IETF To Develop Anti-DoS ICMP

ebresie writes "Here's an interesting article about a new technology that is being developed by the IETF. It's being called itrace. This is basically ICMP Traceback Messages." There's a lot in this to think about.


  1. Cool. This research was mentioned here before. by Nygard · · Score: 2
    I thought that the work sounded familiar. Stephen Savage, who was quoted in the article, has been seen here before.

    I remember being very impressed as I read his paper. His key realization is that not every packet needs to be traced. With a large number of packets, only a tiny fraction need tracing information. Yet, the target of attacks (who is receiving 10^6 packets a day) can build an accurate picture. Brilliant.

    --
    "Genius may have its limitations, but stupidity is not thus handicapped." --Elbert Hubbard (1856-1915)
  2. Great idea. by mindstrm · · Score: 2

    For all the people who whine about 'privacy'.
    There was never any guarantee on the internet that people couldn't trace where packets were coming from. The fact that IPv4 allows forged source addresses... well.. there was simply no need to check them.

    Why would people have a problem with this? It means if you send spoofed packets, the routers along the way can *still* figure out where the hell it came from (instead of having an admin at each hop do the trace manually).

  3. It's already in the specifications by AshPattern · · Score: 3
    A friend and I were trying to figure out how to trace the DoS attacks ourselves, so I came up with an idea - why not use some of the unused space in an IP header to store the ip address of the edge router? With that system, the evil Cruft couldn't send a single packet without having a real ip attached to a geographic location.

    We were going to write an RFC and become famous.

    Then we found that it was already covered in an RFC, already in the IP protocol as the "Loose Source and Record Route."

    Force router companies and ISPs to use that particular header option, and the whole accountability problem is solved while preserving anonymity.
    1. Re:It's already in the specifications by Animats · · Score: 2

      That was considered, but has the problem that an attacker can generate packets with phony route recording info already present, preventing the addition of new data.

  4. egress filtering by TheZombie187 · · Score: 5

    ISPs can solve the spoofing problem RIGHT NOW with tools available today: egress filtering. The ISPs I run have egress filtering on ALL routers (border and internal) so not a single internal host can send a packet unless the source address is at least within the same subnet. Makes more sense to me than inventing another ICMP standard which requires all router manufacturers to update their software, and all ISPs to upgrade to the newer software.

    1. Re:egress filtering by grievah · · Score: 2

      And countries can solve the DOS issues by better educating their pupils.
      Easier said than done.
      Try to reach each and every tech which ever had configured a router, and explain him.

    2. Re:egress filtering by Fastolfe · · Score: 2

      Without IP spoofing, attacks like smurf become impossible. The only way you can DoS a site when your IP can't be spoofed is via a direct flood of traffic. Sure, you can coordinate the attack between several compromised systems, but without amplifiers such as with smurf, it's considerably less effective, and you announce the IP of every one of your intermediaries in the process, which means it'll probably be unusable as soon as the complaint gets back to the owners.

    3. Re:egress filtering by Lion-O · · Score: 2
      ISPs can solve the spoofing problem RIGHT NOW

      I agree but does that solve anything where DoS is concerned? I don't think it will. Of course there will be enough weenies who suddenly get very nervous about the idea that their real IP addresses can be traced. But so what? There are a dozen free ISPs out there which you can use. If one account gets traced use another! And then there is the tracing. I don't believe that a server which has been hacked to install a DoS exploit will be capable of reproducing logs which lead to the attacker. Incapable if the rootkit used by the kiddie fixed that of course. Personally I strongly doubt if those kiddies are capable of manually removing these traces in the logfiles.

  5. Re:Goodbye anonymity by Fastolfe · · Score: 2

    Most decent dialup hardware is 100% digital anyway, so you have equipment sitting on ISDN lines capable of answering ISDN calls but serving up analog connectivity as well, so ALL calling numbers are available and can be logged or used in the fashion you mention. This level of logging is a common practice among most responsible ISPs.

  6. Re:Wow (OT) by Bowie+J.+Poag · · Score: 2

    Hey, you're welcome. I sorta got tired of having a 60+ Karma rating.. I've managed to drop it down to like 30 or so within the course of just a few days just for fun. :)


    --
    Bowie J. Poag

  7. IP traceback background by bukys · · Score: 2
    Seriously now, considering that every packet has a source and destination IP address, adding some instrumentation to verify that source addresses are not spoofed has zero impact on privacy.

    It does raise the bar, so the next steps in the cat&mouse game include ever-more-diffuse distributed attacks to avoid ever-more-watchful intrusion detection and traceback mechanisms. Is that a bad thing? No -- it is a good thing to make successful attacks more challenging.

    A little more background reading:

    Stefan Savage, Practical Network Support for IP Traceback a technique for tracing, but requires a little packet marking/mangling which makes it unlikely to be adopted. Clever, though, I'm sure some of the ideas will fold into itrace.

    Robert Stone, CenterTrack: An IP Overlay Network for Tracking DoS Floods A tool for ISPs to build monitoring networks without making every component cooperate. Hmmm... I wonder if Carnivore has remote tunnels built in?

    Other efforts in traceback involve perturbing the source of floods (e.g. by hop-by-hop reverse flooding) and watching the statistical properties of the flood at each step.

  8. Re:So? by Fastolfe · · Score: 2

    I'm not talking about logs (and even so, the percentage of hax0rd boxes that are truly without logs or other evidence of intrusion are probably smaller than you think).

    I'm talking about real-time monitoring of network traffic and system usage. If someone's able to track the source of the attack back to a hax0rd system, all the competent admin has to do is fire up a packet sniffer, protected netstat-type utility, whatever, and figure out where YOU are connecting to this compromised machine. Since this connection is unlikely to be spoofed, the source address is guaranteed, and he can proceed to contact *that* ISP. Repeat if necessary.

  9. Article by Hard_Code · · Score: 2

    This seems to be an application of the technology described in that one paper on storing trace information in packets in a backwards-compatible way, that slashdot had a while back. I now can't find the article. Some guy described the whole process of how one could squeeze the information into unused parts of packets.

    --
    It's 10 PM. Do you know if you're un-American?
  10. Goodbye anonymity by 91degrees · · Score: 2

    So now every single packet I send can be traced back to me. If I posted this as an AC, it would be possible for law enforcement to follow the leads back from slashdot all the way to my PC.

    That's scary in itself, but since these DOSers hack into machines that might be on the route, with trace software installed, THEY can also find out who I am. They could even fake those logs to make it look like I was responsible for something I didn't do.

    1. Re:Goodbye anonymity by Admiral+Burrito · · Score: 2

      I don't see how this can work. Every time I log on to my ISP I'm assigned a different IP address and I'm willing to bet that they don't keep a log of these.

      They do. I'm sure there are some exceptions, but not many.

      That's how they identify people violating their acceptable use policy (spammers, script kiddies, etc).

      They are able to track undesirables without the help "itrace" because practically all non-DDoS activity requires legitimate source addresses on the packets in order to complete the TCP three-way handshake.

    2. Re:Goodbye anonymity by DrWiggy · · Score: 4

      This attitude always makes me smile a little. People assume that the Internet is currently anonymous and that technologies like itrace will somehow throw that anonymity away. The truth of the matter is, is that currently if you use the Internet in a normal fashion whereby you are receiving data, you are traceable. If you want anonymity then I suggest you use an anonymizer - it's what they're there for.

      Also, if you had read the article fully you would have realised that not every packet you send will be traceable - only one packet in 20,000 will cause a traceback message. This means that normal activity is unlikely to cause many traceback messages, whereas a full-on DoS will get spotted easily and be traceable. This is important because if every packet caused tracebacks, then a DoS would be twice as effective (think about it).

      And lastly, we come to the fact hackers might be able to spoof tracebacks to make it look like it came from you. Again, if you'd read the article you'll realise one of the technical challenges in implementing itrace is the PKI platform that will have to be built for authentication purposes, to ensure spoofing of these messages is not possible.


    3. Re:Goodbye anonymity by GW+Hayduke · · Score: 2

      Actually even though we (I work for a middling-sized ISP) keep radius records of users' connections and which POP they access from, it's not because of a privacy issue. Sure I've been called out by the State Police to track down malicious email, threats, harassing websites, etc... But the primary reason is that way when (l)users call up asking how long they've been on for a month, we can tell them. Also, say they claim they stopped using their account the first week, but we have transactions of that account coming from a different area for the rest of the month, we can tell that the account has been compromised.
      Trust me, as a net-admin, I have far better things to do than run a tcpdump on each of my Ras-boxen to see who's seeing whose dirty sites. (That's what my cache server logs are for :)) I'd rather spend my time doing more productive things like a recursive grep through the mail logs and forwarding a copy to the offender's parents/wife/etc.... But seriously Radius logs are usually kept for customers who would be the first to complain.... I didn't even USE the account!!!
      but this opens up a whole new can of worms

      --
      -- Life: Hate the Game... Love the cereal
    4. Re:Goodbye anonymity by Fastolfe · · Score: 2

      You would be surprised how much information is logged by ISPs.

      The one ISP I have intimate knowledge about logged everything from date/time, connection speed, disconnection reason to the NUMBER YOU WERE CALLING FROM.

      All of this information is kept strictly confidential, but is IMMENSELY useful when serious abuse incidents arise. If some Joe Hax0r is using the ISP as a throw-away dialup with some fake credit card number, and the Feds came knocking on the ISP's door, they wouldn't walk away empty handed: with the calling ID, they know exactly who the offender is.

      I suspect most ISPs have logging of this nature.

      I mean hell, for metered access, you've GOT to keep track of dialup usage. Additional information like that is trivial to add to a database, and the benefits are significant.

  11. Re:Need anonymity? by gilroy · · Score: 2
    Blockquoth the poster:
    I'm stirring a little, but I get tired of people pouring their bleeding hearts over rights in the internet arena that they lost in other arenas years ago.
    Fair enough. Some of us get a little tired of the sheep who decide that a loss of freedom anywhere justifies a loss of freedom everywhere, or who think that the fact that things have gone wrong somehow makes it right that they go wrong. I find it one part funny, two parts sad when I see people scoff at the notion of a "slippery slope" ... then make arguments like the above to justify giving up.
  12. Re:Alternative measures by Andrew+Cady · · Score: 2
    Dude, the internet does NOT allow anonymity. In order for you to RECEIVE any information (such as a web page), you need to divulge your address. This is the same principle behind which you must divulge your shipping address if you expect to receive packages. ITRACE doesn't take away any anonymity from average people who don't use IP spoofing. It makes IP spoofing harder. IP spoofing makes the internet worthless: you can't use it to visit web sites, you can't use it to send email, you can't use it to go on FTP sites, you can't use it to telnet, etc. It prevents you from receiving ANY information. It's the electronic equivalent of putting a fake return address on a letter. It prevents two-way communication.

    That's why NOBODY but crackers uses it, NO operating system supports it natively, and NO protocol works under it. Its only use is cracking.

    Furthermore, anonymous proxies -- which are already the only way to be both anonymous and useful on the internet -- are unaffected by ITRACE. NOBODY lost any privacy here, except crackers.

    It's unbelievable how many people on slashdot do not understand basic networking principles!

  13. So? by Lion-O · · Score: 4
    Sounds kinda nice but let me get this right; I'm tracing the origin of the DoS flood. In other words; this will lead me to one of the, in most cases, many servers which are sending me this flood. What good will that do me? Sure, I know which company has a h4x0r3d server and I can tell them that their server flooded me but this won't resolve the issue. C'mon; there are millions of servers out there. If I can trace one and even let them shut it down the script kiddie can have 5 others in no time. Happy tracing!!

    No, I've said it before in an earlier post; the only way to solve this IMHO is to let the hosting providers come together and set up a guideline / rule for all servers being hosted. If they don't meet the security limits it's either done for them or bye bye. When these people stop thinking about money all the time and also give a little bit more consideration to the Net, our troubles would reduce enormously.

    1. Re:So? by Fastolfe · · Score: 2

      Instead of contacting the provider of the compromised system and having them shut down the offender, have them TRACK HIM DOWN. With simple network tools they can figure out where the intruder is connecting from and FIND the dickhead instead of just killing the connection, patching up the system and forgetting him.

  14. Re:itrace? uh-oh by Hackboy · · Score: 2

    First of all, the amendment related to guns is the second. Next, that amendment does not give you as an individual the right to own or carry a gun. It gives the states power to arm their militia. By law, this means the national guard. No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun. This view has been consistently upheld by the Supreme Court, most directly in US v. Miller, 307 US 174. For a more in-depth analysis, see The Politics of Gun Control, Robert J. Spitzer.

    Read Miller again. Miller lost the case because a sawed off shotgun is not a weapon with much military value. There is even some language that infers that 2nd is an individual right.

    Also check out US v Emerson which is now before the 5th Circuit. Judge Sam Cummings ruled it an individual right and it looks like the 5th Circuit is leaning that way. The whole issue could be before SCOTUS next year.

  15. More than twice as much... by Andy+Dodd · · Score: 2

    If itrace sent one traceback packet for each packet that passed through a router, it would far more than double the effectiveness of the DDoS - For every packet that went from source to destination, a new packet would be generated for EVERY HOP! Of course, this is a moot point, since it's only one out of every 20,000 packets that goes through a router. (Of course, this means that if you have 20 hops, a traceback message will come from somewhere in the route every 1000 packets or so...)

    --
    retrorocket.o not found, launch anyway?
  16. Re:Security concerns ? by Andy+Dodd · · Score: 2

    Just the opposite - The DoS packets are spoofed, because they only need to go one way.

    As has been pointed out numerous times in this article before, THIS DOES NOT AFFECT TCP STREAMS! If you have a TCP connection, YOUR IP IS ALREADY KNOWN! You cannot combine spoofing with the ability to receive data. If you want to remain anonymous, use an anonymizer proxy, which itrace will not affect.

    --
    retrorocket.o not found, launch anyway?
  17. Separate Packets? by Greyfox · · Score: 2

    I hope the writer of the article is confused. If you put your trace messages in separate packets, you'll only be able to trace the DOS as far as the reflector machines. That's useless -- we know who the reflector machines are already. If you put the trace message inside the packet payload, you've got a much better chance of tracing the entire path without having to ask the guy at the reflector machine to get involved.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  18. Re:Alternative measures by dingbat_hp · · Score: 3

    You're falling into the trap of the Politician's Syllogism:

    • Something Must Be Done
    • This is something
    • Therefore this must be done.

    Aren't you posting from the UK ? Right now the UK has the unedifying spectacle of a government simultaneously imposing draconian anti-privacy measures in the RIP bill, yet also having their own secrets exposed by "Benji the Binman", owing to their own complete lack of understanding on basic infosec (shred your rubbish).

    We already have many defences against DDoS attacks. The best one is installing Clues in the admins of bozo ISPs (not forwarding RFC1918 is a damned good start), but more robust inbound routing helps too (stateful packet inspection still isn't commonplace, yet it kills things like SYN flooding). We can fix this. Sure, it sucks today, but let the geeks work it out and we'll get the holes patched.

    So what are you suggesting instead ? Modem Licences, to go with the Modem Tax rumours you recall so fondly from the Net 10 years ago. The infrastructure is flaking, there are too many cluephobes jumping on the ISP bandwagon, yet you want to start beating up on the users ! I'm sorry if AOL doesn't meet your standards of intellectual superiority (are you a Mensa member too ?), but their cash is as good as yours or mine, and they've just as much right to be here.

    If I walk into my local pub and behave like a jerk I'll be thrown out. Cross the road and the same behaviour is accepted as normal; different pubs, different communities, different standards of behaviour. How is your "global net access" going to support that ? I don't want Kansas fundies telling me that evolution doesn't work, and they probably wouldn't want me offending their local ordinances either.

    Don't like Grits with your Slashdot ? Let's make moderation work better. Virtual Communities are still a pretty new concept, and we're going to have to learn how to deal with the odd Mr Bungle or BeerGuy.

    Personally I think an age limit of 32 is about right. Keeps off the people who don't remember uucp and real netiquette. How do you like that idea ? 8-)
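TheZombie187's egress filtering (comment 4) and dingbat_hp's "not forwarding RFC1918" above are the same control applied at two points of an ISP's network: a customer port may only source packets from the prefix assigned to it, and the border must not accept unroutable sources or packets that claim to come from the ISP's own customers. The following is an added example, not code from the thread or from any ISP's router configuration; it models both rules as a packet classifier. The interface names, prefixes, bogon list and sample packets are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: source prefix assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust1": ipaddress.ip_network("198.51.100.0/24"),
    "cust2": ipaddress.ip_network("203.0.113.0/24"),
}
UPSTREAM_IF = "upstream"  # constructed name for the transit-facing port

# Source prefixes that should never arrive from the public Internet
# (RFC1918 space plus other unroutable ranges).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str
    dst: str


def classify(pkt):
    """Return "forward" or the reason the packet is dropped."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress_if in CUSTOMER_PREFIXES:
        # Egress / anti-spoofing rule: a customer may only source packets
        # from the prefix assigned to its port; anything else is forged.
        if src not in CUSTOMER_PREFIXES[pkt.ingress_if]:
            return "spoofed source on customer port"
        return "forward"
    if pkt.ingress_if == UPSTREAM_IF:
        # Border rules: drop unroutable sources, and drop packets claiming
        # to come from our own customers but arriving from outside.
        if any(src in p for p in BOGON_PREFIXES):
            return "bogon source from upstream"
        if any(src in p for p in CUSTOMER_PREFIXES.values()):
            return "own prefix spoofed from upstream"
        return "forward"
    return "unknown interface"  # fail closed


def filter_packets(packets):
    """Split a batch into forwarded packets and (packet, reason) drops."""
    forwarded, dropped = [], []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict == "forward":
            forwarded.append(pkt)
        else:
            dropped.append((pkt, verdict))
    return forwarded, dropped


# Constructed traffic sample: two legitimate packets, five forged ones.
SAMPLE_PACKETS = [
    Packet("cust1", "198.51.100.7", "192.0.2.10"),      # legitimate outbound
    Packet("cust1", "10.0.0.5", "192.0.2.10"),          # forged private source
    Packet("cust1", "0.0.0.0", "192.0.2.10"),           # forged 0.0.0.0 source
    Packet("cust2", "198.51.100.7", "192.0.2.10"),      # cust1's address from cust2
    Packet("upstream", "192.168.1.1", "198.51.100.7"),  # RFC1918 from the Internet
    Packet("upstream", "203.0.113.9", "198.51.100.7"),  # our prefix from outside
    Packet("upstream", "192.0.2.50", "198.51.100.7"),   # legitimate inbound
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    for p in fwd:
        print("FORWARD", p.ingress_if, p.src, "->", p.dst)
    for p, why in drop:
        print("DROP   ", p.ingress_if, p.src, "->", p.dst, ":", why)
```

The classifier fails closed on an interface it has no prefix for, which is the behaviour you want when a router's port list and its filter list drift apart: a customer with no assigned prefix cannot send anything until the configuration is fixed, rather than being able to send with any source.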

  19. Re:Alternative measures by Azog · · Score: 2

    This is not an attack on anonymity. Go read the actual IETF draft. You will see that the only thing it helps with is tracing back packets with SPOOFED originating IP's.

    This will help prevent things similar to the attack on kuro5hin. Unfortunately, if attackers are using compromised machines, all it will (or can) do is help to quickly find the real IP addresses of the machines that have been compromised. You see, someone doing a denial of service attack right now can cause the servers they are using to output IP packets that look like they are from somewhere else. When those packets arrive at the target, 10 hops later, it is nearly impossible to find the real machines that are causing the attack. That's what this proposal solves.

    This has nothing to do with eliminating privacy or anonymity. Every time you connect to a web site now, they can find out the IP address you are coming from. Duh! How else can they send the web page back to you??? If you spoof your originating address, you cannot have a two way conversation.

    IP source spoofing is ONLY useful for denial of service attacks, and that is the ONLY thing this proposal addresses.

    The so called solutions you are advocating, like restricting access to the net would be far, far worse for invading privacy. Think about it... how are you going to make sure that only "authorized people" use the internet? Well, you will have to identify all of them. With examinations, meeting criteria, getting what is equivalent to an "internet license"... well damn, there goes privacy! Just like anyone who sees your license plate on your car can find out who the car owner is. No privacy there either. Did you think about this?

    The IETF proposal is not a perfect solution. You are correct that there probably isn't one. However, it is a good one and 100% better than your suggestion.


    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
  20. Re:What stops me from spoofing itrace? by Azog · · Score: 3

    The itrace packets will have an authentication section. Read the ietf draft, it explains some of the possibilities.

    At any rate, spoofed itrace packets will be detectable.


    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
  21. Can't stand the name "Itrace" by / · · Score: 2

    At least with names consisting of "i"+$propernoun (like "iMac"), while they violate every convention of capitalization in English, that odd capitalization at least gives some clue as to their pronunciation. Have we really devolved to the point where any word that appears on the internet that has an "i" in front must be pronounced with a long "i" separate from the rest of the word? Didn't someone realize that this coopts the single most used word in the English language in the process and renders it a mere idiot prefix? At least when companies did this with "super", that was a normal adjective.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  22. Re:itrace? uh-oh by ufdraco · · Score: 2

    We can't let them take our right to privacy too.

    Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."

    Ninth:

    The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

    What you may be unaware of is the fact that there were many people who argued against the Bill of Rights for the very reason you've illustrated: they claimed that it would have the result of effectively restricting what Rights were actually protected because they didn't name them all (After all, in their view, Rights are intrinsic, they can't be granted, they can't be taken away. Everything else is privilege). Amendments 9 and 10 were written to counteract this, but I'm not so sure this was effective. After all, how many cases do you know of that reach the Supreme Court under 9th and 10th amendment claims? They may be there, but they are certainly overlooked by the public.

    --

    ufdraco

  23. Re:itrace? uh-oh by akey · · Score: 3

    I'm sick and tired of good intentions being used to defend bad plans.

    Uh, sorry. No. The internet as we know it was built on a large number of assumptions, many of which are simply no longer true. The largest of these assumptions is that there was no reason for built-in security, since the only people using the network were academic types -- and it was true that the various institutions could generally trust each other. But as the network became more open to the public at large, the old assumptions began to break down. This plan is an attempt to fix a single problem in an inherently bad design. Get over it.

    --
    "Go Metallica. Die RIAA." -- Linus Torvalds
  24. Spoofed packets aren't always bad by jonathanclark · · Score: 2

    Actually spoofed packets are useful in not-so-evil manners. I'm working on an anonymous file transfer protocol that depends on the ability to hide the return address. That is, you can send a file to someone without them knowing where it came from or being able to trace it back to you. There are two levels of anonymity:

    1. You send packets directly to the target host using UDP with a spoofed return IP address of 0.0.0.0. This method can work to receive packets from behind a firewall with a SOCKS 5 server. Since this doesn't use ICMP it's not affected by itrace.

    2. You send packets inside of an ICMP message to a random host on the net. The ICMP return address contains your target host. This is the most secure method, but you could end up pissing off some unwilling participants. You can reduce this by spreading the packets across a lot of hosts.

    The astute reader will note that both methods use lossy transmission (UDP and ICMP). So a communication channel must be set up where the target can report lost/missing packets. Since this protocol is specific to file transfer, lost packets don't need to be reported individually and so they are clumped together and passed around a chain of computers (à la a gnutella-like network). The sender eventually gets the updates and resends the remaining packets.

    Itrace could possibly affect method #2, making it easier to trace a packet back to the source. But it really cannot isolate the sender to more than a subnet unless it is installed everywhere. There is too much equipment out there now that will never be replaced to make this a reality.

  25. Some points: by Animats · · Score: 2
    Some points:
    • This has no privacy implications. All useful IP packets have valid source addresses, so you know where they came from. With an invalid source IP address, you'll never get an answer, and can't open a TCP connection. All this affects is packets with forged IP addresses.
    • It's a sampling system. The recommended sample is 1 in 20000 packets. Until someone has sent you substantially more forged packets than that, you won't be able to trace them. So it's useful only against massive denial-of-service attacks.
    • It won't help much in finding systems on LANs. It will identify the LAN's router to the outside world, but unless the LAN's router fully supports Itrace with reverse Ethernet lookup, it won't identify the source machine.
    • Effectively, this means you'll have a box or router feature that reports the sources of major IP source spoofs. It doesn't provide any means of dealing with the problem. It tells you whose hacked system needs to be fixed, and where their upstream router is so they can be disconnected.
    • It's not automatic. There's nothing in this that actually stops an attack.

    So it's a useful first step, and the one that has to be widely deployed before anything else can be done. Good work by the IETF.
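Animats's second point above (no trace until substantially more than 20,000 forged packets have arrived) and Andy Dodd's arithmetic in comment 15 (20 hops at 1 in 20,000 gives a traceback message roughly every 1,000 packets) both follow from one model: every router on the path samples each packet independently with probability p. The following is an added example, not code from the thread or from the IETF draft; it computes those figures, simulates a flood to show what the victim actually receives per hop, and counts how many packets must arrive before every router on the path has reported at least once. The path length, sample rate and seeds are constructed, and hop indices are abstract (hop 0 is the router nearest the attack source in this model).

```python
import math
import random

SAMPLE_RATE = 1 / 20000  # the "1 in 20,000" figure quoted in the thread


def expected_packets_per_message(hops, p=SAMPLE_RATE):
    """Mean number of attack packets arriving at the victim per traceback
    message from anywhere on the path.  Each of the `hops` routers samples
    independently, so messages arrive at rate hops*p per packet."""
    return 1.0 / (hops * p)


def expected_messages(n_packets, hops, p=SAMPLE_RATE):
    """Mean number of traceback messages a flow of n_packets generates."""
    return n_packets * hops * p


def prob_router_silent(n_packets, p=SAMPLE_RATE):
    """Probability that one particular router has not reported at all after
    n_packets have passed through it (Animats's point: after 20,000 packets
    this is still about e^-1, so a single router is often still unknown)."""
    return (1 - p) ** n_packets


def simulate_flood(n_packets, hops, p=SAMPLE_RATE, seed=0):
    """Model each router on an H-hop path sampling every packet with
    probability p.  Returns {hop_index: messages_received_by_victim}."""
    rng = random.Random(seed)
    received = {}
    for _ in range(n_packets):
        for hop in range(hops):
            if rng.random() < p:
                received[hop] = received.get(hop, 0) + 1
    return received


def packets_until_full_path(hops, p=SAMPLE_RATE, seed=0, limit=5_000_000):
    """Attack packets the victim must absorb before every router on the path
    has reported at least once, i.e. before the whole path is reconstructible.
    Returns None if `limit` packets are not enough."""
    rng = random.Random(seed)
    reported = set()
    for n in range(1, limit + 1):
        for hop in range(hops):
            if rng.random() < p:
                reported.add(hop)
        if len(reported) == hops:
            return n
    return None


def reconstruct_path(received):
    """Hop indices the victim has evidence for, nearest-to-attacker first."""
    return sorted(received)


if __name__ == "__main__":
    print("20 hops: one message per", expected_packets_per_message(20), "packets")
    print("500-packet browsing session, 20 hops:",
          expected_messages(500, 20), "messages on average")
    print("router still silent after 20,000 packets:",
          round(prob_router_silent(20000), 3))
    got = simulate_flood(100_000, 20, seed=0)
    print("100,000-packet flood, messages per hop:", got)
    print("routers identified:", reconstruct_path(got))
    print("packets until the full 20-hop path is known:",
          packets_until_full_path(20, seed=0))
```

The expected number of packets until all H routers have reported is roughly (1/p) times the H-th harmonic number, about 72,000 packets for H = 20, which is why the thread's consensus that the scheme only bites on sustained floods, and not on ordinary browsing, is correct; a few hundred packets of normal traffic generate well under one message on average.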

  26. Two very important points by Zaffle · · Score: 3

    Before going off and criticising this, take note of these two points:

    1 in 20,000 packets will be affected. So it's not as if every packet you send is affected.

    All it does is send what the router knows of the packet to the destination.

    In other words, if you are surfing slashdot, every once in a while, slashdot will get an itrace packet saying that 1.2.3.4:1234 destined for slashdot.org:80 was routed through me.

    However, if you are surfing slashdot, then slashdot ALREADY knows your ip address. This only affects you if you use spoofing to send packets out. And remember, spoofing is (basically) connectionless. You can't connect to a website and get a page (or even request a page) with a spoofed IP address. You can only send out individual packets that have a spoofed from address.

    So, how does this affect my privacy? Well, if I do lots of DOS attacks, or spoofed portscans, then occasionally the site I'm attacking will find out some of the routers I'm going through. If I'm a regular joe blogs, surf porn sites on company time, and generally do things I don't want the public to know about, then some of the places I visit will find out occasionally which router I go through. However they can get this information really easily via a standard traceroute.

    So in the end, it has VERY LITTLE effect on privacy, except for those who are trying to spoof their return address (And spoofing your return address is 90% of the time used only in attacks. (Occasionally it could have a legitimate purpose, but if it did, then you shouldn't care if the other site figures out who you are)).

    As far as I can see, its generally a good thing(tm), though they'd better get the authentication right, else it will become useless.

    Oh, that's one thing, if the authentication isn't good enough, then you'll be able to fool some sites into thinking you are routing through a different router. However this only brings us back to square one, no further.

    --

    I use to have a funny sig, but slash cut it off, and I forgot what the punchline was.
  27. Reality Check by Minupla · · Score: 3

    OK, before everyone gets up on their horses....

    Firstly I support internet privacy totally.

    Secondly this initiative does not erode that.

    Read the article, and you find a few things...

    1) itrace packets are only sent for approx 1/20000 packets through a router, greatly reducing any traffic analysis benefits from monitoring itrace packets

    2) the packets go to the destination. So only your destination and points between can read the itrace packets, but they can read your packet anyways, so no biggie.

    Ergo, the only time an itrace packet will tell anyone anything more than they would know by looking at the IP header of your TCP packets is in the limited case where the IP address on the packet is forged.

    Now why, you might ask, would you want to forge an IP address? Good question. Remember if your IP address is wrong, no return traffic will reach you. The 2 cases I can think of are:

    1) doing a TCP hijack attack, and due to the probable low volumes (telnet doesn't generate THAT many packets) in the hijack stream the chances of getting caught by an itrace packet is pretty slim.

    2) performing a DOS attack, which is pretty much totally evil.

    3) doing a portscan with a decoy. You might get your fingers slapped here. Life's a beach.

    So, as far as playing on gnutella, or posting as AC on slashdot is concerned, you don't lose anything to itrace in terms of anonymity that you hadn't already lost by having your IP address on a packet.

    I hope that clears things up somewhat and avoids a flame or two.

    --
    Remove the rocks from my head to send email

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  28. What stops me from spoofing itrace? by wowbagger · · Score: 3

    What keeps a script kiddie from sending spoofed itrace packets implicating every machine on the planet from a compromised machine?

  29. Re:itrace? uh-oh by Andrew+Cady · · Score: 3
    I'm sick and tired of good intentions being used to defend bad plans. People have gotten away with taking our guns (protected by the Third Amendment) and our freedom of speech to talk about drugs (protected by the First Amendment). We can't let them take our right to privacy too.

    The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.
    If you understood the technology here, you would realize that UNLESS YOU'RE USING IP SPOOFING, ITRACE WILL NOT AFFECT YOU. All that ITRACE does is make IP SPOOFING much more difficult. The majority of net users do not use IP spoofing. And the majority of net users who do use IP spoofing ARE using it to do illegal things.

    The ability to know the IP of the person sending you packets is NOT a privacy violation. There are already ways to send information anonymously; what possible use could IP spoofing have?

  30. Re:itrace? uh-oh by Steve+Richards · · Score: 3

    First Echelon, then Carnivore, and now yet another attempt to track the actions of average citizens on the Internet.

    Wait, I thought they said "perpetrators of DDoS attacks".

    Sure, stopping DDoS attacks sounds good in theory, but so does stopping "child molesters" or "foreign spies."

    Uh.... Those sound good in practice, too, I think. Do you have any reasons to the contrary?

    Like we need more information about ourselves being handed out online.

    Like anyone even cares about what you do online. I'm constantly amazed by the number of Slashdot readers that have delusions of government agencies tracking their every move online, reading their every email, and so on. "They" just plain don't care about most of you. Get it? It may be comforting to have these delusions that you are somehow significant, but I'm pretty sure that nobody here is important enough for "them" to care about.

    And then there's the ever-present question of just who "they" are.

    I'm sick and tired of good intentions being used to defend bad plans.

    Well, that's wonderful, but I don't see any good plans coming from you. If you don't like the plan, come up with a better one.

    People have gotten away with taking our guns (protected by the Third Amendment)

    Second.

    We can't let them take our right to privacy too.

    Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."

    The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.

    The majority of citizens do not commit murders. Therefore there is no need for a police homicide unit.

  31. Re:One example where anonymity is really needed by Abigail · · Score: 2
    For these people, any loss of anonymity (such as a "where did these packets originate" solution) means a serious risk to their lives, while their activity is not at all illegal - it's perfectly ordinary scientific research.

    To perform any meaningful communication, one has to know where a packet came from, otherwise, one cannot reply. Any valid TCP/IP connection is one where both ends know the address of the other end. I cannot see why your students need to send out untraceable IP packets - there's no service that works that way. As for an anonymous high level protocol, like mail, your implemented solution isn't affected by it. Currently, the receiver of the anonymized mail already has to know the address of your remailer - otherwise you won't be able to build an SMTP connection. But that's where it stops - and that's where itrace would stop as well, as that's the end-to-end connection being made.

    -- Abigail

  32. End of one problem, start of another and another.. by ADRA · · Score: 2

    I would like to shed another point that could possibly make this itrace ICMP message quite useless, or destructive. Note, I am not an expert on the workings of the ICMP itrace packet. I just know enough of IP and the workings of routing / firewalls / ICMP to see there may be flaws in IETF's planning.

    1. Possibility for using itrace messages for malicious attacks

    Because the ICMP packet is just another IPv4 packet, there is just as likely a risk that the originator can use this packet type as a way to DOS a system, by flooding the system with itrace packets, like smurf (http://www.cert.org/advisories/CA-98.01.smurf.html), etc..

    By opening a new, valid form of ICMP, firewalls that are used to block all non-productive ICMP traffic will have to be changed to block iTrace packets, hence eliminating its use.

    2. The ways to stop itrace from working

    The itrace packet will be susceptible to the same ills of source spoofing that any other packet could. If one wishes to stop an itrace packet from finding the source that sent it, the originator could send a slew of itrace packets from varying sources, making any response useless.

    3. The effects to routers and IP Stacks

    In order to implement itrace effectively, all IP Stacks and Router software in the world may have to be changed to allow the tracing of these new message types. Firewalls shouldn't have a problem letting them through as long as the ICMP 'type' field can be specified in a filter. If itrace is not implemented directly into the stack, some stacks may throw the packet out as being 'mal-formed', which is another form of network attack.

    4. Firewalls, NAT's, and the risks that itrace poses

    The point of a firewalled system is so that hosts behind the wall will become protected, or even anonymous to the world at large. There are two decisions that network engineers have when the itrace packet is implemented.

    They can let the packets enter the firewall, and run free. This can lead to DOS and smurf like attacks inside the network, and could cause a good deal of havoc. Also, letting itrace packets in and out of a firewall could seriously jeopardize the security of the private network, by using the itrace responses to reconstruct the layout of the internal network.

    The other choice was to block any itrace packets from entering a firewalled system. This is what admins will likely do for security reasons. When an itrace request to find a host enters the firewall, the best that would happen is that the firewall would bounce a negative response saying that the firewall wouldn't let the ICMP message in. The worst is that the itrace message just gets discarded, in which case, the source of the itrace message has no idea why the trace failed.

    5. Changes to IP Stacks and server/router loads

    The problems presented had to do with a system that has been accepted and implemented. This problem has to do with the feasibility of such a system.

    Just imagine a root router. It is pumping out hundreds of thousands of packets a minute. All of a sudden, a spoofed packet enters the router, and then leaves to its next hop, which is a host that the packet is DOS'ing. The router has to know which 'home' the spoofed packet came from. That means that the router will have to keep track of every packet that comes and goes from the machine, in order to properly route the itrace packet to its next hop.

    Conclusion

    So, now I hope you all can see the ills that the itrace packet type will lead to in the scheme of things. My best suggestion would be to wait until IPv6, when all routers, firewalls, and IP Stacks will be rewritten. At that time, architects could find reasonable ways around such a problem.

    --
    Bye!
  33. Re:egress filtering - Totally right by Ice+Tiger · · Score: 3

    This would stop address spoofing right now, all ISPs should implement this. So what are the chances of getting ISPs to roll out itrace if they don't even bother to try and fix the problem in the first place.

    I know I won't be popular here on /. but maybe a few lawsuits against ISPs not implementing egress filtering might change the current situation. Maybe implicating them due to negligence or some such.

    --
    "Because we are not employing at entry level, offshoring will kill our industry stone dead."
  34. Re:Alternative measures by Imperator · · Score: 3
    Your post is such nonsense that I hardly know where to begin.

    So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the script-kiddies.
    <sarcasm>So what is to be done? Maybe it's time to restrict who has access to the roads. Since companies like Ford made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in stoplight-running, wrecks and general abusive behaviour. If people were not allowed to access the roads unless they fit certain criteria we could reclaim it from the infidels.</sarcasm>

    You're confusing causation and correlation. It's also happened since (a) script kiddie tools became widely available, (b) users with significant home bandwidth have become common, (c) non-web media have given attention to, and to an extent glorified, 31337 behavior, and (d) 17" monitors became popular. You further make the insidious claim that average AOL users are script kiddies; this is a cheap, elitist attack that doesn't in the least help your argument: AOL users aren't anonymous.

    What criteria would be appropriate is the next question. Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.
    <sarcasm>Right! What we also need to do is restrict libraries to adults 18 years of age or older. We don't want our kids to read about bomb-making until they reach the age of 18 and are magically wise. There's so much offensive material in the library, after all.</sarcasm>

    Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.
    <sarcasm>Another great idea! Let's create some powerful organization to kick impolite people (by their judgment) off the net. Also this organization, which everyone would gladly accept, would be empowered to remove inferior users. All the nations of the world would unite behind a plan to make the Internet available only to the master race.</sarcasm>

    Seriously, why are you so intent on kicking off users? It's childish and vindictive behavior. It's neither practical, nor IMHO desirable in a free society.

    --

    Gates' Law: Every 18 months, the speed of software halves.
  35. Cool! by Ex+Machina · · Score: 2

    This itrace crap will be used for legitimate traceroute type stuff and I imagine for network mapping also. Anyone have any ideas on how this can be used in a sysadmin's network toolkit (besides finding DoS attacks)?

  36. Re:Alternative measures by Imperator · · Score: 2
    Isn't that what driving licenses are for? I'm suggesting a similar thing for the net. You wouldn't let your 5 year old son drive a car, why let him online? Both are dangerous in their own ways.
    Perhaps a better analogy would be a library or a sidewalk. I wouldn't let a 5 year old son read any book or cross the street alone, but it's not all or nothing.

    What have AOLers ever added to the net? Even if they're not all hackers and script-kiddies, they're certainly a drain on bandwidth. Remember how the net was ten years ago?
    Yeah, I remember. It was small, and hard to find information unless it related to Unix or particle physics. AOL users have added a tremendous amount of content. While it's possible that the content contributed by the average AOL user is not as high as the average non-AOL user, the net ten years ago isn't something I'd prefer to return to.

    If you were in a restaurant and someone starting kicking tables over, they'd get thrown out. Same principle. Besides, prevention is always better than a cure, and it is prevention that I'm in favour of.
    Script kiddies do get kicked off. However, the Internet is not a restaurant. A restaurant has a single owner or manager on location at all times. The net is more like a public square. If someone's committing a crime, they'll be removed, but if someone isn't contributing anything to the public discussion, no one advocates that they be forced out. (Nor must you be 18 to be seated at a restaurant, or participate in the public square.)

    --

    Gates' Law: Every 18 months, the speed of software halves.
  37. IPV6 by Builder · · Score: 2

    Correct me if I'm wrong, but from the article, we're looking at a best case of two years before we see this. They say that they're only presenting in January 2001, and :

    In the best-case scenario, the itrace rollout will take 18 months.

    In that time, shouldn't we be approaching IPV6 time anyway, and doesn't IPV6 already have a mechanism in place to prevent spoofing of address headers, making the trace a lot easier using traceroute? Maybe I'm being thick, but this looks redundant before it even gets going.


    /* Wayne Pascoe

  38. How is this bad. by jimadilo · · Score: 2
    I can tell that loads of people are going to start spouting stuff about privacy, but:

    1. Usually if you are getting stuff that you might not want the government to look at, you are still using tcp, so they know who you are anyway.
    2. It can only trace across routers that support it (as far as I can tell from the article).
    3. It can only really trace a nice big volume. The odd spoofed packet will probably go unnoticed.

    I can really say that I am an expert on these things, so is there a privacy issue here??

    --
    Jimadilo

    '... I was here, you just didn't see me.'
  39. TTL authentication by XNormal · · Score: 3

    As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.


    Some kind of authentication can be achieved using packets that are transmitted with a TTL of 255. If you get a packet with a TTL of 254 there is no way it could have been sent from a host further than one hop. Lots of routers need to be upgraded for itrace, but ALL routers decrease the Time-To-Live field. I wonder how this could be effectively extended to longer distances.


    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
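The TTL idea in the post above (a packet that arrives with TTL 254 or 255 cannot have crossed more than one router, because every router decrements the field) can be turned into a receiver-side check. This is an added example, not code from the post or from any itrace implementation: it constructs IPv4/ICMP packets in memory, models a router hop, and accepts an itrace-style message only when its TTL proves one-hop origin. The ICMP type number used for the message is a placeholder, since the draft's real type value is not given on this page.

```python
"""One-hop origin check on the IP TTL, as sketched in the comment above.

Added example, not code from the post or from any itrace implementation.  A
sender that starts at TTL 255 reaches a directly attached neighbour with 255
or, after exactly one forwarding hop, 254; every router on the way decrements
the field, so a lower value cannot be from an adjacent hop.
"""
import struct
from typing import Optional

IP_PROTO_ICMP = 1
ICMP_TYPE_PLACEHOLDER = 200   # placeholder; the draft's assigned type is not on this page
INITIAL_TTL = 255             # the sender-side convention assumed by the check


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, ttl: int, icmp_type: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet carrying an ICMP message (sample data)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + payload
    icmp = struct.pack("!BBH", icmp_type, 0, ip_checksum(icmp)) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl,
                      IP_PROTO_ICMP, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def forward_one_hop(packet: bytes) -> bytes:
    """Model a router forwarding the packet: decrement TTL, refresh the checksum."""
    ttl = packet[8]
    if ttl <= 1:
        raise ValueError("TTL exhausted; a router would discard this packet")
    hdr = bytearray(packet[:20])
    hdr[8] = ttl - 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def parse_packet(packet: bytes) -> Optional[dict]:
    """Parse the IPv4 header and ICMP type; None if malformed or the checksum fails."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return None
    if ip_checksum(packet[:ihl]) != 0:   # valid header sums to zero
        return None
    if packet[9] != IP_PROTO_ICMP:
        return None
    return {"ttl": packet[8],
            "src": ".".join(str(b) for b in packet[12:16]),
            "icmp_type": packet[ihl]}


def from_adjacent_hop(packet: bytes) -> bool:
    """Accept an itrace-style message only if it is at most one router hop away.

    TTL 255 means no router forwarded it (direct neighbour); 254 means exactly
    one did.  Anything lower has crossed two or more hops, or was sent with a
    lower initial TTL, and cannot be vouched for this way.
    """
    info = parse_packet(packet)
    if info is None or info["icmp_type"] != ICMP_TYPE_PLACEHOLDER:
        return False
    return info["ttl"] >= INITIAL_TTL - 1


if __name__ == "__main__":
    pkt = build_ipv4_icmp("192.0.2.1", "198.51.100.10", INITIAL_TTL,
                          ICMP_TYPE_PLACEHOLDER, b"constructed itrace payload")
    for hops in range(4):
        print(f"after {hops} hop(s): TTL={parse_packet(pkt)['ttl']} "
              f"adjacent={from_adjacent_hop(pkt)}")
        pkt = forward_one_hop(pkt)
```

What the check proves is adjacency, not identity: a passing packet came from something one hop away, so the receiver still has to compare the source against the neighbours it expects, and the post's question about extending the idea to longer distances is left open here, as it is in the post.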
  40. Need anonymity? by nlvp · · Score: 2
    What's the difference between this and a digital telephone exchange that knows where you're calling from? When people got bogus or malicious calls, companies created a system whereby those calls could be traced within seconds. That's a good thing. Your right to privacy over the telephone is gone already, and nobody's crying about that. What's the difference between that and this particular point-to-point connection system? Surely it's the privacy of the content that matters, and not your ability to send stuff to people without their knowing who it is that sent it?

    Ok - so you want to browse anonymously.. Well firstly, why? I don't see the point. Secondly, nothing's stopping you - do the same as you would if you wanted to make an anonymous telephone call - use a phone box, or a public internet access point.

    I'm stirring a little, but I get tired of people pouring their bleeding hearts over rights in the internet arena that they lost in other arenas years ago. They're not complaining about the postmark on their snail mail, or the telco's ability to see their phone numbers, or the CCTV in every store they "browse" in, or the bank recording every time they use their credit or debit cards, along with the name of the shop, time, place and everything else. You don't want to be on the store's CCTV tapes, don't go in.

  41. Alternative measures by Jon+Erikson · · Score: 2

    Another attack on anonymity from the very people responsible for the architecture of the net. Is this what the net is coming to? Unfortunately, I think it is - just look at the recent attack on kuro5hin for an example of the childish, vindictive behaviour some people seem to delight in.

    Anonymity is a desirable feature online, but it is one that is ripe for abuse. Whilst it allows people to use the net without fear of some "Big Brother" organisation storing their every click it also allows 15 year-old kids to DDoS websites with impunity. Getting rid of anonymity is one solution, but it's one that will do more harm than good.

    So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the script-kiddies.

    What criteria would be appropriate is the next question. Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.

    Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.

    This isn't a perfect solution, but I doubt there is one. Still, we need to do something and this could be it.

    ---
    Jon E. Erikson

    --

    Jon Erikson, IT guru