Posted by ryuzaki0 on from the this-is-gonna-get-interesting dept.
ebresie writes "Here's an interesting article about a new technology that is being developed by the IETF. It's being called itrace. This is basically an ICMP Traceback Message." There's a lot in this to think about.
It's already in the specifications (by AshPattern, Score: 3)
A friend and I were trying to figure out how to trace the DoS attacks ourselves, so I came up with an idea - why not use some of the unused space in an IP header to store the IP address of the edge router? With that system, the evil Cruft couldn't send a single packet without having a real IP attached to a geographic location.
We were going to write an RFC and become famous.
Then we found that it was already covered in an RFC, already in the IP protocol as the "Loose Source and Record Route."
Force router companies and ISPs to use that particular header option, and the whole accountability problem is solved while preserving anonymity.
ISPs can solve the spoofing problem RIGHT NOW with tools available today: egress filtering. The ISPs I run have egress filtering on ALL routers (border and internal) so not a single internal host can send a packet unless the source address is at least within the same subnet. Makes more sense to me than inventing another ICMP standard which requires all router manufacturers to update their software, and all ISPs to upgrade to the newer software.
Sounds kinda nice, but let me get this right: I'm tracing the origin of the DoS flood. In other words, this will lead me to one of the (in most cases many) servers which are sending me this flood. What good will that do me? Sure, I know which company has a h4x0r3d server and I can tell them that their server flooded me, but this won't resolve the issue. C'mon, there are millions of servers out there. If I can trace one and even let them shut it down, the script kiddie can have 5 others in no time. Happy tracing!!
No, I've said it before in an earlier post; the only way to solve this IMHO is to let the hosting providers come together and set up a guideline / rule for all servers being hosted. If they don't meet the security limits it's either done for them or bye bye. When these people stop thinking about money all the time and also give a little bit more consideration to the Net, our troubles would reduce enormously.
Re:Alternative measures (by dingbat_hp, Score: 3)
You're falling into the trap of the Politician's Syllogism:
Something Must Be Done
This is something
Therefore this must be done.
Aren't you posting from the UK? Right now the UK has the unedifying spectacle of a government simultaneously imposing draconian anti-privacy measures in the RIP bill, yet also having their own secrets exposed by "Benji the Binman", owing to their own complete lack of understanding of basic infosec (shred your rubbish).
We already have many defences against DDoS attacks. The best one is installing Clues in the admins of bozo ISPs (not forwarding RFC1918 is a damned good start), but more robust inbound routing helps too (stateful packet inspection still isn't commonplace, yet it kills things like SYN flooding). We can fix this. Sure, it sucks today, but let the geeks work it out and we'll get the holes patched.
So what are you suggesting instead? Modem Licences, to go with the Modem Tax rumours you recall so fondly from the Net 10 years ago. The infrastructure is flaking, there are too many cluephobes jumping on the ISP bandwagon, yet you want to start beating up on the users! I'm sorry if AOL doesn't meet your standards of intellectual superiority (are you a Mensa member too?), but their cash is as good as yours or mine, and they've just as much right to be here.
If I walk into my local pub and behave like a jerk I'll be thrown out. Cross the road and the same behaviour is accepted as normal; different pubs, different communities, different standards of behaviour. How is your "global net access" going to support that? I don't want Kansas fundies telling me that evolution doesn't work, and they probably wouldn't want me offending their local ordinances either.
Don't like Grits with your Slashdot? Let's make moderation work better. Virtual Communities are still a pretty new concept, and we're going to have to learn how to deal with the odd Mr Bungle or BeerGuy.
Personally I think an age limit of 32 is about right. Keeps off the people who don't remember uucp and real netiquette. How do you like that idea? 8-)
This attitude always makes me smile a little. People assume that the Internet is currently anonymous and that technologies like itrace will somehow throw that anonymity away. The truth of the matter is that currently, if you use the Internet in a normal fashion whereby you are receiving data, you are traceable. If you want anonymity then I suggest you use an anonymizer - it's what they're there for.
Also, if you had read the article fully you would have realised that not every packet you send will be traceable - only one packet in 20,000 will cause a traceback message. This means that normal activity is unlikely to cause many traceback messages, whereas a full-on DoS will get spotted easily and be traceable. This is important because if every packet caused tracebacks, then a DoS would be twice as effective (think about it).
And lastly, we come to the fact that hackers might be able to spoof tracebacks to make it look like it came from you. Again, if you'd read the article you'd realise one of the technical challenges in implementing itrace is the PKI platform that will have to be built for authentication purposes, to ensure spoofing of these messages is not possible.
Re:What stops me from spoofing itrace? (by Azog, Score: 3)
The itrace packets will have an authentication section. Read the ietf draft, it explains some of the possibilities.
At any rate, spoofed itrace packets will be detectable.
-- Torrey Hoffman (Azog) "HTML needs a rant tag" - Alan Cox
I'm sick and tired of good intentions being used to defend bad plans.
Uh, sorry. No. The internet as we know it was built on a large number of assumptions, many of which are simply no longer true. The largest of these assumptions is that there was no reason for built-in security, since the only people using the network were academic types -- and it was true that the various institutions could generally trust each other. But as the network became more open to the public at large, the old assumptions began to break down. This plan is an attempt to fix a single problem in an inherently bad design. Get over it.
Before going off and criticising this, take note of these two points:
1 in 20,000 packets will be affected. So it's not as if every packet you send is affected.
All it does is send what the router knows of the packet to the destination.
In other words, if you are surfing slashdot, every once in a while slashdot will get an itrace packet saying that 1.2.3.4:1234 destined for slashdot.org:80 was routed through me.
However, if you are surfing slashdot, then slashdot ALREADY knows your IP address. This only affects you if you use spoofing to send packets out. And remember, spoofing is (basically) connectionless. You can't connect to a website and get a page (or even request a page) with a spoofed IP address. You can only send out individual packets that have a spoofed from address.
So, how does this affect my privacy? Well, if I do lots of DoS attacks, or spoofed portscans, then occasionally the site I'm attacking will find out some of the routers I'm going through. If I'm a regular Joe Bloggs, surf porn sites on company time, and generally do things I don't want the public to know about, then some of the places I visit will occasionally find out which router I go through. However, they can get this information really easily via a standard traceroute.
So in the end, it has VERY LITTLE effect on privacy, except for those who are trying to spoof their return address (and spoofing your return address is 90% of the time used only in attacks; occasionally it could have a legitimate purpose, but if it did, then you shouldn't care if the other site figures out who you are).
As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.
Oh, that's one thing: if the authentication isn't good enough, then you'll be able to fool some sites into thinking you are routing through a different router. However, this only brings us back to square one, no further.
-- I used to have a funny sig, but slash cut it off, and I forgot what the punchline was.
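As an added illustration of the mechanism the post above describes (this is constructed example code, not code from the thread or from the IETF draft): routers sample about one packet in 20,000 and tell the destination which router the packet passed through, and the messages must be authenticated so they cannot be forged. The router addresses, keys, and HMAC-based tag are assumed stand-ins for the PKI the thread says the draft calls for; the sample traffic is constructed.

```python
"""Toy model of ICMP traceback ("itrace") as the thread describes it.

Constructed example, not the IETF draft's code or format: routers sample about
1 packet in 20,000 and tell the destination "src -> dst passed through me";
message authenticity is modelled with a per-router HMAC key, a stand-in for
the PKI the draft calls for.
"""
import hashlib
import hmac
import random
from collections import Counter

SAMPLE_RATE = 20_000  # one traceback per ~20,000 packets, per the article

# Constructed router addresses and keys (a deployment would get these from a PKI).
ROUTER_KEYS = {
    "10.0.0.1": b"constructed-key-router-a",
    "10.0.0.2": b"constructed-key-router-b",
}


def _body(router, src, dst):
    return f"{router}|{src}|{dst}".encode()


def make_traceback(router, src, dst, key):
    """Router side: build an authenticated traceback message."""
    tag = hmac.new(key, _body(router, src, dst), hashlib.sha256).hexdigest()
    return {"router": router, "src": src, "dst": dst, "tag": tag}


def verify_traceback(msg, keys):
    """Destination side: accept only a tag valid under the named router's key."""
    key = keys.get(msg["router"])
    if key is None:
        return False  # unknown router: the message cannot be authenticated
    body = _body(msg["router"], msg["src"], msg["dst"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def forward(router, packets, rng, keys):
    """Forward packets through one router, emitting sampled tracebacks."""
    out = []
    for src, dst in packets:
        if rng.randrange(SAMPLE_RATE) == 0:
            out.append(make_traceback(router, src, dst, keys[router]))
    return out


def expected_tracebacks(n_packets):
    """Mean number of traceback messages a flow of n_packets triggers."""
    return n_packets / SAMPLE_RATE


def attribute(messages, keys):
    """Verify each message, count verified tracebacks per (claimed source,
    router) and report how many failed the check."""
    seen, rejected = Counter(), 0
    for m in messages:
        if verify_traceback(m, keys):
            seen[(m["src"], m["router"])] += 1
        else:
            rejected += 1
    return seen, rejected


def simulate(seed=1):
    """Constructed scenario: a normal session, a spoofed flood, one forgery."""
    rng = random.Random(seed)
    dst = "203.0.113.10"
    # Ordinary browsing: a few thousand packets from one genuine host.
    normal = [("192.0.2.7", dst)] * 3_000
    # A flood with forged source addresses that all really enter via router b.
    flood = [(f"198.51.100.{rng.randrange(256)}", dst) for _ in range(400_000)]
    msgs = forward("10.0.0.1", normal, rng, ROUTER_KEYS)
    msgs += forward("10.0.0.2", flood, rng, ROUTER_KEYS)
    # Someone without router a's key tries to pin the flood on router a.
    msgs.append(make_traceback("10.0.0.1", "198.51.100.1", dst, b"wrong-key"))
    seen, rejected = attribute(msgs, ROUTER_KEYS)
    flood_hits = {k: n for k, n in seen.items() if k[0] != "192.0.2.7"}
    return {
        "flood_routers": {r for (_s, r) in flood_hits},  # where the flood entered
        "flood_msgs": sum(flood_hits.values()),
        "normal_msgs": seen[("192.0.2.7", "10.0.0.1")],
        "rejected": rejected,
    }
```

`simulate()` returns a summary in which the flood is attributed to router b alone, the forged message is rejected for failing authentication, and the normal session triggers at most a handful of messages.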
What stops me from spoofing itrace? (by wowbagger, Score: 3)
What keeps a script kiddie from sending spoofed itrace packets implicating every machine on the planet from a compromised machine?
I'm sick and tired of good intentions being used to defend bad plans. People have gotten away with taking our guns (protected by the Third Amendment) and our freedom of speech to talk about drugs (protected by the First Amendment). We can't let them take our right to privacy too.
The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.
If you understood the technology here, you would realize that UNLESS YOU'RE USING IP SPOOFING, ITRACE WILL NOT AFFECT YOU. All that ITRACE does is make IP SPOOFING much more difficult. The majority of net users do not use IP spoofing. And the majority of net users who do use IP spoofing ARE using it to do illegal things.
The ability to know the IP of the person sending you packets is NOT a privacy violation. There are already ways to send information anonymously; what possible use could IP spoofing have?
First Echelon, then Carnivore, and now yet another attempt to track the actions of average citizens on the Internet.
Wait, I thought they said "perpetrators of DDoS attacks".
Sure, stopping DDoS attacks sounds good in theory, but so does stopping "child molesters" or "foreign spies."
Uh.... Those sound good in practice, too, I think. Do you have any reasons to the contrary?
Like we need more information about ourselves being handed out online.
Like anyone even cares about what you do online. I'm constantly amazed by the number of Slashdot readers that have delusions of government agencies tracking their every move online, reading their every email, and so on. "They" just plain don't care about most of you. Get it? It may be comforting to have these delusions that you are somehow significant, but I'm pretty sure that nobody here is important enough for "them" to care about.
And then there's the ever-present question of just who "they" are.
I'm sick and tired of good intentions being used to defend bad plans.
Well, that's wonderful, but I don't see any good plans coming from you. If you don't like the plan, come up with a better one.
People have gotten away with taking our guns (protected by the Third Amendment)
Second.
We can't let them take our right to privacy too.
Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."
The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.
The majority of citizens do not commit murders. Therefore there is no need for a police homicide unit.
Re:egress filtering - Totally right (by Ice+Tiger, Score: 3)
This would stop address spoofing right now; all ISPs should implement this. So what are the chances of getting ISPs to roll out itrace if they don't even bother to try and fix the problem in the first place?
I know I won't be popular here on /., but maybe a few lawsuits against ISPs not implementing egress filtering might change the current situation. Maybe implicating them due to negligence or some such.
-- "Because we are not employing at entry level, offshoring will kill our industry stone dead."
Your post is such nonsense that I hardly know where to begin.
So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the scipt-kiddies.
<sarcasm>So what is to be done? Maybe it's time to restrict who has access to the roads. Since companies like Ford made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in stoplight-running, wrecks and general abusive behaviour. If people were not allowed to access the roads unless they fit certain criteria we could reclaim it from the infidels.</sarcasm>
You're confusing causation and correlation. It's also happened since (a) script kiddie tools became widely available, (b) users with significant home bandwidth have become common, (c) non-web media have given attention to, and to an extent glorified, 31337 behavior, and (d) 17" monitors became popular. You further make the insidious claim that average AOL users are script kiddies; this is a cheap, elitist attack that doesn't in the least help your argument: AOL users aren't anonymous.
What criteria would be appropriate is the next question. Well, firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.
<sarcasm>Right! What we also need to do is restrict libraries to adults 18 years of age or older. We don't want our kids to read about bomb-making until they reach the age of 18 and are magically wise. There's so much offensive material in the library, after all.</sarcasm>
Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.
<sarcasm>Another great idea! Let's create some powerful organization to kick impolite people (by their judgment) off the net. Also this organization, which everyone would gladly accept, would be empowered to remove inferior users. All the nations of the world would unite behind a plan to make the Internet available only to the master race.</sarcasm>
Seriously, why are you so intent on kicking off users? It's childish and vindictive behavior. It's neither practical, nor IMHO desirable in a free society.
Gates' Law: Every 18 months, the speed of software halves.
As far as I can see, its generally a good thing(tm), though they'd better get the authentication right, else it will become useless.
Some kind of authentication can be achieved using packets that are transmitted with a TTL of 255. If you get a packet with a TTL of 254 there is no way it could have been sent from a host further than one hop. Lots of routers need to be upgraded for itrace, but ALL routers decrease the Time-To-Live field. I wonder how this could be effectively extended to longer distances.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
OK, before everyone gets up on their horses....
Firstly, I support internet privacy totally.
Secondly, this initiative does not erode that.
Read the article, and you find a few things...
1) itrace packets are only sent for approx 1/20000 packets through a router, greatly reducing any traffic analysis benefits from monitoring itrace packets
2) the packets go to the destination. So only your destination and points between can read the itrace packets, but they can read your packet anyway, so no biggie.
Ergo, the only time an itrace packet will tell anyone anything more than they would know by looking at the IP header of your TCP packets is in the limited case where the IP address on the packet is forged.
Now why, you might ask, would you want to forge an IP address? Good question. Remember, if your IP address is wrong, no return traffic will reach you. The 2 cases I can think of are:
1) doing a TCP hijack attack, and due to the probable low volumes (telnet doesn't generate THAT many packets) in the hijack stream the chances of getting caught by an itrace packet are pretty slim.
2) performing a DoS attack, which is pretty much totally evil.
3) doing a portscan with a decoy. You might get your fingers slapped here. Life's a beach.
So, as far as playing on gnutella, or posting as AC on slashdot is concerned, you don't lose anything to itrace in terms of anonymity that you hadn't already lost by having your IP address on a packet.
I hope that clears things up somewhat and avoids a flame or two.
-- Remove the rocks from my head to send email
-- On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before