nanog mailing list archives

Re: Reporting Little Blue Men


From: "Jordyn A. Buchanan" <jordyn () bestweb net>
Date: Tue, 20 Jan 1998 19:55:04 -0500

At 7:03 PM -0500 1/20/98, Dean Anderson wrote:

You report them to the FBI. See "Firewalls and Internet Security" by
Cheswick and Bellovin, and "Unix System Security" by Curry.

Does that help?  Yes and no.  There are several laws being violated, but
the FBI basically isn't getting involved in the spam wars.  The first
violators were the anti-spammers who put in the blocking. The second
violators were the spammers who use relaying to get around that.
Anti-spammers are illegally intercepting (blocking) electronic
communications, and reading email, and the spammers are illegally exceeding
their authorization to access computers.  The anti-spammers are illegally
preventing access to computers and networks engaged in interstate commerce.
Anti-spammers illegally exceed their authority to cancel usenet messages.
Spammers try to post messages faster than they can be canceled.
Electronic packet wars with each side trying to out-send the other.

I'm not sure what the issue of spammers vs. anti-spammers has to do with
the general case of smurf attacks.  While I'm sure that some subset of the
smurf attacks that take place may have something to do with this
"conflict", there's no reason to believe that smurf attacks generally have
anything to do with spam-blocks or spam relays.

But you should note that both authors also indicate that (from Cheswick and
Bellovin, page 205): "Computing and electronic communications service
providers are more limited in their right to monitor user activity. Just as
the phone company personnel may not, in general, listen to your calls,
employees of a public electronic mail service may not read your messages,
whether in transit or stored." There will be more detailed information in
our spam policy.

None of the commentary regarding spam blocks being an illegal
"interception" of electronic communication is borne out by recent case law.
Both AOL and CompuServe have won cases that essentially bear out their right
to block e-mail from certain sources at their discretion.  There are a wide
variety of legal arguments that could be made here, but the current state of
the law seems to bear no resemblance to the picture that Mr. Anderson is
trying to paint above.

Back to the original question posed by Eric Wieling:

Is there any point in trying to report these attacks?  Who would we
report them to?  We don't know what the source is, after all the
address is spoofed.  It seems kind of pointless to notify the victim
-- they already know they have been smurfed.

As others have pointed out, identifying the interface the packets are
coming in from would allow you to start the tracing process.  (Okay,
blatant generalizing now.  I realize there are exceptions...)  However,
based on my experience with the providers we buy transit from, I have a
feeling you wouldn't get much of a response from most of the people you get
on the phone.  There doesn't seem to be much incentive for a NOC to track a
smurf attack that is simply passing through their network, and NOC security
teams seem generally unwilling to spend time on issues that aren't
affecting them.

Jordyn

|----------------------------------------------------------------|
|Jordyn A. Buchanan                    mailto:jordyn () bestweb net |
|Bestweb Corporation                      http://www.bestweb.net |
|Senior System Administrator                     +1.914.271.4500 |
|----------------------------------------------------------------|



