tracking DoS Floods A tool for ISPs to build monitoring networks without making every component cooperate. Hmmm... I wonder if Carnivore has remote tunnels built in?
Other efforts in traceback involve perturbing the source of floods (e.g. by hop-by-hop reverse flooding) and watching the statistical properties of the flood at each step.
Read /. recently? After a k|dd|3 is in, any simple r00tk|t can erase his actions from the logs. If the admin was a dork for letting him in in the first place & firing his DoS without noticing him (remember; I was the one warning them about it) I doubt he is capable of tracking the kiddie down. Any moron would notice the loss of bandwidth IMHO.
-- Sig (120 chars) --
Your friendly neighborhood mIRC scripter.
* Q
P.S. If you don't get this note, let me know and I'll write you another.
I'm not talking about logs (and even so, the percentage of hax0rd boxes that are truly without logs or other evidence of intrusion are probably smaller than you think).
I'm talking about real-time monitoring of network traffic and system usage. If someone's able to track the source of the attack back to a hax0rd system, all the competent admin has to do is fire up a packet sniffer, protected netstat-type utility, whatever, and figure out where YOU are connecting to this compromised machine. Since this connection is unlikely to be spoofed, the source address is guaranteed, and he can proceed to contact *that* ISP. Repeat if necessary.
This seems to be an application of the technology described in that one paper on storing trace information in packets in a backwards-compatible way, that slashdot had a while back. I now can't find the article. Some guy described the whole process of how one could squeeze the information into unused parts of packets.
It's 10 PM. Do you know if you're un-American?
Actually spoofed packets are useful in not-so-evil manners.
Well, tough. I'm afraid current internet practices of simply disallowing fake source packets will quickly render your protocols unusable.
Note that there are already other ways to send stuff anonymously, for example using onion routers. The freedom program by zeroknowledge uses this technology, for example.
The majority of people don't commit murder. Therefore, there is no need for police.
Right on. I'm sick of all these politicians promising to "put more cops on the streets." This is the last thing we need. The only thing cops do is shoot innocent black people and bother skateboarders in the mall. They have more rights than normal citizens, and can (at least in New York) do pretty much as they please. And there are so fucking many of them.
Karma: Good (despite my invention of the Karma: sig)
For itrace to become useful, it has to be installed near DoS-ing hax0red boxes, and/or near the script kiddies.
Currently, these DoS-originating locations can stay anonymous if they can spoof their IP address, that is, if the connecting ISP didn't install proper filters to protect against spoofed addresses.
So before itrace can become effective, these already clueless ISPs must be persuaded to upgrade their hardware. These are the same ISPs that currently don't install IP spoofing filters, even though that has been recommended by various organisations for years now.
And given the fact that there are still some remote locations that are so outdated that they don't understand CIDR routing, I expect it to take much longer than 18 months for itrace to become effective against all spoofed IP addresses.
Maybe we should stimulate the major router vendors to give away OS upgrades that include itrace for free :)
So from the tone of this can I correctly infer that you believe the government should take guns out of the hands of law abiding individual citizens? Let's only let the criminals have the guns? Or are you one of the Rosie O'Donnel thinkalikes who believes nobody should be allowed to have guns except you or your body guard?
"We are not tolerant people. We prefer drastically effective solutions"
I thought IPv6 had something like this built in..or am I talking out my hat as per usual?
The majority of infamous DDoS's are against webservers, but don't rely upon the site running an http daemon. A large number of DoS attacks are attacking the host machine and its TCP/IP implementation, e.g. SYN attacks, ICMP ping floods being echoed off of subnets.
Fixing webservers will not stop DDoS attacks.
I believe (I read the article yesterday) that they mention that a method of verifying the iTrace ICMP messages will be developed (some sort of PKI perhaps?)
So now every single packet I send can be traced back to me. If I posted this as an AC, it would be possible for law enforcement to follow the leads back from slashdot all the way to my PC.
That's scary in itself, but since these DOSers hack into machines that might be on the route, with trace software installed, THEY can also find out who I am. They could even fake those logs to make it look like I was responsible for something I didn't do.
Most people don't use IP spoofing anyway. However, you can always use an anonymous proxy service, such as anonymizer.com. So what have we learned? (1) No privacy has been lost here, (2) you had no privacy in the first place, (3) you can GET privacy if you really want it, through proxying, which ITRACE cannot affect.
As far as I can tell after reading the article and the proposal, this doesn't seem to have any significant effect on anonymity for the most part.
A quick summary of the proposal as I understand it: Routers that supported this feature would, after sending a data packet, randomly also send an itrace packet to the destination, containing the previous and next hop. The TTL in the packet would always start at 255, so it would be possible to determine how far back along the path the router that sent the itrace message was. Additionally, there would be an authentication system to ensure the veracity of the itrace packets. The IETF proposal suggests that the chance of a router sending this packet would be about 1/20000.
This doesn't affect anonymity. It isn't possible to determine anything more with this system than you would be able to normally, unless the IP address is spoofed. With a spoofed IP address, you might have a chance of determining the real originating host; with a valid source IP address, such a traceback would likely be available with a simple traceroute. Additionally, the packets are only sent randomly and occasionally, so the chances of a packet being sent are pretty low unless you're sending a lot of packets.
What I'm not sure about, however, is how effective this will be. If the chance of an itrace packet being sent is only one in twenty thousand, how many data packets would need to be sent in order for the destination to receive a complete trace back to the source? Obviously, in most typical DoS attacks, lots of packets are sent. Would this be enough, or would itrace only be effective for the largest DoS attacks?
Life is far too important to be taken seriously.
The Mongrel Dogs Who Teach
Paranoids of the world, unite!
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
That's why NOBODY but crackers use it, NO operating system supports it natively, and NO protocol works under it. Its only use is cracking.
Furthermore, anonymous proxies -- which are already the only way to be both anonymous and useful on the internet -- are unaffected by ITRACE. NOBODY lost any privacy here, except crackers.
It's unbelievable how many people on slashdot do not understand basic networking principles!
No, I've said it before in an earlier post; the only way to solve this IMHO is to let the Hosting providers come together and setup a guideline / rule for all servers being hosted. If they don't meet the security limits its either done for them or bye bye. When these people will stop thinking about money all the time and also give a little bit more consideration to the Net our troubles would reduce enormously.
First of all, the amendment related to guns is the second. Next, that amendment does not give you as an individual the right to own or carry a gun. It gives the states power to arm their militia. By law, this means the national guard. No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun. This view has been consistently upheld by the Supreme Court, most directly in US v. Miller, 307 US 174. For a more in-depth analysis, see The Politics of Gun Control, Robert J. Spitzer.
Read Miller again. Miller lost the case because a sawed off shotgun is not a weapon with much military value. There is even some language that infers that 2nd is an individual right.
Also check out US v Emerson which is now before the 5th Circuit. Judge Sam Cummings ruled it an individual right and it looks like the 5th Circuit is leaning that way. The whole issue could be before SCOTUS next year.
If itrace sent one traceback packet for each packet that passed through a router, it would far more than double the effectiveness of the DDoS - For every packet that went from source to destination, a new packet would be generated for EVERY HOP! Of course, this is a moot point, since it's only one out of every 20,000 packets that goes through a router. (Of course, this means that if you have 20 hops, a traceback message will come from somewhere in the route every 1000 packets or so...)
retrorocket.o not found, launch anyway?
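As an added example (not code from any post in this thread or from the IETF draft), here is a small Python model that ties together three points raised above: the TTL-255 check proposed as a cheap form of authentication for traceback messages, the summary of the proposal with its one-in-20,000 sampling rate and the open question of how many packets a victim needs before it holds a complete trace, and the arithmetic that 20 sampling hops yield about one message per 1000 packets. The router names, the message fields, the "victim" label and the flow of the simulation are constructed for this example; the 1/20000 rate and the TTL-255 start are what the posts state.

```python
"""Toy model of itrace sampling along a router path (constructed example)."""
import random
from dataclasses import dataclass

SAMPLE_PROB = 1 / 20000   # one traceback message per 20,000 forwarded packets (from the article)
INITIAL_TTL = 255         # traceback messages leave the emitting router with TTL 255


@dataclass(frozen=True)
class TracebackMsg:
    router: str     # router that claims to have emitted the message
    prev_hop: str   # upstream neighbour the packet arrived from
    next_hop: str   # downstream neighbour the packet was forwarded to
    ttl: int        # TTL as observed by the victim on arrival


def forward_packet(path, rng):
    """Push one attack packet along `path` (attacker side first, victim side last).
    Each router independently decides whether to emit a traceback message.
    Returns the messages that reach the victim for this packet."""
    msgs = []
    last = len(path) - 1
    for i, router in enumerate(path):
        if rng.random() < SAMPLE_PROB:
            prev_hop = path[i - 1] if i > 0 else "unknown-source"
            next_hop = path[i + 1] if i < last else "victim"
            # every router between this one and the victim decrements the TTL,
            # whether or not it has been upgraded to speak itrace
            routers_downstream = last - i
            msgs.append(TracebackMsg(router, prev_hop, next_hop, INITIAL_TTL - routers_downstream))
    return msgs


def collect_until_full_trace(path, rng, limit=5_000_000):
    """Count attack packets until the victim has heard from every router on the path.
    Returns (packet count or None if `limit` was reached, messages received)."""
    heard, msgs = set(), []
    for n in range(1, limit + 1):
        for m in forward_packet(path, rng):
            heard.add(m.router)
            msgs.append(m)
        if len(heard) == len(path):
            return n, msgs
    return None, msgs


def packets_per_message(hops, p=SAMPLE_PROB):
    """With `hops` sampling routers the victim sees one message per 1/(hops*p) packets
    (20 hops: one message per 1000 packets)."""
    return 1 / (hops * p)


def expected_packets_for_full_trace(hops, p=SAMPLE_PROB):
    """Coupon-collector estimate: each router reports independently with probability p
    per packet, and the victim must wait for the slowest of `hops` geometric(p) waits,
    which is about H(hops)/p for small p (H = harmonic number)."""
    return sum(1.0 / k for k in range(1, hops + 1)) / p


def reconstruct(msgs):
    """Chain messages back from the victim by following next_hop pointers and flag
    messages whose TTL contradicts the position they claim. A message arriving with
    TTL t has crossed at least 255 - t routers, so a router claiming to sit k hops
    from the victim must show TTL >= 255 - k; a lower TTL means the message came from
    farther away than it claims. The converse does not hold: a host close to the victim
    can lower its initial TTL to impersonate a distant router, which is why the
    article calls for authenticated messages on top of this check.
    Returns (routers ordered from the victim outward, set of suspect routers)."""
    by_next = {}
    for m in msgs:
        by_next.setdefault(m.next_hop, m)     # one message per claimed position is enough
    ordered, suspects = [], set()
    current, k = "victim", 0
    while current in by_next and k <= INITIAL_TTL:
        m = by_next[current]
        if INITIAL_TTL - m.ttl > k:
            suspects.add(m.router)
        ordered.append(m.router)
        current, k = m.router, k + 1
    return ordered, suspects


def simulate(hops, seed):
    """Run the model on a constructed path of `hops` routers with a seeded RNG and
    return (packets needed, routers ordered from the victim outward, suspect routers)."""
    path = [f"r{i}" for i in range(hops)]
    n, msgs = collect_until_full_trace(path, random.Random(seed))
    ordered, suspects = reconstruct(msgs)
    return n, ordered, suspects


if __name__ == "__main__":
    n, ordered, suspects = simulate(20, seed=1)
    print(f"one message per {packets_per_message(20):.0f} packets; full trace after {n} packets "
          f"(coupon-collector estimate {expected_packets_for_full_trace(20):.0f}); suspects: {suspects}")
```

Running it shows why a flood of millions of packets yields a complete trace while a handful of packets almost never produces a single message: for a 20-router path the estimate is H(20)/p, roughly 72,000 packets, and the seeded simulation lands in that neighbourhood. The TTL rule in `reconstruct` is only a lower bound on distance, so it catches a message forged from farther away than the router it impersonates but not a nearby host pretending to be a distant one; that remaining gap is what the message authentication mentioned in the article is meant to close.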
What keeps a script kiddie from sending spoofed itrace packets implicating every machine on the planet from a compromised machine?
If you read the article, it addresses this concern:
"ISPs face the cost of upgrading their routers to support itrace, and also the cost of developing the public-key infrastructure required for traceback message authentication. Without fail-proof authentication, hackers can create bogus traceback messages to accompany their denial-of-service attacks."
rage, rage against the dying of the light
moderating today from redmond.corp.microsoft.com
Just the opposite - The DoS packets are spoofed, because they only need to go one way.
As has been pointed out numerous times in this article before, THIS DOES NOT AFFECT TCP STREAMS! If you have a TCP connection, YOUR IP IS ALREADY KNOWN! You cannot combine spoofing with the ability to receive data. If you want to remain anonymous, use an anonymizer proxy, which itrace will not affect.
retrorocket.o not found, launch anyway?
I hope the writer of the article is confused. If you put your trace messages in separate packets, you'll only be able to trace the DOS as far as the reflector machines. That's useless -- we know who the reflector machines are already. If you put the trace message inside the packet payload, you've got a much better chance of tracing the entire path without having to ask the guy at the reflector machine to get involved.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
You're falling into the trap of the Politician's Syllogism:
Aren't you posting from the UK ? Right now the UK has the unedifying spectacle of a government simultaneously imposing draconian anti-privacy measures in the RIP bill, yet also having their own secrets exposed by "Benji the Binman", owing to their own complete lack of understanding on basic infosec (shred your rubbish).
We already have many defences against DDoS attacks. The best one is installing Clues in the admins of bozo ISPs (not forwarding RFC1918 is a damned good start), but more robust inbound routing helps too (stateful packet inspection still isn't commonplace, yet it kills things like SYN flooding). We can fix this. Sure, It sucks today, but let the geeks work it out and we'll get the holes patched.
So what are you suggesting instead ? Modem Licences, to go with the Modem Tax rumours you recall so fondly from the Net 10 years ago. The infrastructure is flaking, there are too many cluephobes jumping on the ISP bandwagon, yet you want to start beating up on the users ! I'm sorry if AOL doesn't meet your standards of intellectual superiority (are you a Mensa member too ?), but their cash is as good as yours or mine, and they've just as much right to be here.
If I walk into my local pub and behave like a jerk I'll be thrown out. Cross the road and the same behaviour is accepted as normal; different pubs, different communities, different standards of behaviour. How is your "global net access" going to support that ? I don't want Kansas fundies telling me that evolution doesn't work, and they probably wouldn't want me offending their local ordinances either.
Don't like Grits with your Slashdot ? Let's make moderation work better. Virtual Communities are still a pretty new concept, and we're going to have to learn how to deal with the odd Mr Bungle or BeerGuy.
Personally I think an age limit of 32 is about right. Keeps off the people who don't remember uucp and real netiquette. How do you like that idea ? 8-)
This is not an attack on anonymity. Go read the actual IETF draft. You will see that the only thing it helps with is tracing back packets with SPOOFED originating IP's.
This will help prevent things similar to the attack on kuro5hin. Unfortunately, if attackers are using compromised machines, all it will (or can) do is help to quickly find the real IP addresses of the machines that have been compromised. You see, someone doing a denial of service attack right now can cause the servers they are using to output IP packets that look like they are from somewhere else. When those packets arrive at the target, 10 hops later, it is nearly impossible to find the real machines that are causing the attack. That's what this proposal solves.
This has nothing to do with eliminating privacy or anonymity. Every time you connect to a web site now, they can find out the IP address you are coming from. Duh! How else can they send the web page back to you??? If you spoof your originating address, you cannot have a two way conversation.
IP source spoofing is ONLY useful for denial of service attacks, and that is the ONLY thing this proposal addresses.
The so called solutions you are advocating, like restricting access to the net would be far, far worse for invading privacy. Think about it... how are you going to make sure that only "authorized people" use the internet? Well, you will have to identify all of them. With examinations, meeting criteria, getting what is equivalent to an "internet license"... well damn, there goes privacy! Just like anyone who sees your license plate on your car can find out who the car owner is. No privacy there either. Did you think about this?
The IETF proposal is not a perfect solution. You are correct that there probably isn't one. However, it is a good one and 100% better than your suggestion.
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
Is IP spoofing really that valuable to you? Or do you just not know what you're talking about?
They're not complaining about the postmark on their snail mail
Just as it is questionable to say that the traditional means of bootlegging music (copying a tape to friends for instance) are similar to Napster, you really shouldn't compare e-mail with snail mail/phone privacy either. Once again it's a question of scale: what you can and cannot do with a reasonable amount of effort. In the meat world it's much more difficult to keep track of a person's mail and whereabouts and that's why extensive and continuous surveillance has been conducted only on people who are already under suspicion. However, on the net it is much easier to track a person and -- more importantly -- to do exhaustive searches for suspicious (whatever that happens to mean at the time) correspondence. To my mind this would correspond in real world terms to the authorities opening and reading snail mail at random in order to look for evidence of crime.
I think it is impossible for whoever should enforce this restriction to check on everybody's age or whatever restrictions one can think of. Besides, if they could do that, they would need far more information about you than they can ever get over the net.
This alternative is far more intrusive than the original idea.
2000-07-26 09:01:57 The end of ddos? (articles,news) (rejected)
posted yesterday but rejected...
I think that the reaction to the alleged "loss" of privacy on the net is a little extreme given the cost that privacy is beginning to create. I can live with people being able, provided it is not *too* easy, to get an idea of what I'm browsing, if it means that I can continue browsing it. If the cost is such that 15-year-old jerks with nothing better to do than get cheap thrills breaking things are taking away the services I want to use, then in my humble opinion, the privacy has come at too high a cost.
I don't like making the tradeoff, but I'd rather have a service that was not completely anonymous than be able to anonymously participate in a medium that has been reduced to complete uselessness.
Salocin.com
So routers send ICMP messages about packets they pass on? Well, can't you just flood the target with faked itrace-ICMPs? How exactly is the victim supposed to be able to tell which ones are real and which ones are not? And the routers can't really send these itrace-ICMPs about an ICMP, since there is this rule about not sending ICMPs about ICMPs, right?
Discarding all incomplete requests can solve most problems. One packet is enough for almost any http request. Oh yeah I know there're long cgi-bin requests but these could be handled somehow differently.
Every secretary using MSWord wastes enough resources
The itrace packets will have an authentication section. Read the ietf draft, it explains some of the possibilities.
At any rate, spoofed itrace packets will be detectable.
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
john_doe.dialup.isp.com
which can/and would only be assigned by the ISP.
For that matter, can't they tell who is dialed in at any particular time, presuming they are logging all the appropriate information?
BreezyGuy
Eric B
ebresie@gmail.com
At least with names consisting of "i"+$propernoun (like "iMac"), while they violate every convention of capitalization in English, that odd capitalization at least gives some clue as to their pronunciation. Have we really devolved to the point where any word that appears on the internet that has an "i" in front must be pronounced with a long "i" separate from the rest of the word? Didn't someone realize that this coopts the single most used word in the English language in the process and renders it a mere idiot prefix? At least when companies did this with "super", that was a normal adjective.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Please. You'd just step back to the days of wardialing and hacking accounts again, that's all. I actually used to PAY for a shell account that had to be accessed over a hacked link, due to no local dialups 10 years ago. People WILL find a way. Script kiddies will dust off ToneLOC and be back on the net, probably before you or I finish our licensing tests. There is no perfect solution, to be sure, either we give up some privacy, or, as you say, get licensed.
Problem with getting "licensed", is that we'll have to give up MORE information that way anyhow. Aside from the enforcement angle, making sure that everyone on the net has their proper license, it would get real messy real fast, end up with the worst of both worlds.
I like music
That crisis point you talk about is coming - just wait until all those new top level domains come on line and folks start realizing we're almost out of IP addresses (and given the trend of new IP allocations, we're lucky if IPv4 lasts another 24 months). IPv6 isn't something ISPs and the backbone will move to voluntarily (with a few farsighted exceptions) - it's going to be one of those gun-to-the-head-of-the-business situations that makes life so enjoyable for us spectators.
I love vegetarians - some of my favorite foods are vegetarians.
"Well firstly we need some kind of age limit"
Not only is that completely unethical in my opinion, but also unconstitutional where I come from.
"there is a lot of offenisve [sic] material out there that we don't want our kids seeing" - Speak for yourself, buddy.
"to people mature enough to take responsiblity for their own actions" - I know plenty of people over 18 who don't fit this mould.
Maybe you would like to hear an example where anonymity really is a good idea.
I am, among other things, a student in Islamic Studies in Germany. We have had students who worked in the Middle East under really weird circumstances; for example, there was one in the early nineties who wrote her Magisterarbeit (you'd call it a Master's Thesis) on the internal structure of Palestinian Islamist terrorist organizations. Back then, the internet practically did not exist down there so she communicated back home from public phone booths using a scrambling device. For our students who are there now, I set up an anonymous remailer that I can trust (because I happen to administer it) in our student organization's office, and they communicate happily, heavily using nyms, remailers and PGP.
For these people, any loss of anonymity (such as a "where did these packets originate" solution) means a serious risk to their lives, while their activity is not at all illegal - it's perfectly ordinary scientific research.
So if I pour my bleeding heart every now and then about my rights in the internet arena, it's because I am perfectly conscious that I need those rights (or friends of mine). There are applications where anonymity is a necessity, and these are not necessarily illegal.
Apart from that, I am a little sensitive to statements like Don't do illegal things, and you'll be able to do without the rights that we are depriving you of. May have something to do with my home country's history over the last couple of centuries.
As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
We keep saying that the internet is great because it creates the free flow of information. The nature, destination, source and size of that information is just more information, which, if the means can be created, can just as freely be collected by individuals.
People protect Napster because it's something that allows information to flow even more freely - good, it's a valid argument and I will defend that argument. But the creation of technology such as this is merely the same kind of development, but the nature of the information is different. Instead of enabling the infringement of the rights of people who make music/films/software/whatever, it enables (nothing more, after all it's what you do with it that counts, the makers of the technology can't be held responsible can they?) the infringement of the rights of people sending packets of data.
I think it's hypocritical to say that the internet is great because it allows the free-flow of information and data across the world and then to impose limits on that data flow when it relates to stuff we'd rather wasn't shared. I'm sure the musicians feel the same way about Napster, Gnutella, Scour, MP3.com and all the others.
Salocin.com
We can't let them take our right to privacy too.
Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."
Ninth:
What you may be unaware of is the fact that there were many people who argued against the Bill of Rights for the very reason you've illustrated: they claimed that it would have the result of effectively restricting what Rights were actually protected because they didn't name them all (After all, in their view, Rights are intrinsic, they can't be granted, they can't be taken away. Everything else is privilege). Amendments 9 and 10 were written to counteract this, but I'm not so sure this was effective. After all, how many cases do you know of that reach the Supreme Court under 9th and 10th amendment claims? They may be there, but they are certainly overlooked by the public.
ufdraco
There are thousands of different servers for different applications out there. Do you seriously want to change the way they work?
Just because HTTP requests are short in most cases does not imply that there is no request-oriented non-DOS service active out there on the Internet that actually uses requests of more than one packet in length. (One might also say "HTTP is not the world" or "The Internet is good for other things than web browsing".)
As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
Anything else would be like not installing airbags in cars, but instead threatening drivers that cause accidents with more severe punishment.
I disagree. We end up with a fairly ludicrous situation at both extremes.
Extreme 1 - You drove 1 cm closer to the side of the road than was necessary. The sentence is death!
Extreme 2 - All cars are filled with and surrounded with padding. It obscures your vision, but it prevents them from doing any harm to the driver, other drivers, and pedestrians, so it doesn't matter.
In practice, we have a level in between. Cars are fitted with seat belts, but it's illegal to go faster than x mph, and to drink more than y. It's a reasonable compromise.
This technology does not affect your privacy !
It will only affect you if:
Itrace will only give useful information about users who are abusing the flaws in the tcp/ip protocol and at the same time are sending lots of data (like syn flooding), and will not have any consequences for the rest of us.
RFC1925
Hmmm. The majority of people don't commit murder. Therefore, there is no need for police.
(Suggested +3 : Incisive) Grin.
I'm sick and tired of good intentions being used to defend bad plans.
Uh, sorry. No. The internet as we know it was built on a large number of assumptions, many of which are simply no longer true. The largest of these assumptions is that there was no reason for built-in security, since the only people using the network were academic types -- and it was true that the various institutions could generally trust each other. But as the network became more open to the public at large, the old assumptions began to break down. This plan is an attempt to fix a single problem in an inherently bad design. Get over it.
---
"Go Metallica. Die RIAA." -- Linus Torvalds
Script kiddies don't have enough bandwidth to DoS a major provider, so they use rootkits to crack systems and then use the cracked system as a launchpad for their DDoS attacks, right? Well, maybe a solution is for companies to use a Trusted OS like Argus PitBull, Trusted BSD, (admittedly incomplete) OB1, Trusted Solaris, HP's virtual vault, or find a better match for yourself.
/dev/null 2>&1
Why people use WinNT as a server platform is beyond me. Something like 65% of web-site defacements listed at Attrition.org are WinNT based. That's insane. Linux is something like 20%. I was very surprised at HOW MANY sites are hacked. The internet's infrastructure needs to be improved, sure. But how about securing your system properly?! Argus has even announced a Linux port for their products; it's the only TOS that I've seen even mention Linux. And, maybe someone should push the Linux Kernel developers to finish implementing the Capabilities and ACL stuff that at least partially exists in the kernel (or in patches); this would allow application coders to write non-suid programs that would still have some of the root capabilities (just the ones they need).
I'm not saying that the sys admins are to blame. These decisions are generally not simple technical ones. However, everyone needs to be educated about the products that are available to protect themselves and others (in the case of DDoS's). If you're a sys admin, educate yourself and pass it on to your boss. They may not get it, but you should at least try.
Just my $0.02.
$ flames >
---------The early bird gets the worm, but the second mouse gets the cheese.
One is for generating statistics on who is contacting your site and from where. Just collect all the itrace packets that hit your network, and you could get a statistical map of which routers on the Internet send the most data to you. With a little knowledge of the location of these routers, you could generate a statistical average of the logical and/or geographical distribution of your readers/clients/customers/whatever.
This might be handy if you're a big site and you are considering putting up another mirror, or switching to a new ISP to better serve your customers. You could base your mirror location and/or your ISP move on real statistics rather than educated guesses. And best of all you don't have to collect any personal information about your users to do it.
Actually spoofed packets are useful in not-so-evil manners. I'm working on an anonymous file transfer protocol that depends on the ability to hide the return address. That is you, can send a file to someone without them knowing where it came from or trace it back to you. There are two levels of anonymity :
1. You send packets directly to the target host using UDP with a spoofed return IP address of 0.0.0.0. This method can work to receive packets from behind a firewall with a SOCKS 5 server. Since this doesn't use ICMP it's not affected by itrace.
2. You send packets inside of an ICMP message to a random host on the net. The ICMP return address contains your target host. This is the most secure method, but you could end up pissing off some unwilling participants. You can reduce this by spreading the packets across a lot of hosts.
The astute reader will note that both methods use lossy transmission (UDP and ICMP). So a communication channel must be set up where the target can report lost/missing packets. Since this protocol is specific to file transfer, lost packets don't need to be reported individually and so they are clumped together and passed around a chain of computers (à la a gnutella-like network). The sender eventually gets the updates and resends the remaining packets.
Itrace could possibly affect method #2 making it easier to trace a packet back to the source. But it really cannot isolate the sender to more than a subnet unless it is installed everywhere. There is too much equipment out there now that will never be replaced to make this a reality.
-- Virtual Windows Project
Great,
another reactionary response to a well reasoned post. Most of us don't want to take your precious guns. What most of us want is some form of regulation that governs the ownership of all types of firearms. We want these regulations to help keep guns OUT of the hands of criminals. If all manufacturers and gun dealers were held accountable for all of the guns that they sell and manufacture, you can be sure that the guns in the hands of criminals will be greatly reduced.
If I use a car, knife, spoon to commit a crime should the manufacturers of these objects be held accountable because I am a criminal?
Many legal gun owners feel that regulation is to keep THEM in check, and have some paranoid notion that the government will someday roam the country, dumping everyone's guns in a big dumpster. Wrong. The logistics of such a suggestion will never be possible.
I am sure the residents of Australia thought the same thing until they had to watch their guns being destroyed by the thousands. Legal gun owners think the regulations are there to keep them in check because they are the ones that will follow the law. Which makes them the only ones that will be affected.
In any major city in the US, criminals buy guns from two sources. Disreputable-but-licensed gun dealers, and pawn shops. There is no Miami Vice-style gun dealer pulling up in the 'hood in a Ferrari to show off the latest rocket launcher. In nearly every case, it is Billy the Hoodrat who buys a trashbag full of $50 guns from some disreputable licensed dealer.
It is clear that regulation, licensure, and recording of all sales through a licensed dealer, will create a trail from a gun's manufacture to disposal, which can only serve to keep the guns
out of the hands of criminals, while hardly impacting the right to own a gun.
I don't know first hand how most criminals get the guns they use, I would however guess it was by breaking one of the many laws that are already in effect. I have seen first hand that criminals will break into a house and steal only a firearm. It always amazes me that people think passing a new law will magically make criminals behave and stop breaking the laws. We call them criminals for a reason. Why don't we enforce the laws that already exist. Let some harmless pot-heads out of jail to make room for real criminals.
So it's a useful first step, and the one that has to be widely deployed before anything else can be done. Good work by the IETF.
This may allow detection of most kiddies with their DDoS and fries kit downloaded from McHacker, but you can easily avoid detection by using onion routing
See www.onion-router.net for information, although they have just taken their net offline as they have concluded their experiment.
To quote:
The Onion Routing research project is building an Internet-based system that strongly resists traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routers themselves). It prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network.
Cheers!
--
Before going off and criticising this, take note of these two points:
1 in 20,000 packets will be affected. So it's not as if every packet you send is affected.
All it does is send what the router knows of the packet to the destination.
In other words, if you are surfing slashdot, every once in a while, slashdot will get an itrace packet saying that 1.2.3.4:1234 destined for slashdot.org:80 was routed through me.
However, if you are surfing slashdot, then slashdot ALREADY knows your ip address. This only affects you if you use spoofing to send packets out. And remember, spoofing is (basically) connectionless. You can't connect to a website and get a page (or ever request a page) with a spoofed IP address. You can only send out individual packets that have a spoofed from address.
So, how does this affect my privacy? Well, if I do lots of DOS attacks, or spoofed portscans, then occasionally the site I'm attacking will find out some of the routers I'm going through. If I'm a regular Joe Bloggs, surf porn sites on company time, and generally do things I don't want the public to know about, then some of the places I visit will find out occasionally which router I go through. However they can get this information really easily via a standard traceroute.
So in the end, it has VERY LITTLE effect on privacy, except on those who are trying to spoof their return address (And spoofing your return address is 90% of the time used only in attacks. (Occasionally it could have a legitimate purpose, but if it did, then you shouldn't care if the other site figures out who you are)).
As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.
Oh, that's one thing, if the authentication isn't good enough, then you'll be able to fool some sites into thinking you are routing through a different router. However this only brings us back to square one, no further.
---
I used to have a funny sig, but slash cut it off, and I forgot what the punchline was.
Had you read the story that was linked to in the article, you would have read that itrace messages would only be sent for 1 out of 20,000 ICMP packets. Because of the size limitation of ICMP packets, they are only useful for diagnosing network problems, or as we have seen, for flooding a site to a point that it is unusable, or as we call them, Denial of Service attacks. Besides, unless you're IP spoofing, the administrator of the target network can already figure out where you're pinging or tracerouting from. The same is true for about any type of IP connection you make. Itrace really has no effect on privacy. It does, however, have an effect on people IP spoofing and launching DoS attacks. Besides, I'm not entirely sure that I'm not responding to a troll. :)
--
Intelligence is definitely a recessive trait.
There used to be a time when it was normal that netizens could be traced back and identified. The advent of dialup accounts and free providers have put an end to this, and I've always felt that that was a Bad Thing for the Internet. You now have all sorts of anonymous cowards who conduct mischief and are a nuisance.
I'd say that every initiative to restore a bit of the old traceability paradigm is an initiative to be welcomed. If you can't stand that, you have the option of not using our (the other netizen's) infrastructure. In that case I wish you good riddance.
Maybe it's time to restrict who has access to the roads.
Isn't that what driving licenses are for? I'm suggesting a similar thing for the net. You wouldn't let your 5 year old son drive a car, why let him online? Both are dangerous in their own ways.
You further make the insidious claim that average AOL users are script kiddies; this is a cheap, elitist attack that doesn't in the least help your argument: AOL users aren't anonymous.
What have AOLers ever added to the net? Even if they're not all hackers and script-kiddies, they're certainly a drain on bandwidth. Remember how the net was ten years ago?
We don't want our kids to read about bomb-making until they reach the age of 18 and are magically wise.
Well frankly, no. Kids can't be trusted to make the right decisions until they grow up. Why do you think we have age limits on things?
the nations of the world would unite behind a plan to make the Internet available only to the master race.
I think you're overreacting - all I'm after is a bit of politeness and less script-kiddies, not for some fascist dictatorship in control of the net.
Seriously, why are you so intent on kicking off users?
If you were in a restaurant and someone started kicking tables over, they'd get thrown out. Same principle. Besides, prevention is always better than a cure, and it is prevention that I'm in favour of.
---
Jon E. Erikson
Jon Erikson, IT guru
OK, before everyone gets up on their horses....
Firstly I support internet privacy totally.
Secondly this initiative does not erode that.
Read the article, and you find a few things...
1) itrace packets are only sent approx 1/20000 packets through a router, greatly reducing any traffic analysis benefits from monitoring itrace packets
2) the packets go to the destination. So only your destination and points between can read the itrace packets, but they can read your packet anyways, so no biggie.
Ergo, the only time an itrace packet will tell anyone anything more than they would know by looking at the IP header of your TCP packets is in the limited case where the IP address on the packet is forged.
Now why, you might ask, would you want to forge an IP address? Good question. Remember if your IP address is wrong, no return traffic will reach you. The 2 cases I can think of are:
1) doing a TCP hijack attack, and due to the probable low volumes (telnet doesn't generate THAT many packets) in the hijack stream the chances of getting caught by an itrace packet is pretty slim.
2) performing a DOS attack, which is pretty much totally evil.
3) doing a portscan with a decoy. You might get your fingers slapped here. Life's a beach.
So, as far as playing on gnutella, or posting as AC on slashdot is concerned, you don't lose anything to itrace in terms of anonymity that you hadn't already lost by having your IP address on a packet.
I hope that clears things up somewhat and avoids a flame or two.
----
Remove the rocks from my head to send email
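Two posts above (the one beginning "Before going off and criticising this" and this one) rest on the same two numbers: one traceback message per 20,000 packets, and the need for those messages to be authenticated so a forged one cannot implicate an innocent router. The simulation below is an added example, not code from the thread, the article or the IETF draft: the five-router path, the per-router sampling, the victim-side reconstruction and the HMAC key are all constructed assumptions, and the draft's real message format and authentication scheme are not reproduced here. It shows why 1/20,000 is enough for a flood of a million packets (about 50 reports per router) and next to nothing for an ordinary browsing session, and how a bad tag gets discarded.

```python
"""Sampled, authenticated traceback: how a victim can rebuild the router
path of a flood even though each router reports only 1 packet in 20,000.

Added example. Assumptions (not taken from the draft): each router samples
independently, a message carries (upstream hop, router, destination), and
it is authenticated with an HMAC under a key the victim can verify.
"""
import hashlib
import hmac
import math
import random

SAMPLE_PROB = 1 / 20000          # the "one in 20,000" figure from the thread
UPSTREAM_EDGE = "upstream-edge"  # constructed label for the first router's ingress


def expected_messages(n_packets, p=SAMPLE_PROB):
    """Mean number of traceback messages one router emits for n packets."""
    return n_packets * p


def sample_count(n_packets, rng, p=SAMPLE_PROB):
    """Number of sampled packets out of n_packets, drawn by geometric gaps
    instead of flipping a coin for every packet (same distribution)."""
    count, pos = 0, 0
    log_q = math.log(1.0 - p)
    while True:
        gap = int(math.log(1.0 - rng.random()) / log_q) + 1  # always >= 1
        pos += gap
        if pos > n_packets:
            return count
        count += 1


def _body(prev_hop, router, dst):
    return f"{prev_hop}>{router}>{dst}".encode()


def make_traceback(router, prev_hop, dst, key):
    """A router's message: 'a packet for dst came to me from prev_hop'."""
    tag = hmac.new(key, _body(prev_hop, router, dst), hashlib.sha256).hexdigest()
    return {"router": router, "prev_hop": prev_hop, "dst": dst, "tag": tag}


def verify_traceback(msg, key):
    """Victim side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, _body(msg["prev_hop"], msg["router"], msg["dst"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def simulate_flood(path, dst, n_packets, key, rng):
    """Every router on the path samples independently; returns the
    messages that reach the destination."""
    msgs = []
    for i, router in enumerate(path):
        prev_hop = path[i - 1] if i > 0 else UPSTREAM_EDGE
        for _ in range(sample_count(n_packets, rng)):
            msgs.append(make_traceback(router, prev_hop, dst, key))
    return msgs


def reconstruct_path(msgs, key):
    """Discard messages that fail authentication, then chain the
    prev_hop -> router links from the upstream edge towards the victim."""
    links, rejected = {}, 0
    for m in msgs:
        if not verify_traceback(m, key):
            rejected += 1          # forged or corrupted: ignored
            continue
        links[m["prev_hop"]] = m["router"]
    path, hop = [], UPSTREAM_EDGE
    while hop in links and links[hop] not in path:
        hop = links[hop]
        path.append(hop)
    return path, rejected


def run_demo(n_packets=1_000_000, seed=1):
    """Flood of n_packets over a constructed five-router path, plus one
    forged message that tries to implicate an innocent router."""
    rng = random.Random(seed)
    key = b"constructed-demo-key"  # stand-in; not a real router key
    path = ["r1.isp-a", "r2.isp-a", "r3.transit", "r4.isp-b", "r5.isp-b"]
    msgs = simulate_flood(path, "victim", n_packets, key, rng)
    msgs.append({"router": "innocent", "prev_hop": UPSTREAM_EDGE,
                 "dst": "victim", "tag": "00" * 32})
    recovered, rejected = reconstruct_path(msgs, key)
    return {"path": path, "recovered": recovered,
            "genuine_messages": len(msgs) - 1, "rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` recovers the full path and rejects the forged message; `run_demo(n_packets=2000)`, a browsing session's worth of packets, yields well under one report per router, which is the "no effect on privacy" point both posts make. The key distribution problem (how a victim gets something it can verify for every router on the Internet) is exactly the part the thread says the draft must get right, and this toy shares one key for simplicity.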
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
...so could someone explain how this works? Specifically, what about the "last mile"? I think I understand that "once in a while" a router will send some extra info with a packet saying who IT got the packet from. But if I'm spoofing, won't the FIRST router be wrong to begin with? Or does my connection to the first router have to be legitimate in order to insert fake packets?
In any case, this doesn't really solve the problem. The black hats can still crack large numbers of machines (as long as, if they are spoofing to do so, they do it in under 20,000 packets) each of which can launch a non-spoofed DoS attack. No sysadmin is going to trace each of these DoS'ers back individually. And it can't be automated, remember, because the large set of machines is not spoofing.
--
Give us our karma back! Punish Karma Whores through meta-mod!
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
As TheZombie says, egress filtering can be used to stop spoofed IP's.. That's not tough. There is also a product called GaurdianNT (Yes, NT, though I am sure there are comparable products for other platforms) that will allow for an admin to allot a certain percentage of bandwidth to each computer hooked up to a network. That combined with filtering and education for the admin (cuz come on, would any of your networks have been broken into and had these "zombies" installed on your machines?) would solve the problem.
The problem is not the architecture of the internet, it is due in large part to ignorance. A lack of knowledge on your own networks security and a lack of knowledge about the tools available to you.
OItinfoilmedia
What keeps a script kiddie from sending spoofed itrace packets implicating every machine on the planet from a compromised machine?
www.eFax.com are spammers
instead of a "Redundant".
What say you moderators cut him some slack here, ay?
Privacy is a right, it's also a bit of a luxury in certain circumstances, but it also causes a lot of hassle as it empowers vandals.
But what it comes down to is that there is no equivalent of putting airbags in cars for the internet at the moment and we nevertheless want to stop the DoS attacks, therefore we go at the problem with the only lever we have available to us - removal of anonymity.
I wonder if removal of anonymity is the same as removal of privacy. We have no right to anonymity as far as I know, and only by arguing that the two are the same can we justify keeping the internet untraceable. Hmm - what do you think?
Salocin.com
Recently, most DOS attacks have been difficult to stop due to a flaw in the stable cisco IOS versions, which allowed non-initial fragments, even if you only had one "deny all" access list. ... has not been successful so far. DH.
Cisco has been working on this and a fix should be widely spread soon.
However, I am not sure how those itrace ICMPs will tackle partial IP packet DOS, which mostly result in CRC errors on the attacked host.
Resolving the spoofed attacks problem is certainly a good step forward, though. As of now, the only way to do it is trace the packets from one router to the other until the source of the traffic is reached. Too often, this source, is itself a victim (hacked host). Besides, going from one router to the other requires coordination between ISPs, which
The ability to know the IP of the person sending you packets is NOT a privacy violation. There are already ways to send information anonymously; what possible use could IP spoofing have?
For example, some ISPs (like us) have border routers that drop packets that have a source address different from the netblock that ARIN assigned us.
Yes, the problem here is that it's difficult to get 100% of the world to do this. How exactly would ICMP traceback have any better luck? It does less to solve the problem and still faces the same penetration issue.
If you made it impossible to spoof packets, attacks like smurf would become impossible and other attacks (such as SYN floods) would become much more difficult.
*shrug*
It sounds useful, but I can think of better ways to stop DoS attacks.
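The border-router check this poster describes (and the egress filtering the earlier post citing TheZombie mentions) is small enough to show in full. This is an added example, not the ISP's configuration: the assigned prefixes are documentation ranges standing in for "the netblock that ARIN assigned us", the packets are constructed, and the check is written in Python rather than as router ACLs so it runs anywhere. It also adds the mirror-image inbound check and the RFC1918 drop that another post calls "a damned good start".

```python
"""Egress and ingress source-address filtering at an ISP border.

Added example with constructed prefixes and packets; real deployments
express this as router ACLs or reverse-path checks, not Python.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for "the netblock ARIN assigned us" (these are
# documentation prefixes, not anyone's real allocation).
ASSIGNED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Private space that must never be forwarded across the border in either direction.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


def _in_any(addr, networks):
    return any(addr in n for n in networks)


def egress_verdict(pkt, assigned=ASSIGNED):
    """Outbound edge: a packet leaving our network must carry one of our
    own source addresses; anything else is spoofed and is dropped here,
    before it can reach a victim."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, RFC1918):
        return "drop:rfc1918-source"
    if not _in_any(src, assigned):
        return "drop:spoofed-source"
    return "forward"


def ingress_verdict(pkt, assigned=ASSIGNED):
    """Inbound edge, the mirror image: a packet arriving from the Internet
    cannot legitimately claim one of our own addresses as its source."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, RFC1918):
        return "drop:rfc1918-source"
    if _in_any(src, assigned):
        return "drop:own-prefix-from-outside"
    return "forward"


def tally(packets, verdict):
    """Count verdicts over a batch; a rising spoofed-source count is a
    cheap indicator that a customer machine has been turned into a zombie."""
    counts = {}
    for p in packets:
        v = verdict(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed outbound traffic: two genuine customer packets, one with a
# forged external source, one leaking private address space.
OUTBOUND = [
    Packet("203.0.113.7", "192.0.2.10", "tcp"),
    Packet("198.51.100.42", "192.0.2.10", "udp"),
    Packet("192.0.2.200", "192.0.2.10", "udp"),     # spoofed, not ours
    Packet("10.1.2.3", "192.0.2.10", "icmp"),       # RFC 1918 leak
]


def run_demo():
    return tally(OUTBOUND, egress_verdict)


if __name__ == "__main__":
    print(run_demo())
```

The objection raised in the same post still applies: the filter only catches packets that leave through a border that runs it, so its value depends on how many networks deploy it, which is the same penetration problem the poster raises against ICMP traceback.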
First Echelon, then Carnivore, and now yet another attempt to track the actions of average citizens on the Internet.
Wait, I thought they said "perpetrators of DDoS attacks".
Sure, stopping DDoS attacks sounds good in theory, but so does stopping "child molesters" or "foreign spies."
Uh.... Those sound good in practice, too, I think. Do you have any reasons to the contrary?
Like we need more information about ourselves being handed out online.
Like anyone even cares about what you do online. I'm constantly amazed by the number of Slashdot readers that have delusions of government agencies tracking their every move online, reading their every email, and so on. "They" just plain don't care about most of you. Get it? It may be comforting to have these delusions that you are somehow significant, but I'm pretty sure that nobody here is important enough for "them" to care about.
And then there's the everpresent question of just who "they" are.
I'm sick and tired of good intentions being used to defend bad plans.
Well, that's wonderful, but I don't see any good plans coming from you. If you don't like the plan, come up with a better one.
People have gotten away with taking our guns (protected by the Third Amendment)
Second.
We can't let them take our right to privacy too.
Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."
The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.
The majority of citizens do not commit murders. Therefore there is no need for a police homicide unit.
Then I had better not try to build a road.
--
Someone please explain this to me. This is intended to hamper DDOS attacks, right? But in a wide-scale DDOS attack the attacker has compromised tens or hundreds of computers in different subnets with totally different locations. So if he sets these boxes to start DOSing each at a certain time one after another each using a dynamically spoofed IP, what good is it to know where the attack is coming from if you're having hundreds of attacks from hundreds of subnets coming at you in a short interval of time? How are you going to shut them all down instantly to stop the attack?
Karma Police, arrest this man, he talks in maths
He buzzes like a fridge, he's like a detuned radio
I would like to shed another point that could possibly make this itrace ICMP message quite useless, or destructive. Note, I am not an expert on the workings of the ICMP itrace packet. I just know enough of IP and the workings of routing / firewalls / ICMP to see there may be flaws in IETF's planning.
1. Possibility for using itrace messages for malicious attacks
Because the ICMP packet is just another IPv4 packet, there is just as likely a risk that the originator can use this packet type as a way to DOS a system, by flooding the system with itrace packets, like smurf (http://www.cert.org/advisories/CA-98.01.smurf.html), etc.
By opening a new, valid form of ICMP, firewalls that are used to block all non-productive ICMP traffic will have to be changed to block iTrace packets, hence eliminating its use.
2. The ways to stop itrace from working
The itrace packet will be susceptible to the same ills of source spoofing that any other packet could be. If one wishes to stop an itrace packet from finding the source that sent it, the originator could send a slew of itrace packets from varying sources, making any response useless.
3. The effects to routers and IP Stacks
In order to implement itrace effectively, all IP Stacks and Router software in the world may have to be changed to allow the tracing of these new message types. Firewalls shouldn't have a problem letting them through as long as the ICMP 'type' field can be specified in a filter. If itrace is not implemented directly into the stack, some stacks may throw the packet out as being 'mal-formed', which is another form of network attack.
4. Firewalls, NAT's, and the risks that itrace poses
The point of a firewalled system is so that hosts behind the wall will become protected, or even anonymous to the world at large. There are two decisions that network engineers have when the itrace packet is implemented.
They can let the packets enter the firewall, and run free. This can lead to DOS and smurf like attacks inside the network, and could cause a good deal of havoc. Also, letting itrace packets in and out of a firewall could seriously jeopardize the security of the private network, by using the itrace responses to reconstruct the layout of the internal network.
The other choice is to block any itrace packets from entering a firewalled system. This is what admins will likely do for security reasons. When an itrace request to find a host enters the firewall, the best that would happen is that the firewall would bounce a negative response saying that the firewall wouldn't let the ICMP message in. The worst is that the itrace message just gets discarded, in which case the source of the itrace message has no idea why the trace failed.
5. Changes to IP Stacks and server/router loads
The problems presented had to do with a system that has been accepted and implemented. This problem has to do with the feasibility of such a system.
Just imagine a root router. It is pumping out hundreds of thousands of packets a minute. All of a sudden, a spoofed packet enters the router, and then leaves to its next hop, which is a host that the packet is DOS'ing. The router has to know which 'home' the spoofed packet came from. That means that the router will have to keep track of every packet that comes and goes from the machine, in order to properly route the itrace packet to its next hop.
Conclusion
So, now I hope you all can see the ills that the itrace packet type will lead to in the scheme of things. My best suggestion would be to wait until IPv6, when all routers, firewalls, and IP Stacks will be rewritten. At that time, architects could find reasonable ways around such a problem.
Bye!
What we need, therefore, is a sensible way of preventing the 15-year-olds with a lack of sense from causing damage.
Hence, a solution that makes the Internet itself less vulnerable to this sort of attack is to be preferred to anything that leaves the overall vulnerability of the Net at its present level and only aims at revealing the intruder.
Anything else would be like not installing airbags in cars, but instead threatening drivers that cause accidents with more severe punishment. It may serve the cause to some extent, but the alternative is definitely preferable.
As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
This is so far from being a perfect solution that I'm bound to miss something out of this reply, but here goes.
Exactly how do you restrict access to the internet without binding an IP address to a person even more closely, thus losing any chance we had at anonymity?
If you want a private network, why don't you set up an isolated MAN? You will be free to enforce whatever screening process you desire - but leave the internet out of this.
I don't think you're trolling - but you don't seem to understand that personal morality is personal.
Hamish
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
This would stop address spoofing right now, all ISP's should implement this. So what are the chances of getting ISP's to roll out itrace if they don't even bother to try and fix the problem in the first place.
I know I won't be popular here on /. but maybe a few lawsuits against ISP's not implementing egress filtering might change the current situation. Maybe implicating them due to negligence or some such.
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
Every secretary using MSWord wastes enough resources
You're confusing causation and correlation. It's also happened since (a) script kiddie tools became widely available, (b) users with significant home bandwidth have become common, (c) non-web media have given attention to, and to an extent glorified, 31337 behavior, and (d) 17" monitors became popular. You further make the insidious claim that average AOL users are script kiddies; this is a cheap, elitist attack that doesn't in the least help your argument: AOL users aren't anonymous.
<sarcasm>Right! What we also need to do is restrict libraries to adults 18 years of age or older. We don't want our kids to read about bomb-making until they reach the age of 18 and are magically wise. There's so much offensive material in the library, after all.</sarcasm> <sarcasm>Another great idea! Let's create some powerful organization to kick impolite people (by their judgment) off the net. Also this organization, which everyone would gladly accept, would be empowered to remove inferior users. All the nations of the world would unite behind a plan to make the Internet available only to the master race.</sarcasm> Seriously, why are you so intent on kicking off users? It's childish and vindictive behavior. It's neither practical, nor IMHO desirable in a free society.
--
Gates' Law: Every 18 months, the speed of software halves.
It only takes one router between the attacking host, and the victim host to have the right filter to stop the spoofed packets.
With itrace, if only one router in between is logging packets, all you will know is that the packet came through that router, so you are only slightly closer to the original source, especially if that router has several networks connected to it. With egress, that same router will have stopped the spoofed packets.
Another constitutional problem. Okay, here we go...
First of all, the amendment related to guns is the second. Next, that amendment does not give you as an individual the right to own or carry a gun. It gives the states power to arm their militia. By law, this means the national guard. No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun. This view has been consistently upheld by the Supreme Court, most directly in US v. Miller, 307 US 174. For a more in-depth analysis, see The Politics of Gun Control, Robert J. Spitzer.
The free speech issue is trickier, and I tend to agree with you that it's an unconstitutional prior restraint on free speech. The SC has held that unconstitutional for most of the century, and the current court is on a defend-free-speech-and-reduce-the-power-of-Congress roll, and would likely strike that law down if a challenge reaches them. I'm sure the ACLU is pursuing this.
Now, the much quoted "right" to privacy is a tough one. First, there is no right, as there is a right to free speech. Privacy is not in the bill of rights, nor protected elsewhere. However, in deciding Roe v. Wade 410 U.S. 113, the Court said there was a "zone of privacy" created by the Third, Fourth, and Fifth Amendments. This right extends only personal rights that can be deemed "fundamental" or "implicit in the concept of ordered liberty," Palko v. Connecticut, 302 U.S. 319 , 325 (1937), are included in this guarantee of personal privacy (quoted from the Roe v. Wade decision). This means your surfing with the illusion of anonymity is not protected, and launching a DDoS attack most certainly is not.
The constitution is the highest law of the land. Try and understand it before you spout off about it. /rant
Please point out where you got that idea !
The itrace solution is a tool to help track down the source of the attacks, and as such only requires a few (~30%) routers along the route to have it installed. Heck, it's even enough that *one* router has it installed, as long as it's the *right one*. The fact is that the itrace solution does not require everybody to install it to be helpful, and that's where it differs lightyears from currently proposed solutions (i.e. filtering at the originating site).
--
Why pay for drugs when you can get Linux for free ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Right, and who is going to be responsible for determining who is allowed to stay and who should go? Are you going to be that person? Why should you be allowed to access the net if it really is just a place for offensive material?
Wonderful! First of all, I don't see how anybody can enforce that, and even if you could, nobody should dictate whether or not my 10 year old son is allowed to surf the internet. That is for me and my wife to decide, and should be based on the level of maturity, respect and tolerance that a particular person has, not merely on age.
The only "examination" that would work is to educate the people using the Internet properly. And by properly I mean that they learn the values of respect and tolerance for all those other cultures, groups of people, ethnicities, etc. that are able to coexist in the Internet thanks to precisely the opposite of what you are advocating: NO Big Brother imposing his/her criteria upon them.
The "perfect solution" that you talk about is pretty clear. Live and let live. Be tolerant and open as to what you can find and learn from other people, and don't think that you have even a glimpse of the truth, because the truth as such does not exist.
This itrace crap will be used for legitimate traceroute type stuff and I imagine for network mapping also. Anyone have any ideas on how this can be used in a sysadmin's network toolkit (besides finding DoS attacks)?
--
Gates' Law: Every 18 months, the speed of software halves.
Not exactly. Note that the information is recorded statistically in the headers. If you only send a few packets like a normal human being you won't be particularly traceable. On the other hand, a massive download is going to be quite traceable and therein lies an important question from the point of view of anonymity.
Now, in particular, this development is as inevitable as people locking their doors and putting in security cameras in a big city. There is *no way in hell* that we will be able to prevent it. I'm of two minds about it. On the one hand, I am a big supporter of the principle that the only way to guarantee freedom of speech on the net is to have technologically-enforced anonymity. On the other hand, I think script-kiddies are scum of the earth. On the third hand, I think script kiddies, like roaches, at least perform the useful function of showing us where the weak spots in the net are.
--
When all you have is a hammer, every problem starts to look like a thumb.
Correct me if I'm wrong, but from the article, we're looking at a best case of two years before we see this. They say that they're only presenting in January 2001, and :
In the best-case scenario, the itrace rollout will take 18 months.
In that time, shouldn't we be approaching IPv6 time anyway, and doesn't IPv6 already have mechanisms in place to prevent spoofing of address headers, making the trace a lot easier using traceroute? Maybe I'm being thick, but this looks redundant before it even gets going.
/* Wayne Pascoe
I can really say that I am an expert on these things, so is there a privacy issue here??
--
Jimadilo
'... I was here, you just didn't see me.'
It wont be a burial, tho. They're just gonna leave me there where I land..There'll be no grave to dance on. You're welcome to ride the water slide, tho. I figure the videotape sales will cover the cost of building the slide and everything else.
:)
I don't plan on charging admission, tho. I believe in open-source funerals. You're welcome to attend for free, but show up early -- parking's a bitch here in Tucson.
Bowie J. Poag
Hmmmm..... Let's see.... I'm an ISP. I install this on my router. A DoS attack begins from some of my clients' systems. (Let's say these clients don't care about security.)
I start getting calls from an ISP about DoS going through my router.
Options available to me:
1. Shutdown the clients access.
2. Uninstall features on router.
3. Spend endless effort to secure my clients systems.
4. Use current technology and stop relaying of spoofed IP's which do not belong on my network. Advise client his system was hacked.
Option 1. Will cost me a great deal of money. The client will go to the competition. Problem not resolved. DoS attack continues.
Option 2. Costs me nothing. Saves headaches due to downstream ISP's problems. (since my router is not the one reporting the problem).
Option 3. Not!!!! Who works for free? It will always lead to option 1.
Option 4. If I am knowledgeable enough I would have installed this software/feature/configuration a long, long, LONG, time ago.
We have the solution already. We need a means to enforce it. I guess a lawsuit here and there is what we require to force all ISP's to implement option 4.
If the upstream ISP's do not cooperate, DoS attacks are here to stay. Sad fact.
DRM? No thanks, I'll just get it somewhere else...
I am no expert on constitutional theory, but isn't the right to bear arms the 2nd amendment?
Good point - I believe that this is what RFC2827 partially attempts to address.
----
Slán leat agus go n'eirí an bóthar leat
As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.
Some kind of authentication can be achieved using packets that are transmitted with a TTL of 255. If you get a packet with a TTL of 254 there is no way it could have been sent from a host further than one hop. Lots of routers need to be upgraded for itrace, but ALL routers decrease the Time-To-Live field. I wonder how this could be effectively extended to longer distances.
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
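The TTL check the commenter describes, as an added example that is not code from the thread or from the itrace draft: the sender uses an initial TTL of 255, so a receiver that sees a TTL below 254 knows the packet crossed more than one hop and can refuse to treat it as coming from an adjacent router. The sample headers are constructed with a zero checksum; the check proves at most how far away the sender is, not who it is.

```python
# Added example: parse a raw IPv4 header and accept an ICMP message only if its
# remaining TTL shows it travelled no more than one hop from a sender that
# started at 255 (the trick later standardised as GTSM, RFC 5082).
import struct

ICMP_PROTO = 1
INITIAL_TTL = 255
IPV4_HDR_FMT = "!BBHHHBBH4s4s"       # 20-byte header without options


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = ICMP_PROTO,
                      payload_len: int = 0) -> bytes:
    """Constructed IPv4 header for testing; checksum is left at zero on purpose."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(IPV4_HDR_FMT, ver_ihl, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the fields we care about; raises ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def max_hops_travelled(ttl: int, initial_ttl: int = INITIAL_TTL) -> int:
    """Upper bound on router hops crossed, assuming the sender started at initial_ttl."""
    return initial_ttl - ttl


def accept_as_adjacent(pkt: bytes, max_hops: int = 1) -> bool:
    """True only for ICMP whose TTL proves it came from at most max_hops away."""
    try:
        hdr = parse_ipv4_header(pkt)
    except ValueError:
        return False
    if hdr["proto"] != ICMP_PROTO:
        return False
    return max_hops_travelled(hdr["ttl"]) <= max_hops


# Constructed samples: one message from a neighbouring router (TTL 254 on
# arrival), one that crossed many hops, one non-ICMP packet with a good TTL.
NEIGHBOUR_PKT = build_ipv4_header("192.0.2.1", "192.0.2.2", ttl=254)
DISTANT_PKT = build_ipv4_header("198.51.100.9", "192.0.2.2", ttl=200)
TCP_PKT = build_ipv4_header("192.0.2.1", "192.0.2.2", ttl=254, proto=6)

if __name__ == "__main__":
    for name, pkt in (("neighbour", NEIGHBOUR_PKT), ("distant", DISTANT_PKT), ("tcp", TCP_PKT)):
        print(name, accept_as_adjacent(pkt))
```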
I don't think that age is necessarily the correct criterion here; maybe some sort of exam instead. I know plenty of 18+ year old people at work who can't even handle not clicking on an email that's a virus, whereas I'm sure there are plenty of 10 year olds who have figured that out. A 5-year-old behind the wheel is a danger to others, but a 5-year-old loose on the Net can really only hurt themselves. And with proper parental guidance, that danger can be minimized. As far as stuff that children shouldn't know about, I'll be making that decision for my children, thanks very much.
Your right to not believe: Americans United for Separation of Church and
Unless you live in Texas, whereby, I believe you have the right to bear arms and create your own private/state militia. Like it or not, I think Texas is the only state where that's expressly granted.
Don't worry, this guy is just a troll. Remember, NPO stands for Natalie Portman Obsessives.
Don't Feed The Trolls.
Friends don't let friends use multiple inheritance.
Restricting people like Joe Sixpack unless they meet some kind of strict safe-driving criteria wouldn't be too bad of an idea to me... perhaps it'd keep the morons off the road a bit? well probably not... but anyway...
the real at&t mix
That was an absolutely stunning comeback. Try again.
Bowie J. Poag
What, give up? Man.. Beating down the twits is easier than ever. :)
Bowie J. Poag
Ok - so you want to browse anonymously.. Well firstly, why? I don't see the point. Secondly, nothing's stopping you - do the same as you would if you wanted to make an anonymous telephone call - use a phone box, or a public internet access point.
I'm stirring a little, but I get tired of people pouring their bleeding hearts over rights in the internet arena that they lost in other arenas years ago. They're not complaining about the postmark on their snail mail, or the telco's ability to see their phone numbers, or the CCTV in every store they "browse" in, or the bank recording every time they use their credit or debit cards, along with the name of the shop, time, place and everything else. You don't want to be on the store's CCTV tapes, don't go in.
Salocin.com
Another attack on anonymity from the very people responsible for the architecture of the net. Is this what the net is coming to? Unfortunately, I think it is - just look at the recent attack on kuro5hin for an example of the childish, vindictive behaviour some people seem to delight in.
Anonymity is a desirable feature online, but it is one that is ripe for abuse. Whilst it allows people to use the net without fear of some "Big Brother" organisation storing their every click it also allows 15 year-old kids to DDoS websites with impunity. Getting rid of anonymity is one solution, but it's one that will do more harm than good.
So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the script-kiddies.
What criteria would be appropriate is the next question. Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.
Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.
This isn't a perfect solution, but I doubt there is one. Still, we need to do something and this could be it.
---
Jon E. Erikson
Jon Erikson, IT guru