Distributed Network for Reverse-Tracerouting
I got the heads-up from some folks concerning Traceloop.com. It's an interesting idea - you can see what route your traffic takes on the /return/ path. By utilizing a large group of distributed test points, anyone registered with the service can run traceroutes in both directions, provided there is a client near the destination ISP. So, they are looking for more people to sign up for the network - but also to have people use it. I'd like to see this used vis-à-vis DoS attacks and such - but this approach is a whole new way of doing this.
How many hops away from slashdot am I?
C:\>tracert slashdot.org
Tracing route to slashdot.org [127.0.0.1]
over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms slashdot.org [127.0.0.1]
Trace complete.
Hrm, that looks pretty good. So why do the pages take so long to load?
--Shoeboy
Now I know I'm not some kind of network guru, but isn't there the possibility that this could be used to launch DDoS attacks? Any kind of distributed system has got to have the ability to launch such attacks, and open services like this must surely be more vulnerable to abuse than machines that have to be cracked.
Hopefully the encryption system they are using will withstand such attempts. At least they've thought about it, because this kind of thing would probably be a target for malicious script kiddies.
However, it would be good to be able to reverse traceroute incoming packets. It's also nice to be able to worry less about allowing UDP and ICMP through your firewall, and hopefully this will be taken up by enough concerned sysadmins to make it a viable concept. As recent attempts have shown, tracking down the originator of DDoS attacks is pretty hard, and this might save us the threat of yet more Government "protection" for the net.
--Anticipation of a New Lover's Arrival, The
ICMP packets already account for an absurdly large amount of total Internet traffic. I can't be bothered to find a link, but I believe it was between 15-17%.
Is it really a wise use of limited bandwidth resources to develop new network clogging toys for 'system administrators' to play with? What a lot of geeks tend to forget is that real people are trying to accomplish real work over the Internet. It's no longer just their personal playground.
The entire economy has been transformed to rely on networking and information technology. Bandwidth is a critical resource that mustn't be wasted on 'cool' new toys.
Even worse, systems like Traceloop are always poorly thought out and rife with possible exploits. The last thing we need is yet another platform for hackers to launch malicious attacks on the public and private sector's key information systems.
Basically, if it's not business critical, it doesn't belong on the Internet anymore.
- qpt
--
Domine Deus, creator coeli et terrae respice humilitatem nostram.
The idea is quite nice, but what's the actual use of this? In practice, how many times does it happen that the reverse route differs from the forward route?
Also, the first time I tried it didn't work :-( And when it would have worked, the results would have been worthless because the distance between the targets and the clients was too large - though this will change when the network grows.
This is your sig. There are thousands more, but this one is yours.
As I see it, they will charge nothing to use the basic client, but they charge for the 'pro' client which will have additional features. Still, if this is a 'shared' service where all the clients participate by serving to others as well, does it then seem fair that they receive money for it?
Or should I wait for www.opentraceloop.org?
Dave
What if the FBI has had something like this for some time now, and they just never told anyone about it? I mean, after the Carnivore incident I think the next toy they make they will be more hush about; maybe it's called Intestinal Track or something spaz like "y ru 8 us". Just a thought, don't take it as flame bait. Seriously, just think of the stealth planes America has, and what exactly is next-generation stuff we have not seen yet.
WAAH
Getting a 404 error on the download link that was sent after registering. Anyone else getting this?
Basically it gives you the ability to follow back to the source of an attacker.
The best argument I heard against it was that ISPs first should do some decent outgoing filtering to catch smurf attacks.
Of course you might be able to abuse the system by faking a malicious attack from the host to be attacked. I doubt that this would be fun for script kids though, since using multiple hosts sounds much more impressive.
I'm still trying to figure out what people mean by 'social skills' here.
Alright, first, ICMP is a necessity. It is the Internet Control Message Protocol, and is used to troubleshoot network issues. It does _not_ use much bandwidth, and I seriously doubt it consumes 15-17%, though I do not have stats to back that up. Regardless, even if it does take that much bandwidth, or even 25%, it is a necessary part of the internet. I work at an ISP, doing routing configuration and troubleshooting most of the time, and without free rein to use ICMP however I want (which includes flood pings and extended pings), I could not do my job. This tool could be used to save a lot of time on the internet, actually. Here's a situation I see every day: some customer has a problem reaching blah.com. When he runs a traceroute, it goes all the way through my network, and then dies in another ISP's network which I have no visibility into. I have to send email or call the other ISP and wait at their whim for them to address the problem, which happens slowly, if not at all most of the time. If Traceloop were implemented across the board, a lot of time could be saved by NOC employees across the globe, which would mean quicker resolution of internet problems, which would lead to greater stability and speed on the network, which I am sure would help your precious business.
You business people need to realize that you don't own the internet. You pay for a very small amount of bandwidth on the internet, which you can do what you choose with, but you didn't build the internet, you don't maintain the internet and you have no right whatsoever to tell anyone else what to do with their bandwidth.
The only thing I can figure is you're either an idiot or a troll. If the former is true, please go read Internet Architectures by Halabi (Cisco Press book)... it is very useful. If the latter is the case, then fuck right off.
//Phizzy
"Most European technology just isn't worth our stealing," -- Former CIA chief James Woolsey, referring to Echelon
Sorry there, but if you take the time to read the FAQ you'll see that they express the same concerns about the possibility of this network being used as a launching point for DDoS. I don't see how this makes me a troll.
--Anticipation of a New Lover's Arrival, The
Here is the abstract from the Nature website.
Also available is full text and PDF of the paper.
I'm not a Troll i prefer to be called a Goblin.
You might be able to fire him, but I am a South African living in London, UK. What am I supposed to do when your government, I am guessing USA, decides that they are the "Law of the Internet"? Do I get a vote on who sits in the White House, who makes the laws and who applies the law?
When will people realise that the USA/"country of choice" is not the Internet, the whole world is, even the horrible little countries you are not allowed to export encryption to.
Andrew
The UK academic network charges institutions (2p/MB on average), some of which pass the cost on to individuals, for transatlantic traffic.
Having a way to do reverse traceroutes would be invaluable for identifying the offending traffic more effectively.
Currently we can look at traceroutes for evidence of the JANET US gateways, and the ping time (anything that goes through the US gateways is >70ms), all of which isn't ideal...
denier (n.) 1. A unit of fineness for rayon, nylon, and silk fibers, based on a standard mass per length of 1 gram per 9,000 meters of yarn. 2. a. A small coin of varying composition and value current in western Europe from the eighth century until the French Revolution. b. A small, trifling sum. (Archaic)
What am I supposed to do when your government, I am guessing USA, decides that they are the "Law of the Internet"?
This brings up the pertinent question, "why is your government paying attention?" The USA is certainly not within its rights to be intervening in your country's internal affairs. If the USA oversteps its boundaries, it is your government's prerogative to ignore it. When imperialists try to dictate terms to you, it is your obligation to resist.
When will people realise that the USA/"country of choice" is not the Internet, the whole world is, even the horrible little countries you are not allowed to export encryption to.
Complaining about the situation won't make it any better; you've got to take action if you want anyone to listen. "Political power grows out of the barrel of a gun," as Chairman Mao said - and while it's not often wise to apply this proverb literally, the saying certainly has a lot of truth to it.
I'd like to see this used vis-à-vis DoS attacks and such
A serious DOS will use spoofed source addresses, rendering this use useless.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
While the distributed concept of this approaches something that might be called cool, there is already a remote tool installed at many NAPs which provides similar functionality in terms of reverse traceroutes and considerably more (BGP, etc). It's called looking glass, it's open source (perl) and doesn't carry around the broken subscriber model that this traceloop crap has.
Check out http://nitrous.digex.net for more info. An invaluable tool for routing engineers.
Many of the new business models require a level of QOS system performance in the selection of a service provider; tools such as traceroutes can identify potential service problems. All networks are not equal. Kevin Facinelli www.colosource.com Colocation Resource Center
Kevin Facinelli www.colosource.com webmaster@colosource.com
Moderate down
The source for tltrace is freely available. The link hasn't been published on the site (yet), but it is tltrace-0.91b-1.src.tar.gz.
We will endeavour to make this clearer on the web site in the future. Go ahead and grab it if you like.
Unfortunately these guys didn't actually inspect the entire Internet. So they have no idea about the failover circuits, routers, paths, etc. Take my network. Normally you route through one of two OC-3s to get to one site. If one router/circuit fails, OSPF changes to use the DS-3 on another router. You can't see this route while the OC-3 is up.
Fortunately your average attacker could only kill one larger router/access point at a time. Even the last DDOS was only beating on Yahoo, eBay, etc. individually IIRC. Not to mention that network infrastructure is quite a bit harder to take down than a web cluster.
kashani
- Why is the ninja... so deadly?
It strikes me as strange that the people who got worked up over locator/id chips being embedded in consumer products, are not getting worked up over this.
Yes reverse traceroute is more indirect, but both are ways to locate the general whereabouts of the individual.
The question is where do we draw the line?
Frank Fletcher.
It works really well.
A similar idea I have heard kicked around is the ability to automatically shut down single-source floods without the need for the administrators getting involved at all.
The idea works like this: a system realizes it's getting DoS'd (a relatively simple realization: either you're getting a lot of bogus return addresses, or you know who's flooding you...). So if you're getting a bunch of bogus addresses you need a way to shut it off as close to the source as possible. So, network hardware all up and down the spectrum needs a new protocol: call it "ADA, Anti-Denial of Service Attack protocol". This language defines a way for a node to ask the next node in the link to automatically kill packets that are coming in with bogus return addresses, and which are destined to go either to or through your node. The upstream node will be able to tell just by checking which trunk the data came down, and verifying that the return address is coming from that trunk. If it gets some that are invalid (more than 1% of a particular type, for example), then it would ask the router along the source trunk to do the same. Each node would take about 1 to 2 minutes of statistics gathering to be able to figure out definitively where the DoS is coming from, and then could stop passing those packets along, and ask the next router upstream to do the same. The advantage is that the system is perfectly safe since you can't ask to have someone else shut down, because the router won't accept and pass on the request unless the trunk the request came from matches the trunk down which the DoS target exists. You would be vulnerable to having your connection severed against your will only if one of the routers is compromised, but by definition if a router is compromised, your connection is vulnerable anyway.
The nice thing about this system is that if you get DoS'd, and you know you're being DoS'd, you send this request upstream, and the routers will work their way back to the source until the attacker's own ISP will kill the packets before they even make it one hop onto the net in general. It can be completely automated, and there is no additional risk to your connection than already exists. The protocol would require some basic info and statistics engines in the routers, but that already exists for other purposes (like load balancing). It would still allow you to send out bogus return addresses, but if you start flooding someone, the system will automatically lock you out from the person you're flooding.
This won't serve to stop all DoS attacks, but it will stop the morons with the instant "DoS in a can" software from being able to attack someone because they stole their IRC nick, or something equally retarded. Additionally, calling the owner of the Router would allow you to use their logs (if they will let you) to track down the perpetrator.
-=Geoskd
www.geoskd.com
I wish I had a good sig, but all the good ones are copyrighted
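Geoskd's per-trunk source check, as an added simulation that is not part of the original post or of any real router: each upstream router counts, per trunk, how many packets carry a source address that does not belong behind that trunk, flags a trunk once the share passes the 1% threshold from the post, and honours a filter request only when it arrives on the trunk through which the claimed target is reached. The trunk names, prefixes and traffic are constructed sample data.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

class Router:
    """Upstream router; `trunks` maps a trunk name to the prefixes legitimately sourced from it."""
    def __init__(self, trunks):
        self.trunks = {t: [ip_network(p) for p in ps] for t, ps in trunks.items()}
        self.seen = Counter()    # packets observed per trunk
        self.bogus = Counter()   # packets whose source did not belong to the ingress trunk
        self.blocked = set()     # trunks told to drop spoofed packets

    def trunk_for(self, addr):
        """Route lookup: the trunk through which an address is reached (None if unknown)."""
        for trunk, prefixes in self.trunks.items():
            if any(ip_address(addr) in p for p in prefixes):
                return trunk
        return None

    def observe(self, trunk, src):
        """Account one packet; True if its source address belongs behind the ingress trunk."""
        self.seen[trunk] += 1
        if self.trunk_for(src) == trunk:
            return True
        self.bogus[trunk] += 1
        return False

    def suspicious_trunks(self, threshold=0.01):
        """Trunks where more than `threshold` of traffic failed the check (the post's 1%)."""
        return sorted(t for t in self.seen
                      if self.bogus[t] / self.seen[t] > threshold)

    def handle_request(self, from_trunk, target):
        """Honour a filter request only if it arrives on the trunk leading to the claimed target."""
        if self.trunk_for(target) != from_trunk:
            return False         # request did not come from the victim's direction
        self.blocked.update(self.suspicious_trunks())
        return True

def demo():
    """Constructed traffic: legitimate packets on both trunks plus a small spoofed flood on 'west'."""
    r = Router({"east": ["10.0.0.0/16"], "west": ["192.168.0.0/16"]})
    for i in range(200):
        r.observe("east", f"10.0.0.{i}")       # legitimate, sourced behind 'east'
        r.observe("west", f"192.168.1.{i}")    # legitimate, sourced behind 'west'
    for _ in range(10):
        r.observe("west", "10.0.5.5")          # spoofed: an 'east' source arriving on 'west'
    spoofer_ok = r.handle_request("west", "10.0.0.9")   # wrong direction for that target: refused
    victim_ok = r.handle_request("east", "10.0.0.9")    # from the victim's own trunk: accepted
    return r.suspicious_trunks(), spoofer_ok, victim_ok, sorted(r.blocked)
```

Running `demo()` returns `(['west'], False, True, ['west'])`: only the trunk carrying the spoofed packets is flagged, and only the request arriving from the target's side gets it blocked.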