Information Security News mailing list archives

Re: UMass computer scientist offers a new way to track internet vandals


From: InfoSec News <isn () c4i org>
Date: Sat, 13 Apr 2002 02:58:20 -0500 (CDT)

Forwarded from: Russell Coker <russell () coker com au>

On Fri, 12 Apr 2002 10:02, you wrote:

> become so overwhelmed with traffic that they crash. Micah Adler, an
> assistant professor at the University of Massachusetts Department of
> Computer Science, has developed a new technique for determining the
> source of such an attack that requires only adding a single bit of
> information to messages sent across the Internet.

Of course, if everyone put filters on their edge routers that prevented
their customers from faking source IP addresses, then it would be much
easier to identify the attacker, and it would make it possible to filter
the attacks out (if the attack starts at 6PM local time for the
attacker, then you have no chance of getting the local administrator to
do anything for more than 12 hours). Core routers don't get filters,
so you must be able to filter what you receive.

Also, big ISPs are very wary of making any changes to core routers.
Getting them to replace the firmware with a new version that has a
major new feature such as this enabled will be next to impossible.

Finally, tracking the source machine after a large volume of traffic
does you no good at all if it's just a trojaned Windows box.
Preventing DDOS attacks requires the ability to filter out the
trojaned Windows machines as fast as they get deployed; if you can't
filter out a new attacker in less than 5 minutes after they start
attacking, then you have no hope of stopping the smallest DDOS.


Let's assume that we are able to make a list of attacking machines
fast enough to keep up with the new supply (this may be impossible,
but let's assume it isn't for the sake of discussion).  What do we do
next?  Wait until we have a few thousand IP addresses of Windows
machines in the router config and it can't handle the filtering load
and melts down?

Currently we have a serious problem of people crying wolf about
network attacks.  Idiots buy so-called security software for their
Windows PCs which alerts them every time a strange packet hits their
machine, and they start phoning and emailing ISPs about it.  Dealing
with these people is a waste of time, and because of it large ISPs
have special groups of help-desk people to deal with such issues.
The result is that the only form of network abuse that will be dealt
with is SPAM.  Anything else will never be forwarded to the people who
are able to do anything about it (a common procedure for such
situations is to tell the complainant that the account has already
been cancelled, to stop them bothering the help-desk again).


In conclusion, I think that this method for determining the source is a
solution looking for a suitable problem, and that tracking and
stopping "internet vandals" will not be possible until people get some
clues.


Russell Coker
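The edge-router source-address filtering the post refers to (dropping packets whose source address does not belong to the customer behind the interface they arrived on), as an added illustration that is not code from the post or its author. The interface names, prefixes and sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed customer-facing interfaces and the prefixes assigned to each
# customer (hypothetical addresses, not taken from the original post).
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}

def source_is_valid(iface, src):
    """Ingress check: a packet arriving on a customer interface must carry a
    source address inside that customer's assigned prefixes.  Anything else
    is a forged (or misrouted) source and is dropped at the edge."""
    prefixes = CUSTOMER_PREFIXES.get(iface)
    if prefixes is None:
        return False  # unknown interface: no customer assignment, drop
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)

def apply_ingress_filter(packets):
    """Classify (iface, src, dst) tuples; return counts and the dropped list."""
    counts = Counter()
    dropped = []
    for iface, src, dst in packets:
        if source_is_valid(iface, src):
            counts["forwarded"] += 1
        else:
            counts["dropped"] += 1
            dropped.append((iface, src, dst))
    return counts, dropped

# Constructed sample traffic: two legitimate packets and two whose source
# address does not belong to the customer on that interface.
SAMPLE = [
    ("eth1", "203.0.113.7", "192.0.2.10"),
    ("eth2", "198.51.100.140", "192.0.2.10"),
    ("eth1", "10.9.8.7", "192.0.2.10"),      # private source, not assigned
    ("eth2", "203.0.113.7", "192.0.2.10"),   # another customer's address
]

if __name__ == "__main__":
    counts, dropped = apply_ingress_filter(SAMPLE)
    print(dict(counts), dropped)
```

With such a check at every customer edge, a flood that reaches a victim carries real source addresses, which is what makes the per-source filtering the post discusses possible at all.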



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

