Posted by ryuzaki0 on from the this-is-gonna-get-interesting dept.
ebresie writes "Here's an interesting article about a new technology that is being developed by the IETF. It's being called itrace. This is basically ICMP Traceback Messages." There's a lot in this to think about.
ISPs can solve the spoofing problem RIGHT NOW with tools available today: egress filtering. The ISPs I run have egress filtering on ALL routers (border and internal) so not a single internal host can send a packet unless the source address is at least within the same subnet. Makes more sense to me than inventing another ICMP standard which requires all router manufacturers to update their software, and all ISPs to upgrade to the newer software.
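As an added illustration (not from the article or from any poster), here is a small Python model of the per-interface source-address check the post describes: the edge router forwards a packet only if its source lies inside a prefix assigned to the interface it arrived on, the practice standardized as BCP 38 / RFC 2827. Interface names, prefixes and the sample packets are constructed for the example.

```python
"""Model of per-interface source-address filtering at an ISP edge router.

Constructed example: each customer-facing interface has one or more assigned
prefixes. A packet is forwarded only if its source address is inside a prefix
assigned to its ingress interface; otherwise it is dropped and counted.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str
    dst: str


@dataclass
class EdgeRouter:
    # interface name -> prefixes legitimately sourced behind it (assumed topology)
    assigned: dict
    dropped: Counter = field(default_factory=Counter)

    def __post_init__(self):
        self.assigned = {ifname: [ip_network(p) for p in prefixes]
                         for ifname, prefixes in self.assigned.items()}

    def permitted(self, pkt: Packet) -> bool:
        """True if pkt's source address is valid for its ingress interface."""
        prefixes = self.assigned.get(pkt.ingress_if)
        if prefixes is None:
            return False          # unknown interface: fail closed
        src = ip_address(pkt.src)
        return any(src in p for p in prefixes)

    def forward(self, pkt: Packet) -> bool:
        if self.permitted(pkt):
            return True
        # Count the spoof attempt per interface: a sudden rise on one port is
        # the operator's signal that a host behind it is sourcing bogus traffic.
        self.dropped[pkt.ingress_if] += 1
        return False


def run_sample():
    """Push constructed traffic through the filter; returns (forwarded, dropped)."""
    router = EdgeRouter({"Gi0/1": ["192.0.2.0/24"], "Gi0/2": ["198.51.100.0/25"]})
    traffic = [
        Packet("Gi0/1", "192.0.2.10", "203.0.113.5"),      # legitimate
        Packet("Gi0/1", "10.0.0.1", "203.0.113.5"),        # spoofed private source
        Packet("Gi0/2", "198.51.100.200", "203.0.113.5"),  # outside the /25
        Packet("Gi0/2", "198.51.100.7", "203.0.113.5"),    # legitimate
        Packet("Gi0/9", "192.0.2.10", "203.0.113.5"),      # unknown interface
    ]
    forwarded = sum(router.forward(p) for p in traffic)
    return forwarded, router.dropped
```

Customers that legitimately source the same prefix over several links need that prefix listed on each of those interfaces, or the filter will drop their real traffic.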
Sounds kinda nice but let me get this right; I'm tracing the origin of the DoS flood. In other words; this will lead me to one of the, in most cases, many servers which are sending me this flood. What good will that do me? Sure, I know which company has a h4x0r3d server and I can tell them that their server flooded me but this won't resolve the issue. C'mon; there are millions of servers out there. If I can trace one and even let them shut it down the script kiddie can have 5 others in no time. Happy tracing!!
No, I've said it before in an earlier post; the only way to solve this IMHO is to let the Hosting providers come together and set up a guideline / rule for all servers being hosted. If they don't meet the security limits it's either done for them or bye bye. When these people will stop thinking about money all the time and also give a little bit more consideration to the Net our troubles would reduce enormously.
This attitude always makes me smile a little. People assume that the Internet is currently anonymous and that technologies like itrace will somehow throw that anonymity away. The truth of the matter is that currently if you use the Internet in a normal fashion whereby you are receiving data, you are traceable. If you want anonymity then I suggest you use an anonymizer - it's what they're there for.
Also, if you had read the article fully you would have realised that not every packet you send will be traceable - only one packet in 20,000 will cause a traceback message. This means that normal activity is unlikely to cause many traceback messages, whereas a full-on DoS will get spotted easily and be traceable. This is important because if every packet caused tracebacks, then a DoS would be twice as effective (think about it).
And lastly, we come to the fact that hackers might be able to spoof tracebacks to make it look like it came from you. Again, if you'd read the article you'll realise one of the technical challenges in implementing itrace is the PKI platform that will have to be built for authentication purposes, to ensure spoofing of these messages is not possible.