Re: [ISN] UMass computer scientist offers a new way to track internet vandals

From: InfoSec News (isnat_private)
Date: Sat Apr 13 2002 - 00:58:20 PDT


    Forwarded from: Russell Coker <russellat_private>
    
    On Fri, 12 Apr 2002 10:02, you wrote:
    
    > become so overwhelmed with traffic that they crash. Micah Adler, an
    > assistant professor at the University of Massachusetts Department of
    > Computer Science, has developed a new technique for determining the
    > source of such an attack that requires only adding a single bit of
    > information to messages sent across the Internet.
    
    Of course, if everyone put filters on their edge routers that prevented
    their customers from faking source IP addresses, then it would be much
    easier to identify the attacker, and it would make it possible to filter
    the attacks out (if the attack starts at 6PM local time for the
    attacker then you have no chance of getting the local administrator to
    do anything for more than 12 hours).  Core routers don't get filters,
    so you must be able to filter what you receive.
    
    Also, big ISPs are very wary of making any changes to core routers.
    Getting them to replace the firmware with a new version that has a
    major new feature such as this enabled will be next to impossible.
    
    Finally, tracking the source machine after a large volume of traffic
    does you no good at all if it's just a trojaned Windows box.
    Preventing DDOS attacks requires the ability to filter out the
    trojaned Windows machines as fast as they get deployed; if you can't
    filter out a new attacker in less than 5 minutes after they start
    attacking then you have no hope of stopping the smallest DDOS.
    
    
    Let's assume that we are able to make a list of attacking machines
    fast enough to keep up with the new supply (this may be impossible,
    but let's assume it isn't for the sake of discussion).  What do we do
    next?  Wait until we have a few thousand IP addresses of Windows
    machines in the router config and it can't handle the filtering load
    and melts down?
    
    Currently we have a serious problem of people crying wolf about
    network attacks.  Idiots buy so-called security software for their
    Windows PCs which alerts them every time a strange packet hits their
    machine and they start phoning and emailing ISPs about it.  Dealing
    with these people is a waste of time, and because of it large ISPs
    have special groups of help-desk people to deal with such issues.
    The result is that the only form of network abuse that will be dealt
    with is SPAM.  Anything else will never be forwarded to the people who
    are able to do anything about it (a common procedure for such
    situations is to tell the complainant that the account has already
    been cancelled to stop them bothering the help-desk again).
    
    
    In conclusion, I think that this method for determining the source is a
    solution looking for a suitable problem, and that tracking and
    stopping "internet vandals" will not be possible until people get some
    clues.
    
    
    Russell Coker
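The edge-router filtering the message argues for is easy to state precisely: a customer-facing interface forwards only packets whose source address lies in a prefix assigned to that customer, and anything else is dropped at the edge, which also pins the spoofed traffic to the port it arrived on. The following is an added illustration of that check, not code from the original post or from Russell Coker; the interface names, customer prefixes and packet records are constructed sample data.

```python
"""Ingress (edge) source-address filtering, as described in the message above.

Added illustration, not code from the original post. The interface names,
customer prefixes and packet records below are constructed sample data.
"""
import ipaddress
from collections import Counter

# Constructed: the source prefixes legitimately assigned to each
# customer-facing interface on the edge router.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],
}


def source_is_legitimate(interface, src):
    """Return True if `src` falls inside a prefix assigned to `interface`.

    An interface with no assigned prefixes forwards nothing, so an
    unconfigured port fails closed rather than open.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Apply the edge filter to an iterable of (interface, src, dst) tuples.

    Returns (forwarded, dropped) lists; the dropped packets are the ones a
    customer tried to send with a source address not assigned to them.
    """
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if source_is_legitimate(iface, src) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped


def spoofed_sources_by_interface(dropped):
    """Count dropped packets per ingress interface.

    Because the filter runs at the edge, every dropped packet is already
    tied to the customer port it came in on, which is the identification
    benefit the message describes.
    """
    return Counter(iface for iface, _, _ in dropped)


# Constructed sample traffic: two legitimate packets, three spoofed ones.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.5"),
    ("eth1", "10.0.0.1", "203.0.113.5"),       # spoofed: not eth1's prefix
    ("eth2", "198.51.100.200", "203.0.113.5"),
    ("eth2", "192.0.2.10", "203.0.113.5"),     # spoofed: belongs to eth1's customer
    ("eth2", "203.0.113.9", "203.0.113.5"),    # spoofed: the destination's own address
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for iface, count in sorted(spoofed_sources_by_interface(drp).items()):
        print(f"{iface}: {count} spoofed packet(s)")
```

Run as a script it reports two forwarded and three dropped packets, with the drops attributed to the ingress interfaces eth1 (one) and eth2 (two). On a real edge device the same rule is expressed as an ingress access list or a unicast reverse-path check on the customer port; the point of the example is that the prefix-membership test is the whole mechanism, and that it scales with the number of customer prefixes, not with the number of attacking hosts.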
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Sat Apr 13 2002 - 03:19:05 PDT