North American Network Operators Group


Re: Government scrutiny is headed our way

  • From: Karl Denninger
  • Date: Tue Jun 16 16:50:35 1998

On Tue, Jun 16, 1998 at 12:58:12PM -0700, Curt Howland wrote:
> 
> Karl,
> 
> *You* may wish to make your life more convenient by bringing
> government force into your relationship with other network
> providers, why by what divine right do you get to impose your
> convenience on others by force?

Uh, I am imposing that same force on myself, if the "bad guys" are on my
network and someone needs help from us.

What I'm doing is asking for the government to start holding people
accountable for attractive nuisances, including vendors of equipment
who do nothing about traceability of this kind of attack.

> Just go ahead and filter the offenders. When their customers
> cannot reach your services, or their server customers get 
> contacted by your customers about the policies of their ISP,
> either they will change their policies or they will lose 
> customers.
> 
> It is MUCH more effective to guide business policies by the
> lure of money than by the gun. Each and every network service
> I have worked for has, once the benefits of cooperation were
> pointed out to them, changed their tune.

Look:

1.	There is zero excuse for people allowing non-verified traffic in
	from dial ports.  Zero.  It's a trivial filter to implement on any
	RAS box on the market today, including some VERY old ones.  If you
	filter only to the level of what COULD be legal (ie: the pool
	addresses on the device) that's good enough - it stops the spoofed
	denial of service attacks.  Further, there is no bandwidth or CPU
	consumption argument on these connections which can be made.

	This is pure LAZINESS and nothing more - period.

	This also applies to the cable modem people, the ADSL people, etc.
	The only thing in the way of doing this on dedicated lines is
	reasonable automation (since people on dedicated lines might
	have their own address space, etc).

	MOST large ISPs do NO verification on inbound dial packet streams.

2.	There is even less than zero excuse for a "fuck you" response from
	a NOC when you call them with a denial of service issue.  Yet this
	is what we, all too often, get, along with a refusal to transfer to
	a manager and in some cases, a refusal to give the employee's NAME!
	The first thing these guys want is a customer ID; don't have one, 
	go straight to hell.

	This happens ALL the time.  In fact, it happens so often that it's
	basically a waste of time to attempt to try to trace an active Smurf
	today, because the big guys WILL stonewall you.

3.	Many of these providers sell "burstable" circuits.  They CHARGE
	MORE to customers when they are abused as smurf amplifiers.  Thus, 
	there is a hell of an incentive NOT to do anything about the problem, 
	as bits are bits when it comes to this issue.  Now if you bitch 
	they'll remove the charge I'm sure, but how many people won't catch 
	it, especially on DS1s and frac T3s?

4.	CISCO and other vendors have NOT stepped up to the plate with an
	EASY protocol-based way to trace these things.  The bottom line is
	that the users haven't demanded it because it's a "not in my back
	yard" type of problem, and the people whose back yard it IS in (and
	who are spending the most money with CISCO and friends) are not 
	motivated to fix it.

5.	It is the smaller provider and customer who gets hurt by this.  
	We can survive 99% of all smurf attempts without damage.  Our T1
	downstream customers?  They're screwed.  A T1-connected ISP?
	They're screwed as well.  We don't get flooded off the network 
	when it happens, which is why a "bounce at the border" strategy 
	works for us.

	IT DOES NOT WORK FOR OUR CUSTOMERS, AS ONCE IT GETS TO THEM THE LINE
	IS CONSUMED AND TOSSING THE TRAFFIC IS POINTLESS!

6.	Since you need significant bandwidth to BE a good smurf amplifier,
	guess who makes the "best" ones?  Big ISPs' internal infrastructure
	points, and fat-pipe (ie: DS3+) connected organizations.  The DS1
	connected guy is a poor smurf source, since you need a lot of them
	in concert to hurt significant ISPs badly these days.

-- 
Karl Denninger ([email protected])| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
			     | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
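The two filters argued for in points 1 and 6 of the message above, as an added example that is not part of the original post or of MCSNet's configuration: an ingress filter on a dial-in access server that accepts only source addresses drawn from the box's own address pools (so a spoofed smurf trigger is dropped at the first hop, and anything that does get through is traceable to a port), and a directed-broadcast check on the router in front of a large LAN (the amplifier side). The address pools, the connected network and the packet records are all constructed for the example; the names `ingress_filter`, `is_directed_broadcast` and `Packet` are my own, not any vendor's API.

```python
"""Anti-spoofing ingress filter for a dial access server, plus a
directed-broadcast drop for the amplifier side.  Model code; all
addresses and packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical address pools handed out to dial ports on this RAS box.
# Anything arriving on a dial port from outside these prefixes cannot
# have been assigned by us, so it is spoofed by construction.
DIAL_POOLS = [ip_network("192.0.2.0/25"), ip_network("198.51.100.0/24")]

# Hypothetical LAN behind a fat pipe: the kind of network that makes a
# good smurf amplifier if its router forwards directed broadcasts.
CONNECTED_NETS = [ip_network("203.0.113.0/24")]

ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "tcp"
    icmp_type: int = -1   # only meaningful when proto == "icmp"


def source_is_legal(src: str, pools=DIAL_POOLS) -> bool:
    """True if src could have been assigned to a dial port on this box."""
    addr = ip_address(src)
    return any(addr in pool for pool in pools)


def ingress_filter(packets, pools=DIAL_POOLS):
    """Apply the dial-port ingress check: return (accepted, dropped).

    This is the "filter to what COULD be legal" rule: no per-customer
    state, just a prefix match against the pool addresses."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_is_legal(pkt.src, pools) else dropped).append(pkt)
    return accepted, dropped


def is_directed_broadcast(dst: str, nets=CONNECTED_NETS) -> bool:
    """True if dst is the broadcast address of a directly connected net.

    A router that forwards such packets turns every host on the LAN into
    an echo replier aimed at whatever source address was forged; dropping
    them is the amplifier-side fix (on IOS, `no ip directed-broadcast`)."""
    addr = ip_address(dst)
    return any(addr == net.broadcast_address for net in nets)


def forward_filter(packets, nets=CONNECTED_NETS):
    """Amplifier-side check: drop ICMP echo requests to a connected
    network's broadcast address, forward everything else."""
    forwarded, dropped = [], []
    for pkt in packets:
        smurf = (pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST
                 and is_directed_broadcast(pkt.dst, nets))
        (dropped if smurf else forwarded).append(pkt)
    return forwarded, dropped


# Constructed sample traffic arriving on dial ports.
SAMPLE_DIAL_TRAFFIC = [
    # Legitimate pool address, ordinary web traffic: accepted.
    Packet("198.51.100.7", "192.0.2.200", "tcp"),
    # Pool address sending echo request to a remote broadcast address:
    # accepted by the ingress filter (it is traceable to this port), but
    # the amplifier's router should refuse it.
    Packet("192.0.2.10", "203.0.113.255", "icmp", ICMP_ECHO_REQUEST),
    # Spoofed source (the intended victim) aimed at the amplifier's
    # broadcast address: the classic smurf trigger, dropped at the RAS.
    Packet("10.0.0.1", "203.0.113.255", "icmp", ICMP_ECHO_REQUEST),
]


if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_DIAL_TRAFFIC)
    print("dial ingress: accepted", len(ok), "dropped", [p.src for p in bad])
    fwd, amp = forward_filter(ok)
    print("amplifier router: forwarded", len(fwd),
          "dropped directed broadcasts", [p.dst for p in amp])
```

The ingress check is deliberately coarse: it does not tie a source to the particular port it was assigned on, only to the set of prefixes the box can legitimately hand out, which is the level the message argues is "good enough" to stop spoofed floods while costing nothing in CPU on a dial-speed link. The directed-broadcast check is the complementary control at the site that would otherwise amplify.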