North American Network Operators Group
Re: Ping flooding (fwd)
> On Mon, 8 Jul 1996, Daniel W. McRobb wrote:
>
> > The problem is not really a technical one. It's administrative. It's
> > much more of a headache to backtrack through 30 routers that aren't in
> > your own network than to backtrack to the ingress to your own network
> > domain and filter it out there (which is the typical response to this
> > kind of thing). Getting everyone in the path to cooperate with
> > backtracking is difficult in many instances, impossible in others.
>
> I recall that people have cooperated in the past on some sort of
> performance analysis tool that transported packets through a tunnel to
> some remote point and initiated an analysis of some sort from that point.
> I believe this was done by NLANR and had something to do with vBNS.
>
> I don't think this is all that different. If some means existed for an NSP
> to initiate a trace on a specific source address to backtrack it to the
> real source then an easy to use tool could be built. Of course, first of
> all router vendors need to make a quick and relatively painless way to
> track down the interface that a packet comes in from, maybe

There will likely never be a means for a single NSP to track down the real
source of spoofed packets using IPv4. Service providers won't be letting
other service providers track spoofed packets through their network.

> set icmp-source-trace 148.32.45.67 on
>
> and later....
>
> show icmp-source-trace
>
> IP address     Interface
> ----------     ---------
> 148.32.45.67   NO TRACE
>
> Note that the source trace was active for a period of time and then
> expired automatically with no new ICMP packets bearing the specified
> source address in that period of time. If this facility is available an
> easy to use tool could be built.

In the case of a spoofed-source denial of service attack, the source
address is often of less use than the destination address/port/protocol in
tracking down the real source. The attacker just switches the source
address and walks right through your trace (or filters). Don't get me
wrong; I think packet sniffing capabilities (even in their simplest forms)
can be very useful and I wish there were more facilities in typical routers
for tracking traffic via IP header information.

> > That doesn't even take into account the cases where an attacker has
> > multiple paths into your network and is using multiple forged source
> > addresses, much less the fact that the attacker can turn off the attack
> > when he/she chooses, thwarting your effort to track them.
>
> No doubt about it. Being a detective is hard, boring, plodding work and
> sometimes you just never find the crook. But it's still worth trying.

Define worth. I live in a capitalist society where catching a criminal is
of little worth (particularly an ICMP bomber who's arguably not much worse
than a USENET spammer) in its own right and often only worthwhile if
there's monetary compensation involved (either from a legal settlement,
reward or just recovery of service and time spent fixing things that are
broken by an attacker). :-)

Daniel
~~~~~~
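The proposed source trace and the reply's objection to it, as an added example that is not part of this thread or of any router vendor's software: a small Python model of a per-source trace with an expiry timer (the hypothetical `set icmp-source-trace <addr> on` quoted above) next to a match keyed on destination/protocol/port, run over constructed traffic in which the flooder rotates its forged source address. Packet fields, interface names, addresses and timings are all constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    t: float                  # arrival time in seconds (constructed)
    ingress: str              # router interface the packet arrived on
    src: str
    dst: str
    proto: str                # "icmp", "udp" or "tcp"
    dport: Optional[int] = None


def source_trace(packets, src, armed_at, ttl):
    """Model of the hypothetical 'set icmp-source-trace <src> on' from the
    thread (not a real router feature). After the trace is armed it records
    the ingress interface of every ICMP packet carrying `src`; each hit renews
    the timer, and the trace expires after `ttl` seconds without a hit."""
    interfaces = Counter()
    expires_at = armed_at + ttl
    for p in sorted(packets, key=lambda pkt: pkt.t):
        if p.t < armed_at:
            continue
        if p.t >= expires_at:          # timer ran out: trace is gone
            break
        if p.proto == "icmp" and p.src == src:
            interfaces[p.ingress] += 1
            expires_at = p.t + ttl
    return {
        "interfaces": interfaces,
        "result": dict(interfaces) if interfaces else "NO TRACE",
        "expired_at": expires_at,
    }


def destination_trace(packets, dst, proto, dport=None):
    """Match on the part of a flood the attacker cannot change without giving
    up the attack: the victim's address, the protocol and (where present) the
    port. Reports ingress interfaces and how many distinct sources were seen."""
    interfaces, sources = Counter(), Counter()
    for p in packets:
        if p.dst == dst and p.proto == proto and (dport is None or p.dport == dport):
            interfaces[p.ingress] += 1
            sources[p.src] += 1
    return {
        "interfaces": interfaces,
        "matched": sum(interfaces.values()),
        "distinct_sources": len(sources),
    }


def constructed_traffic():
    """Constructed sample: one ICMP packet per second toward 10.0.0.5 via
    serial1, forged from 148.32.45.67 for 10 s, then from a fresh forged
    source every second; plus unrelated SMTP traffic arriving on ether0."""
    pkts = [Packet(t, "serial1", "148.32.45.67", "10.0.0.5", "icmp") for t in range(10)]
    pkts += [Packet(t, "serial1", f"192.0.2.{t}", "10.0.0.5", "icmp") for t in range(10, 20)]
    pkts += [Packet(t + 0.5, "ether0", "10.0.0.9", "10.0.0.5", "tcp", 25) for t in range(0, 20, 5)]
    return pkts


if __name__ == "__main__":
    pkts = constructed_traffic()
    # Operator notices the flood at t=12 and traces the source seen in the
    # first complaint: the attacker has already moved on, so the trace expires.
    print("late source trace :", source_trace(pkts, "148.32.45.67", armed_at=12, ttl=5))
    # Same trace armed while that source was still in use does find the interface.
    print("early source trace:", source_trace(pkts, "148.32.45.67", armed_at=4, ttl=5))
    # Keying on the destination catches the whole flood regardless of rotation.
    print("destination trace :", destination_trace(pkts, "10.0.0.5", "icmp"))
```

The late source trace returns `NO TRACE` exactly as in the quoted `show icmp-source-trace` output, even though the flood is still running; the destination-keyed match attributes all twenty flood packets to `serial1` and shows eleven distinct forged sources, which is the information an operator actually needs to filter at that ingress or to ask the upstream to look one hop further back.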