nanog mailing list archives

Re: Ping flooding (fwd)


From: "Daniel W. McRobb" <dwm () ans net>
Date: Tue, 09 Jul 1996 01:21:47 EDT


> On Mon, 8 Jul 1996, Daniel W. McRobb wrote:
>
> > The problem is not really a technical one.  It's administrative.  It's
> > much more of a headache to backtrack through 30 routers that aren't in
> > your own network than to backtrack to the ingress to your own network
> > domain and filter it out there (which is the typical response to this
> > kind of thing).  Getting everyone in the path to cooperate with
> > backtracking is difficult in many instances, impossible in others.
>
> I recall that people have cooperated in the past on some sort of
> performance analysis tool that transported packets through a tunnel to
> some remote point and initiated an analysis of some sort from that point.
> I believe this was done by NLANR and had something to do with vBNS.
>
> I don't think this is all that different. If some means existed for an NSP
> to initiate a trace on a specific source address to backtrack it to the
> real source then an easy to use tool could be built. Of course, first of
> all router vendors need to make a quick and relatively painless way to
> track down the interface that a packet comes in from, maybe

There will likely never be a means for a single NSP to track down the
real source of spoofed packets using IPv4.  Service providers won't be
letting other service providers track spoofed packets through their
network.

> set icmp-source-trace 148.32.45.67 on
>
> and later....
>
> show icmp-source-trace
>
> IP address          Interface
> ----------          ---------
> 148.32.45.67        NO TRACE
>
> Note that the source trace was active for a period of time and then
> expired automatically with no new ICMP packets bearing the specified
> source address in that period of time. If this facility is available an
> easy to use tool could be built.

In the case of a spoofed-source, denial of service attack, the source
address is often of less use than the destination address/port/protocol
in tracking down the real source.  The attacker just switches the source
address and walks right through your trace (or filters).

Don't get me wrong; I think packet sniffing capabilities (even in their
simplest forms) can be very useful and I wish there were more facilities
in typical routers for tracking traffic via IP header information.

> > that doesn't even take into account the cases where an attacker has
> > multiple paths into your network and is using multiple forged source
> > addresses, much less the fact that the attacker can turn off the attack
> > when he/she chooses, thwarting your effort to track them.
>
> No doubt about it. Being a detective is hard boring plodding work and
> sometimes you just never find the crook. But it's still worth trying.

Define worth.  I live in a capitalist society where catching a criminal
is of little worth (particularly an ICMP bomber who's arguably not much
worse than a USENET spammer) in its own right and often only worthwhile
if there's monetary compensation involved (either from a legal
settlement, reward or just recovery of service and time spent fixing
things that are broken by an attacker).  :-)

Daniel
~~~~~~
- - - - - - - - - - - - - - - - -
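The hypothetical `set icmp-source-trace` / `show icmp-source-trace` facility quoted in the thread, and Daniel's objection that a trace keyed on source address is defeated by an attacker who rotates spoofed sources, can both be shown with a small ingress-trace table. The following is an added example written for this archive page; it is not code from the thread, not a real router feature, and not anyone's product. The `IngressTrace` class, the packet summaries, the interface names and the 60-second expiry are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Ingress trace table modelled on the hypothetical `set icmp-source-trace`
facility discussed in the thread.

Added example, not a real router feature and not code from the thread.
The class, the packet records (RFC 5737 documentation addresses), the
interface names and the expiry value are all constructed for illustration.
"""
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed packet summaries, as a router might export them:
# (timestamp_s, src, dst, proto, ingress_interface)
PACKETS: Tuple[Tuple[int, str, str, str, str], ...] = (
    (10, "148.32.45.67", "192.0.2.10", "icmp", "serial0"),
    (11, "148.32.45.67", "192.0.2.10", "icmp", "serial0"),
    # Spoofed flood: the source address changes on every packet, but the
    # destination and protocol stay fixed and the packets keep arriving
    # on the same two ingress interfaces.
    (12, "203.0.113.5", "192.0.2.10", "icmp", "serial0"),
    (13, "203.0.113.99", "192.0.2.10", "icmp", "serial1"),
    (14, "198.51.100.7", "192.0.2.10", "icmp", "serial0"),
    (15, "198.51.100.8", "192.0.2.10", "icmp", "serial1"),
    # Unrelated legitimate traffic on a third interface.
    (16, "192.0.2.77", "192.0.2.10", "tcp", "ethernet0"),
)

NO_TRACE = "NO TRACE"


class IngressTrace:
    """Armed trace keyed by one or more header fields.

    `key` names which fields of a packet summary identify a trace:
    ("src",) mimics `set icmp-source-trace <addr> on`; ("dst", "proto")
    is the destination-keyed variant the reply argues is more useful
    against a spoofed-source flood.
    """

    FIELDS = ("ts", "src", "dst", "proto", "ingress")

    def __init__(self, key: Tuple[str, ...], expiry_s: int = 60) -> None:
        self.key = key
        self.expiry_s = expiry_s
        # key value -> (ingress interfaces seen, timestamp of last match)
        self._armed: Dict[Tuple[str, ...], Tuple[Set[str], Optional[int]]] = {}

    def arm(self, *value: str) -> None:
        """`set ... <value> on`: start watching for this key value."""
        self._armed[tuple(value)] = (set(), None)

    def _key_of(self, pkt: Tuple[int, str, str, str, str]) -> Tuple[str, ...]:
        rec = dict(zip(self.FIELDS, pkt))
        return tuple(rec[f] for f in self.key)

    def observe(self, packets: Iterable[Tuple[int, str, str, str, str]]) -> None:
        """Feed packet summaries; record the ingress interface of each match."""
        for pkt in packets:
            k = self._key_of(pkt)
            if k in self._armed:
                seen, _ = self._armed[k]
                seen.add(pkt[self.FIELDS.index("ingress")])
                self._armed[k] = (seen, pkt[0])

    def show(self, now: int) -> Dict[Tuple[str, ...], str]:
        """`show ...`: interfaces per armed key, or NO TRACE once expired
        (no match ever, or no match within the last `expiry_s` seconds)."""
        out: Dict[Tuple[str, ...], str] = {}
        for k, (seen, last) in self._armed.items():
            if last is None or now - last > self.expiry_s:
                out[k] = NO_TRACE
            else:
                out[k] = ",".join(sorted(seen))
        return out


def run_trace(key: Tuple[str, ...], value: Tuple[str, ...], now: int) -> str:
    """Arm one trace, replay the constructed packets, read it back at `now`."""
    t = IngressTrace(key=key)
    t.arm(*value)
    t.observe(PACKETS)
    return t.show(now)[tuple(value)]


if __name__ == "__main__":
    print("IP address          Interface")
    print("----------          ---------")
    for now in (30, 100):
        # Read at t=30 the source trace shows serial0; at t=100 it has expired.
        print(f"{'148.32.45.67':<20}{run_trace(('src',), ('148.32.45.67',), now)}  (t={now})")
    # A destination-keyed trace still pins the flood to its ingress interfaces
    # even though every flood packet carried a different forged source.
    print(f"{'192.0.2.10/icmp':<20}{run_trace(('dst', 'proto'), ('192.0.2.10', 'icmp'), 30)}")
```

Reading the trace at t=30 returns `serial0` for the genuine source, and at t=100 it has expired to `NO TRACE`, which is the output the quoted `show icmp-source-trace` example illustrates. Arming a trace on any one of the forged sources catches a single packet before the attacker moves on, whereas keying on destination and protocol reports both ingress interfaces the flood used, which is the point of Daniel's reply.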

