IETF To Develop Anti-DoS ICMP

ebresie writes "Here's an interesting article about a new technology that is being developed by the IETF. It's being called itrace. These are basically ICMP Traceback Messages." There's a lot in this to think about.
  • Well, not every single packet, just every one out of 20,000. So in essence it only allows tracing of people sending thousands of packets. But then again, it's random so there is always that chance....
  • The I stands for Inverse. Do some research, thank you.
  • How does this compare with the other ideas for traceback, one of which is at http://www.cs.washington.edu/homes/savage/traceback.html [washington.edu]?

    This paper has some good ideas...

  • Put a hyphen in it: i-trace.
  • I thought that the work sounded familiar. Stephen Savage, who was quoted in the article, has been seen here before [slashdot.org].

    I remember being very impressed as I read his paper. His key realization is that not every packet needs to be traced. With a large number of packets, only a tiny fraction need tracing information. Yet, the target of attacks (who is receiving 10^6 packets a day) can build an accurate picture. Brilliant.

  • This will help prevent things similar to the attack on kuro5hin.

    I thought the attack on kuro5hin involved flooding the submission queue. Since submissions are presumably made using TCP connections, they can't be made using spoofed IP addresses, so itrace would not be helpful.

  • Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."

    I seem to remember something about unreasonable search (and something else which I can't spell and isn't relevant to this point). Isn't that essentially a right to privacy?
  • Hello? This is the IETF, not the government. Itrace would only be implemented by people setting it up on routers they own or operate. Some people seem to be under the impression that because the government cannot infringe on their free speech or privacy, their ISP must let them do whatever they want.
  • Actually, it IS possible to IP spoof with TCP, though it's rather difficult to do anything. You basically send a TCP SYN to some site spoofed as coming from an IP that's not going to respond (and result in the connection being refused). You then assume the server is going to send a SYN/ACK, so you wait a bit and then send an ACK and poof, the connection is established. The only thing you can do from here is send information TO the system, since any information the system tries to send you will be sent into oblivion (a non-existent system), but this could easily be used to buffer overflow a system and either crash it OR prepare it for being hacked. Which is why these itrace packets might be useful for TCP as well as UDP/ICMP/any other IP-based protocols.

    -- Sig (120 chars) --
    Your friendly neighborhood mIRC scripter.
  • Well obviously... But that's impossible to defend against. You need to find the source of the DoS, and then contact them, and get them to find out how the attacker is using their box.
  • I completely agree that there are legitimate uses for anonymity. But I can't think of any legitimate reason for spoofing your IP address.

    Maybe I'm just dense, but it looks to me like the Itrace proposal in no way compromises anonymity, but instead defeats (or tries to defeat) IP spoofing. And I can not see any good reason why this should be considered a bad thing.
  • 3. Well when the script kiddies use certain distributed flood tools, they initiate the DDoS attack by sending a few spoofed packets to the *infected* machines. Wouldn't it be interesting to trace the actual culprit as well, instead of just the victims?
  • First of all, if you read the article, only one in 20,000 packets directed towards a target gets logged. This is hardly every packet. Second, and probably more importantly, the cost of this upgrade in equipment and deployment is immense and is certainly not imminent. It stands to reason that companies with a lot to lose from a drawn out DoS attack would seek to protect their investments by adopting a technology that protects themselves. This type of protection is necessary if the fear of this type of attack is ever to be alleviated though. Perhaps a better alternative to tracing all the way back to the source might be the end station notifying routers along the routes it knows that this attack is taking place, and the routers could simply refuse to forward the packets from this source for a specified period of time. Think of it as a sort of anti-DoS protection that secures anonymity. Once again, this would be very costly to implement and is going to find much resistance from anyone who just bought that shiny new Cisco router. Perhaps an IOS upgrade could be done to achieve this without requiring new routers...
  • For all the people who whine about 'privacy'.
    There was never any guarantee on the internet that people couldn't trace where packets were coming from. The fact that IPv4 allows forged source addresses... well.. there was simply no need to check them.

    Why would people have a problem with this? It means if you send spoofed packets, the routers along the way can *still* figure out where the hell it came from (instead of having an admin at each hop do the trace manually).
  • by AshPattern ( 152048 ) on Thursday July 27, 2000 @04:45AM (#901834) Homepage
    A friend and I were trying to figure out how to trace the DoS attacks ourselves, so I came up with an idea - why not use some of the unused space in an IP header to store the ip address of the edge router? With that system, the evil Cruft couldn't send a single packet without having a real ip attached to a geographic location.

    We were going to write an RFC and become famous.

    Then we found that it was already covered in an RFC, already in the IP protocol as the "Loose Source and Record Route."

    Force router companies and ISPs to use that particular header option, and the whole accountability problem is solved while preserving anonymity.
  • If you only send a few packets like a normal human being you won't be particularly traceable. On the other hand, a massive download is going to be quite traceable and therein lies an important question from the point of view of anonymity.
    FALSE. Even ONE packet is going to be traceable, unless you're using IP spoofing. Furthermore, IP spoofing can ONLY be used to SEND information, not to RECEIVE it (and thus, NOT to "download"). You see, when you are downloading, the server is sending you data. In order to send you data, it needs to know where you are. Thus, you tell it your IP.

    IP spoofing can ONLY SEND information. Its only use is ping flooding. It can't be used for HTTP (web sites), FTP, NNTP (newsgroups/USENET), SMTP or POP3 (email), or anything especially useful I can think of. All of the protocols listed above use TCP, which requires a two-way flow of information (TCP is based on *connections*, which require information to flow both ways -- they will NOT allow you to be anonymous, unless you have an anonymous proxy. Anonymous proxies are unaffected by ITRACE).

    I'm of two minds about it. On the one hand, I am a big supporter of the principle that the only way to guarantee freedom of speech on the net is to have technologically-enforced anonymity.
    Well, the internet does NOT have that right now. There is NO way to receive information anonymously, on the internet. The only thing you can do is SEND it, and even then, the fact that you're sending it is ALREADY OBSERVABLE, it's just not being LOGGED.
  • Thats okay. I forgive you.
    Bowie J. Poag
  • by TheZombie187 ( 208516 ) on Thursday July 27, 2000 @01:40AM (#901837)
    ISPs can solve the spoofing problem RIGHT NOW with tools available today: egress filtering. The ISPs I run have egress filtering on ALL routers (border and internal) so not a single internal host can send a packet unless the source address is at least within the same subnet. Makes more sense to me than inventing another ICMP standard which requires all router manufacturers to update their software, and all ISPs to upgrade to the newer software.
  • I could not tell it better.
    Thanks for bringing some light on that privacy whining.
    Funny how the whining people just complain to their ISP when their ISPs are under attack, but they certainly don't want any new technology to solve that problem, in the name of "privacy".
    Yeah, you need to give some of your privacy away if you wish to also get a way to trace back abuses to the source.
  • Every time I log on to my ISP I'm assigned a different IP address and I'm willing to bet that they don't keep a log of these.

    How much are you betting? I could make some easy money here :)

    Email your friendly ISP and ask them what connection details they keep, and how long they keep them. Hint: Your username & the IP assigned to it, date, time, and connection time, are all part of it...
  • And countries can solve the DOS issues by better educating their pupils.
    Easier said than done.
    Try to reach each and every tech who ever configured a router, and explain it to him.
  • Most decent dialup hardware is 100% digital anyway, so you have equipment sitting on ISDN lines capable of answering ISDN calls but serving up analog connectivity as well, so ALL calling numbers are available and can be logged or used in the fashion you mention. This level of logging is a common practice among most responsible ISP's.
  • I have never been bothered by a cop in NY. But then, I'm white and don't skateboard. :rolleyes:

    Seriously, if you don't like it, move. Personally I'm GLAD that crime in NY has gone down so much. The racial profiling certainly needs to be toned down a GREAT deal (Diallo is a tragic example of this), but other than that I have no complaints about the NYPD.

    Thank you.

    4920616D206E6F7420656C6974652E
    Remove the obvious to email me.
  • Hey, you're welcome. I sorta got tired of having a 60+ Karma rating.. I've managed to drop it down to like 30 or so within the course of just a few days just for fun. :)


    Bowie J. Poag
  • Rolling out itrace would be a lot easier than setting up egress filtering for many medium sized ISPs - as when you provide transit for other providers the access lists required can quickly grow very large - and can fluctuate regularly, so just keeping them maintained can be a tough job. Itrace would probably just mean typing "service itrace" on a cisco and then keeping half an eye on the logs.

    I work in the industry and it scares me when I talk to the techs at other companies and they have no idea how their network works - they've just cobbled it together from other people's suggestions without any real understanding of why they're doing things...

    I wholeheartedly agree that egress filtering is needed to stamp out spoofing though - itrace only gives a method of tracing an attack back once it is underway - egress filtering would mean it would never start in the first place.

    If only cisco would enable an optimised easy to configure egress filtering service :)
  • Name one, then abandon TCP and use it to do all the things you do on the internet

  • Seriously now, considering that every packet has a source and destination IP address, adding some instrumentation to verify that source addresses are not spoofed has zero impact on privacy.

    It does raise the bar, so the next steps in the cat&mouse game include ever-more-diffuse distributed attacks to avoid ever-more-watchful intrusion detection and traceback mechanisms. Is that a bad thing? No -- it is a good thing to make successful attacks more challenging.

    A little more background reading:

    Stefan Savage, Practical Network Support for IP Traceback [washington.edu] a technique for tracing, but requires a little packet marking/mangling which makes it unlikely to be adopted. Clever, though, I'm sure some of the ideas will fold into itrace.

    Robert Stone, CenterTrack: An IP Overlay Network for Tracking DoS Floods [nanog.org] A tool for ISPs to build monitoring networks without making every component cooperate. Hmmm... I wonder if Carnivore has remote tunnels built in?

    Other efforts in traceback involve perturbing the source of floods (e.g. by hop-by-hop reverse flooding) and watching the statistical properties of the flood at each step.

  • Read /. recently? After a k|dd|3 is in, any simple r00tk|t can erase his actions from the logs. If the admin was a dork for letting him in in the first place & firing his DoS without noticing him (remember; I was the one warning them about it) I doubt he is capable of tracking the kiddie down. Any moron would notice the loss of bandwidth IMHO.
  • 2. you send massive amounts of data. The itrace message is only sent for every 20000th packet. That is flooding.
    Or uploading a large file over a reasonably fast connection to someone else with an equally fast (or faster) connection :)


    -- Sig (120 chars) --
    Your friendly neighborhood mIRC scripter.
  • I'm not talking about logs (and even so, the percentage of hax0rd boxes that are truly without logs or other evidence of intrusion are probably smaller than you think).

    I'm talking about real-time monitoring of network traffic and system usage. If someone's able to track the source of the attack back to a hax0rd system, all the competent admin has to do is fire up a packet sniffer, protected netstat-type utility, whatever, and figure out where YOU are connecting to this compromised machine. Since this connection is unlikely to be spoofed, the source address is guaranteed, and he can proceed to contact *that* ISP. Repeat if necessary.
  • This seems to be an application of the technology described in that one paper on storing trace information in packets in a backwards-compatible way, that slashdot had a while back. I now can't find the article. Some guy described the whole process of how one could squeeze the information into unused parts of packets.
  • Actually spoofed packets are useful in not-so-evil manners.

    Well, tough. I'm afraid current internet practices of simply disallowing fake source packets will quickly render your protocols unusable.

    Note that there are already other ways to send stuff anonymously, for example using onion routers. The freedom program by zeroknowledge [zeroknowledge.com] uses this technology, for example.

  • The majority of people don't commit murder. Therefore, there is no need for police.

    Right on. I'm sick of all these politicians promising to "put more cops on the streets." This is the last thing we need. The only thing cops do is shoot innocent black people and bother skateboarders in the mall. They have more rights than normal citizens, and can (at least in New York) do pretty much as they please. And there are so fucking many of them.
  • For itrace to become useful, it has to be installed near DoS-ing hax0red boxes, and/or near the script kiddies.

    Currently, these DoS-originating locations can stay anonymous if they can spoof their IP address, that is, if the connecting ISP didn't install proper filters to protect against spoofed addresses.

    So before itrace can become effective, these already clueless ISPs must be persuaded to upgrade their hardware. These are the same ISPs that currently don't install IP spoofing filters, even though that has been recommended by various organisations for years now.

    And given the fact that there are still some remote locations that are so outdated that they don't understand CIDR routing, I expect it to take much longer than 18 months for itrace to become effective against all spoofed IP addresses.

    Maybe we should stimulate the major router vendors to give away OS upgrades that include itrace for free :)

    No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun.

    So from the tone of this can I correctly infer that you believe the government should take guns out of the hands of law abiding individual citizens? Let's only let the criminals have the guns? Or are you one of the Rosie O'Donnell thinkalikes who believes nobody should be allowed to have guns except you or your body guard?
  • by martin ( 1336 )
    I thought IPv6 had something like this built in..or am I talking out my hat as per usual?
  • The majority of infamous DDoS's are against webservers, but don't rely upon the site running an http daemon. A large number of DoS attacks are attacking the host machine and its TCP/IP implementation, eg SYN attacks, ICMP ping floods being echoed off of subnets.
    Fixing webservers will not stop DDoS attacks.
  • I believe (I read the article yesterday) that they mention that a method of verifying the iTrace ICMP messages will be developed (some sort of PKI perhaps?)
  • So now every single packet I send can be traced back to me. If I posted this as an AC, it would be possible for law enforcement to follow the leads back from slashdot all the way to my PC.

    That's scary in itself, but since these DOSers hack into machines that might be on the route, with trace software installed, THEY can also find out who I am. They could even fake those logs to make it look like I was responsible for something I didn't do.
  • Name one, then abandon TCP and use it to do all the things you do on the internet

    Are you trying to make some kind of point here? I simply said that TCP was not essential for a DOS attack, not that you could do everything on the Internet without it.

  • Dude, you can't browse the web using IP spoofing. You *ALREADY* need to divulge your IP to use any TCP service. That includes SMTP/POP3 (email), HTTP (web), NNTP (newsgroups), FTP, IRC, Telnet, Ssh, and *MOST* others. Furthermore, even most UDP protocols send data both ways, and IP spoofing can only be used for SENDING data, not RECEIVING it.

    Most people don't use IP spoofing anyway. However, you can always use an anonymous proxy service, such as anonymizer.com. So what have we learned? (1) No privacy has been lost here, (2) you had no privacy in the first place, (3) you can GET privacy if you really want it, through proxying, which ITRACE cannot affect.

  • As far as I can tell after reading the article and the proposal, this doesn't seem to have any significant effect on anonymity for the most part.

    A quick summary of the proposal as I understand it: Routers that supported this feature would after sending a data packet, randomly also send an itrace packet to the destination, containing the previous and next hop. The TTL in the packet would always start at 255, so it would be possible to determine how far back along the path the router that sent the itrace message was. Additionally, there would be an authentication system to ensure the veracity of the itrace packets. The IETF proposal suggests that the chance of a router sending this packet would be about 1/20000.

    This doesn't affect anonymity. It isn't possible to determine anything more with this system than you would be able to normally, unless the IP address is spoofed. With a spoofed IP address, you might have a chance of determining the real originating host; with a valid source IP address, such a traceback would likely be available with a simple traceroute. Additionally, the packets are only sent randomly and occasionally, so the chances of a packet being sent are pretty low unless you're sending a lot of packets.

    What I'm not sure about, however, is how effective this will be. If the chance of an itrace packet being sent is only one in twenty thousand, how many data packets would need to be sent in order for the destination to receive a complete trace back to the source. Obviously, in most typical DoS attacks, lots of packets are sent. Would this be enough, or would itrace only be effective for the largest DoS attacks?
  • Blockquoth the poster:
    I'm stirring a little, but I get tired of people pouring their bleeding hearts over rights in the internet arena that they lost in other arenas years ago.
    Fair enough. Some of us get a little tired of the sheep who decide that a loss of freedom anywhere justifies a loss of freedom everywhere, or who think that the fact that things have gone wrong somehow makes it right that they go wrong. I find it one part funny, two parts sad when I see people scoff at the notion of a "slippery slope" ... then make arguments like the above to justify giving up.
  • I don't see how this can work. Every time I log on to my ISP I'm assigned a different IP address and I'm willing to bet that they don't keep a log of these.

    They do. I'm sure there are some exceptions, but not many.

    That's how they identify people violating their acceptable use policy (spammers, script kiddies, etc).

    They are able to track undesirables without the help "itrace" because practically all non-DDoS activity requires legitimate source addresses on the packets in order to complete the TCP three-way handshake.

  • Some time ago, someone at Ars Technica [arstechnica.com] posted a similar idea. I couldn't find the article anymore, but if you have some free time, try and find it as it was very interesting.

    Paranoids of the world, unite!

  • Dude, the internet does NOT allow anonymity. In order for you to RECEIVE any information (such as a web page), you need to divulge your address. This is the same principle behind which you must divulge your shipping address if you expect to receive packages. ITRACE doesn't take away any anonymity from average people who don't use IP spoofing. It makes IP spoofing harder. IP spoofing makes the internet worthless: you can't use it to visit web sites, you can't use it to send email, you can't use it to go on FTP sites, you can't use it to telnet, etc. It prevents you from receiving ANY information. It's the electronic equivalent of putting a fake return address on a letter. It prevents two-way communication.

    That's why NOBODY but crackers use it, NO operating system supports it natively, and NO protocol works under it. Its only use is cracking.

    Furthermore, anonymous proxies -- which are already the only way to be both anonymous and useful on the internet -- are unaffected by ITRACE. NOBODY lost any privacy here, except crackers.

    It's unbelievable how many people on slashdot do not understand basic networking principles!

  • I know but the itrace solution requires every tech which ever had configured a router to upgrade that router anyway, which leads me to my point that there IS a better solution out there, that can be used already, but nobody is, so why waste time inventing a new one, that is not as effective and even less likely to be implemented?
  • by Lion-O ( 81320 ) on Thursday July 27, 2000 @01:56AM (#901867)
    Sounds kinda nice but let me get this right; I'm tracing the origin of the DoS flood. In other words; this will lead me to one of the, in most cases, many servers which are sending me this flood. What good will that do me? Sure, I know which company has a h4x0r3d server and I can tell them that their server flooded me but this won't resolve the issue. C'mon; there are millions of servers out there. If I can trace one and even let them shut it down the script kiddie can have 5 others in no time. Happy tracing!!

    No, I've said it before in an earlier post; the only way to solve this IMHO is to let the hosting providers come together and set up a guideline / rule for all servers being hosted. If they don't meet the security limits it's either done for them or bye bye. When these people stop thinking about money all the time and also give a little bit more consideration to the Net our troubles would reduce enormously.

  • First of all, the amendment related to guns is the second. Next, that amendment does not give you as an individual the right to own or carry a gun. It gives the states power to arm their militia. By law, this means the national guard. No section of the constitution or the US code allows you to form your own militia and claim the right to carry a gun. This view has been consistently upheld by the Supreme Court, most directly in US v. Miller, 307 US 174. For a more in-depth analysis, see The Politics of Gun Control, Robert J. Spitzer.

    Read Miller again. Miller lost the case because a sawed off shotgun is not a weapon with much military value. There is even some language that infers that 2nd is an individual right.

    Also check out US v Emerson which is now before the 5th Circuit. Judge Sam Cummings ruled it an individual right and it looks like the 5th Circuit is leaning that way. The whole issue could be before SCOTUS next year.

  • If itrace sent one traceback packet for each packet that passed through a router, it would far more than double the effectiveness of the DDoS - For every packet that went from source to destination, a new packet would be generated for EVERY HOP! Of course, this is a moot point, since it's only one out of every 20,000 packets that goes through a router. (Of course, this means that if you have 20 hops, a traceback message will come from somewhere in the route every 1000 packets or so...)
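The following is an added simulation, not code from the article or the IETF draft, of the sampling scheme summarised a few posts above (each router independently marks about 1 in 20,000 packets with a traceback naming its previous and next hop, TTL starting at 255) and of the 20-hop estimate in the post just above. Router names, the "attacker-lan" ingress and the victim are constructed; messages are assumed authenticated as the draft intends, so a forged one is only caught here when its hop pointers fail to chain.

```python
"""Constructed simulation of itrace-style ICMP traceback sampling.

Model (as the page describes the draft): every router on the path
independently emits a traceback message for about 1 in 20,000 packets it
forwards, naming its previous and next hop; the message starts with TTL 255,
so the victim can read off how many hops away the reporting router is."""
import random
from dataclasses import dataclass
from math import comb

SAMPLE_PROB = 1 / 20000   # per-router sampling rate quoted in the article
INITIAL_TTL = 255         # traceback messages start life with TTL 255


@dataclass(frozen=True)
class Traceback:
    router: str           # router that generated the message
    prev_hop: str         # where the router received the packet from
    next_hop: str         # where the router forwarded the packet to
    ttl: int              # TTL remaining when the message reaches the victim

    @property
    def distance(self) -> int:
        """Hops between the reporting router and the victim."""
        return INITIAL_TTL - self.ttl


def forward_packet(path, rng, p=SAMPLE_PROB):
    """Send one packet along path = [origin, r1, ..., rN, victim] and return
    the traceback messages the victim receives for it.  The origin is the real
    ingress network (a hypothetical name), not the spoofed source address."""
    victim_index = len(path) - 1
    messages = []
    for i in range(1, victim_index):                     # routers only
        if rng.random() < p:                             # sampled this packet
            hops_to_victim = victim_index - i
            messages.append(Traceback(router=path[i], prev_hop=path[i - 1],
                                      next_hop=path[i + 1],
                                      ttl=INITIAL_TTL - hops_to_victim))
    return messages


def reconstruct_path(messages, victim):
    """Rebuild [origin, r1, ..., victim] from whatever messages arrived,
    walking outward from the victim one hop at a time.  Stops at the first
    missing distance (partial trace) and returns None if a message's
    next_hop contradicts the hop already placed there."""
    by_distance = {m.distance: m for m in messages}
    chain = [victim]
    d = 1
    while d in by_distance:
        m = by_distance[d]
        if m.next_hop != chain[-1]:
            return None                                  # pointers do not chain
        chain.append(m.router)
        d += 1
    if len(chain) == 1:
        return None                                      # nothing received yet
    chain.append(by_distance[d - 1].prev_hop)            # farthest router's ingress
    return list(reversed(chain))


def packets_until_complete(path, rng, p=SAMPLE_PROB, limit=10_000_000):
    """Packets the victim must receive before the full path is reconstructed."""
    received = []
    for n in range(1, limit + 1):
        new = forward_packet(path, rng, p)
        if new:
            received.extend(new)
            if reconstruct_path(received, path[-1]) == path:
                return n
    return None


def simulate_trace(n_routers, p=SAMPLE_PROB, seed=1):
    """Build a constructed path with n_routers hops and run one simulation."""
    path = ["attacker-lan"] + [f"r{i}" for i in range(1, n_routers + 1)] + ["victim"]
    return path, packets_until_complete(path, random.Random(seed), p)


def expected_packets_per_message(n_routers, p=SAMPLE_PROB):
    """Mean packets between traceback messages from anywhere on the path
    (20 routers at 1/20000 gives one message per ~1000 packets)."""
    return 1 / (n_routers * p)


def expected_packets_for_full_trace(n_routers, p=SAMPLE_PROB):
    """Expected packets until every router has reported at least once:
    E[max of n i.i.d. Geometric(p)] by inclusion-exclusion."""
    return sum((-1) ** (k + 1) * comb(n_routers, k) / (1 - (1 - p) ** k)
               for k in range(1, n_routers + 1))


if __name__ == "__main__":
    path, n = simulate_trace(20)
    print(f"20 routers: full trace after {n} packets "
          f"(expected about {expected_packets_for_full_trace(20):.0f}, "
          f"one message per {expected_packets_per_message(20):.0f} packets)")
```

For 20 routers the expectation works out to roughly 72,000 packets before every hop has reported once, which is why the scheme only gives a complete path for sustained floods and not for a handful of packets.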
  • What keeps a script kiddie from sending spoofed itrace packets implicating every machine on the planet from a compromised machine?

    If you read the article, it addresses this concern:

    "ISPs face the cost of upgrading their routers to support itrace, and also the cost of developing the public-key infrastructure required for traceback message authentication. Without fail-proof authentication, hackers can create bogus traceback messages to accompany their denial-of-service attacks."

  • #define PACKETS_TO_TRACE_PER_20000 1

    moderating today from redmond.corp.microsoft.com

  • Just the opposite - The DoS packets are spoofed, because they only need to go one way.

    As has been pointed out numerous times in this article before, THIS DOES NOT AFFECT TCP STREAMS! If you have a TCP connection, YOUR IP IS ALREADY KNOWN! You cannot combine spoofing with the ability to receive data. If you want to remain anonymous, use an anonymizer proxy, which itrace will not affect.
  • I hope the writer of the article is confused. If you put your trace messages in separate packets, you'll only be able to trace the DOS as far as the reflector machines. That's useless -- we know who the reflector machines are already. If you put the trace message inside the packet payload, you've got a much better chance of tracing the entire path without having to ask the guy at the reflector machine to get involved.
  • by dingbat_hp ( 98241 ) on Thursday July 27, 2000 @05:39AM (#901874) Homepage

    You're falling into the trap of the Politician's Syllogism:

    • Something Must Be Done
    • This is something
    • Therefore this must be done.

    Aren't you posting from the UK ? Right now the UK has the unedifying spectacle of a government simultaneously imposing draconian anti-privacy measures in the RIP bill [stand.org.uk], yet also having their own secrets exposed by "Benji the Binman", owing to their own complete lack of understanding on basic infosec (shred your rubbish).

    We already have many defences against DDoS attacks. The best one is installing Clues in the admins of bozo ISPs (not forwarding RFC1918 is a damned good start), but more robust inbound routing helps too (stateful packet inspection still isn't commonplace, yet it kills things like SYN flooding). We can fix this. Sure, it sucks today, but let the geeks work it out and we'll get the holes patched.

    So what are you suggesting instead ? Modem Licences, to go with the Modem Tax rumours you recall so fondly from the Net 10 years ago. The infrastructure is flaking, there are too many cluephobes jumping on the ISP bandwagon, yet you want to start beating up on the users ! I'm sorry if AOL doesn't meet your standards of intellectual superiority (are you a Mensa member too ?), but their cash is as good as yours or mine, and they've just as much right to be here.

    If I walk into my local pub and behave like a jerk I'll be thrown out. Cross the road and the same behaviour is accepted as normal; different pubs, different communities, different standards of behaviour. How is your "global net access" going to support that ? I don't want Kansas fundies telling me that evolution doesn't work, and they probably wouldn't want me offending their local ordinances either.

    Don't like Grits with your Slashdot ? Let's make moderation work better. Virtual Communities are still a pretty new concept, and we're going to have to learn how to deal with the odd Mr Bungle or BeerGuy.

    Personally I think an age limit of 32 is about right. Keeps off the people who don't remember uucp and real netiquette. How do you like that idea ? 8-)

  • This is not an attack on anonymity. Go read the actual IETF draft. You will see that the only thing it helps with is tracing back packets with SPOOFED originating IP's.

    This will help prevent things similar to the attack on kuro5hin. Unfortunately, if attackers are using compromised machines, all it will (or can) do is help to quickly find the real IP addresses of the machines that have been compromised. You see, someone doing a denial of service attack right now can cause the servers they are using to output IP packets that look like they are from somewhere else. When those packets arrive at the target, 10 hops later, it is nearly impossible to find the real machines that are causing the attack. That's what this proposal solves.

    This has nothing to do with eliminating privacy or anonymity. Every time you connect to a web site now, they can find out the IP address you are coming from. Duh! How else can they send the web page back to you??? If you spoof your originating address, you cannot have a two way conversation.

    IP source spoofing is ONLY useful for denial of service attacks, and that is the ONLY thing this proposal addresses.

    The so called solutions you are advocating, like restricting access to the net would be far, far worse for invading privacy. Think about it... how are you going to make sure that only "authorized people" use the internet? Well, you will have to identify all of them. With examinations, meeting criteria, getting what is equivalent to an "internet license"... well damn, there goes privacy! Just like anyone who sees your license plate on your car can find out who the car owner is. No privacy there either. Did you think about this?

    The IETF proposal is not a perfect solution. You are correct that there probably isn't one. However, it is a good one and 100% better than your suggestion.


    Torrey Hoffman (Azog)
  • Is IP spoofing really that valuable to you? Or do you just not know what you're talking about?
  • I agree that this new proposed system does not really pose a threat to privacy in the net (unless you're a skript kiddie). However,

    They're not complaining about the postmark on their snail mail

    Just as it is questionable to say that the traditional means of bootlegging music (copying a tape to friends for instance) are similar to Napster, you really shouldn't compare e-mail with snail mail/phone privacy either. Once again it's a question of scale: what you can and cannot do with a reasonable amount of effort. In the meat world it's much more difficult to keep track of a person's mail and whereabouts and that's why extensive and continuous surveillance has been conducted only on people who are already under suspicion. However, on the net it is much easier to track a person and -- more importantly -- to do exhaustive searches for suspicious (whatever that happens to mean at the time) correspondence. To my mind this would correspond in real world terms to the authorities opening and reading snail mail at random in order to look for evidence of crime.

  • I think it is impossible for whoever should enforce this restriction to check on everybody's age or whatever restrictions one can think of. Besides, if they could do that, they would need far more information about you than they can ever get over the net.
    This alternative is far more intrusive than the original idea.
  • 2000-07-26 09:01:57 The end of ddos? (articles,news) (rejected)
    posted yesterday but rejected...
  • by DrWiggy ( 143807 ) on Thursday July 27, 2000 @02:00AM (#901880)
    This attitude always makes me smile a little. People assume that the Internet is currently anonymous and that technologies like itrace will somehow throw that anonymity away. The truth of the matter is that currently, if you use the Internet in a normal fashion whereby you are receiving data, you are traceable. If you want anonymity then I suggest you use an anonymizer - it's what they're there for.

    Also, if you had read the article fully you would have realised that not every packet you send will be traceable - only one packet in 20,000 will cause a traceback message. This means that normal activity is unlikely to cause many traceback messages, whereas a full-on DoS will get spotted easily and be traceable. This is important because if every packet caused tracebacks, then a DoS would be twice as effective (think about it).

    And lastly, we come to the fact that hackers might be able to spoof tracebacks to make it look like it came from you. Again, if you'd read the article you'd realise one of the technical challenges in implementing itrace is the PKI platform that will have to be built for authentication purposes, to ensure spoofing of these messages is not possible.

    --
  • Can anyone tell me why it is taking so long? What are the problems, etc.? Where can I find information about this?

    Thanks in advance

  • You don't really lose anonymity. If you use the internet in a normal way, everybody can trace the traffic you generate back to you because the source ip is in the packets you send. You're never anonymous, whether you like it or not.

    If you're doing a DOS attack however, you just replace your ip with a bogus one, and send tons of those packets to the poor target. Since the source ip isn't yours, you're not really traceable. ICMP traceback will get you anyway, since they'll find the machine the packet originated from, whether the source IP matches the machine's or not.

    The largest problem however is still catching the attacker. Catching a simple cable user will be easy because there is only one person involved. If it involves a machine which is used by multiple users, there is no way to say what user did the attack. The article also states this point. And hacking routers to fake logs? They can do it right now by hacking into your ISP's server machines and changing log entries that involve you.

    I wouldn't worry too much about your anonymity. Your situation won't get worse, unless you're into DOS attacks, and then still... they found the machine you used, which you might have cracked too...

  • You're absolutely right, that was a bad example.

    I think that the reaction to the alleged "loss" of privacy on the net is a little extreme given the cost that privacy is beginning to create. I can live with people being able, provided it is not *too* easy, to get an idea of what I'm browsing, if it means that I can continue browsing it. If the cost is such that 15-year-old jerks with nothing better to do than get cheap thrills breaking things are taking away the services I want to use, then in my humble opinion, the privacy has come at too high a cost.

    I don't like making the tradeoff, but I'd rather have a service that was not completely anonymous than be able to anonymously participate in a medium that has been reduced to complete uselessness.

  • So routers send ICMP messages about packets they pass on? Well, can't you just flood the target with faked itrace-ICMPs? How exactly is the victim supposed to be able to tell which ones are real and which ones are not? And the routers can't really send these itrace-ICMPs about an ICMP, since there is this rule about not sending ICMPs about ICMPs, right?
  • Discarding all incomplete requests can solve most problems. One packet is enough for almost any http request. Oh yeah, I know there are long cgi-bin requests, but these could be handled somehow differently.

    Every secretary using MSWord wastes enough resources
  • by Azog ( 20907 ) on Thursday July 27, 2000 @05:51AM (#901886) Homepage
    The itrace packets will have an authentication section. Read the ietf draft, it explains some of the possibilities.

    At any rate, spoofed itrace packets will be detectable.


    Torrey Hoffman (Azog)
  • Well - additional IPv6 info is available all over the place - try starting at IPv6.com [ipv6.com] or the IETF IPNG Working Group [sun.com]. The 6Bone is a network of Internet hosts running IPv6 already, and there's a transition planning working group [6bone.net] that's arguing, er, discussing, the transition. UNFORTUNATELY, their schedule/roadmap on the transition planning page ends at March of 2000, with an entry to evaluate the state of their roadmap.
  • I am not an ISP, nor do I have experience in any of these ways, but is it possible to perhaps have a hostname alias that the ISP attaches when you connect on that will allow for better tracking of dialup accounts? Say something like:

    john_doe.dialup.isp.com

    which can/and would only be assigned by the ISP.

    For that matter, can't they tell who is dialed in at any particular time, presuming they are logging all the appropriate information?

    BreezyGuy

  • At least with names consisting of "i"+$propernoun (like "iMac"), while they violate every convention of capitalization in English, that odd capitalization at least gives some clue as to their pronunciation. Have we really devolved to the point where any word that appears on the internet that has an "i" in front must be pronounced with a long "i" separate from the rest of the word? Didn't someone realize that this coopts the single most used word in the English language in the process and renders it a mere idiot prefix? At least when companies did this with "super", that was a normal adjective.
  • Please. You'd just step back to the days of wardialing and hacking accounts again, that's all. I actually used to PAY for a shell account that had to be accessed over a hacked link, due to no local dialups 10 years ago. People WILL find a way. Script kiddies will dust off ToneLOC and be back on the net, probably before you or I finished our licensing tests. There is no perfect solution, to be sure; either we give up some privacy, or, as you say, get licensed.

    The problem with getting "licensed" is that we'll have to give up MORE information that way anyhow. Aside from the enforcement angle, making sure that everyone on the net has their proper license, it would get real messy real fast, and end up with the worst of both worlds.
  • by Coz ( 178857 )
    The 6Bone [6bone.net] already exists, and is being used to hammer on the protocol and work out the kinks, plus figure out how to let v4 and v6 coexist.

    That crisis point you talk about is coming - just wait until all those new top level domains come on line and folks start realizing we're almost out of IP addresses (and given the trend of new IP allocations, we're lucky if IPv4 lasts another 24 months). IPv6 isn't something ISPs and the backbone will move to voluntarily (with a few farsighted exceptions) - it's going to be one of those gun-to-the-head-of-the-business situations that makes life so enjoyable for us spectators.

  • "Well firstly we need some kind of age limit"

    Not only is that completely unethical in my opinion, but also unconstitutional where I come from.

    "there is a lot of offenisve [sic] material out there that we don't want our kids seeing" - Speak for yourself, buddy.

    "to people mature enough to take responsiblity for their own actions" - I know plenty of people over 18 who don't fit this mould.
  • The article says deployment of Itrace will take 18 months anyway, so why not put that money and effort into upgrading the infrastructure for IPv6 instead?
  • We can't let them take our right to privacy too.

    Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."

    Ninth:

    The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

    What you may be unaware of is the fact that there were many people who argued against the Bill of Rights for the very reason you've illustrated: they claimed that it would have the result of effectively restricting what Rights were actually protected because they didn't name them all (After all, in their view, Rights are intrinsic, they can't be granted, they can't be taken away. Everything else is privilege). Amendments 9 and 10 were written to counteract this, but I'm not so sure this was effective. After all, how many cases do you know of that reach the Supreme Court under 9th and 10th amendment claims? They may be there, but they are certainly overlooked by the public.

  • by akey ( 29718 ) on Thursday July 27, 2000 @03:00AM (#901902)
    I'm sick and tired of good intentions being used to defend bad plans.

    Uh, sorry. No. The internet as we know it was built on a large number of assumptions, many of which are simply no longer true. The largest of these assumptions is that there was no reason for built-in security, since the only people using the network were academic types -- and it was true that the various institutions could generally trust each other. But as the network became more open to the public at large, the old assumptions began to break down. This plan is an attempt to fix a single problem in an inherently bad design. Get over it.

    ---
  • That was considered, but has the problem that an attacker can generate packets with phony route recording info already present, preventing the addition of new data.
  • Actually spoofed packets are useful in not-so-evil manners. I'm working on an anonymous file transfer protocol that depends on the ability to hide the return address. That is, you can send a file to someone without them knowing where it came from or being able to trace it back to you. There are two levels of anonymity:

    1. You send packets directly to the target host using UDP with a spoofed return IP address of 0.0.0.0. This method can work to receive packets from behind a firewall with a SOCKS 5 server. Since this doesn't use ICMP it's not affected by itrace.

    2. You send packets inside of an ICMP message to a random host on the net. The ICMP return address contains your target host. This is the most secure method, but you could end up pissing off some unwilling participants. You can reduce this by spreading the packets across a lot of hosts.

    The astute reader will note that both methods use lossy transmission (UDP and ICMP). So a communication channel must be set up where the target can report lost/missing packets. Since this protocol is specific to file transfer, lost packets don't need to be reported individually and so they are clumped together and passed around a chain of computers (à la a gnutella-like network). The sender eventually gets the updates and resends the remaining packets.

    Itrace could possibly affect method #2, making it easier to trace a packet back to the source. But it really cannot isolate the sender to more than a subnet unless it is installed everywhere. There is too much equipment out there now that will never be replaced to make this a reality.
  • Some points:
    • This has no privacy implications. All useful IP packets have valid source addresses, so you know where they came from. With an invalid source IP address, you'll never get an answer, and can't open a TCP connection. All this affects is packets with forged IP addresses.
    • It's a sampling system. The recommended sample is 1 in 20000 packets. Until someone has sent you substantially more forged packets than that, you won't be able to trace them. So it's useful only against massive denial-of-service attacks.
    • It won't help much in finding systems on LANs. It will identify the LAN's router to the outside world, but unless the LAN's router fully supports Itrace with reverse Ethernet lookup, it won't identify the source machine.
    • Effectively, this means you'll have a box or router feature that reports the sources of major IP source spoofs. It doesn't provide any means of dealing with the problem. It tells you whose hacked system needs to be fixed, and where their upstream router is so they can be disconnected.
    • It's not automatic. There's nothing in this that actually stops an attack.

    So it's a useful first step, and the one that has to be widely deployed before anything else can be done. Good work by the IETF.

  • by Zaffle ( 13798 ) on Thursday July 27, 2000 @02:28AM (#901913) Homepage Journal

    Before going off and criticising this, take note of these two points:

    1 in 20,000 packets will be affected. So it's not as if every packet you send is affected.

    All it does is send what the router knows of the packet to the destination.

    In other words, if you are surfing slashdot, every once in a while, slashdot will get an itrace packet saying that 1.2.3.4:1234 destined for slashdot.org:80 was routed through me.

    However, if you are surfing slashdot, then slashdot ALREADY knows your ip address. This only affects you if you use spoofing to send packets out. And remember, spoofing is (basically) connectionless. You can't connect to a website and get a page (or even request a page) with a spoofed IP address. You can only send out individual packets that have a spoofed from address.

    So, how does this affect my privacy? Well, if I do lots of DOS attacks, or spoofed portscans, then occasionally the site I'm attacking will find out some of the routers I'm going through. If I'm a regular joe blogs, surf porn sites on company time, and generally do things I don't want the public to know about, then some of the places I visit will find out occasionally which router I go through. However they can get this information really easily via a standard traceroute.

    So in the end, it has VERY LITTLE effect on privacy, except on those who are trying to spoof their return address (And spoofing your return address is 90% of the time used only in attacks. (Occasionally it could have a legitimate purpose, but if it did, then you shouldn't care if the other site figures out who you are)).

    As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.

    Oh, that's one thing: if the authentication isn't good enough, then you'll be able to fool some sites into thinking you are routing through a different router. However this only brings us back to square one, no further.

    ---

  • Actually even though we (I work for a middling-sized ISP) keep radius records of users' connections and which POP they access from, it's not because of a privacy issue. Sure I've been called out by the State Police to track down malicious email, threats, harassing websites, etc... But the primary reason is that way when (l)users call up asking how long they've been on for a month, we can tell them. Also, say they claim they stopped using their account the first week, but we have transactions of that account coming from a different area for the rest of the month, we can tell that the account has been compromised..
    Trust me, as a net-admin, I have far better things to do than run a tcpdump on each of my Ras-boxen to see who's seeing whose dirty sites. (That's what my cache server logs are for :)) I'd rather spend my time doing more productive things like a recursive grep through the mail logs and forwarding a copy to the offender's parents/wife/etc.... But seriously, Radius logs are usually kept for customers who would be the first to complain.... I didn't even USE the account!!!
    but this opens up a whole new can of worms
  • by Minupla ( 62455 ) <minupla@noSpaM.gmail.com> on Thursday July 27, 2000 @02:36AM (#901919) Homepage Journal
    OK, before everyone gets up on their horses....

    Firstly I support internet privacy totally.

    Secondly this initiative does not erode that.

    Read the article, and you find a few things...

    1) itrace packets are only sent for approx 1/20000 packets through a router, greatly reducing any traffic analysis benefits from monitoring itrace packets

    2) the packets go to the destination. So only your destination and points between can read the itrace packets, but they can read your packet anyways, so no biggie.

    Ergo, the only time an itrace packet will tell anyone anything more than they would know by looking at the IP header of your TCP packets is in the limited case where the IP address on the packet is forged.

    Now why, you might ask, would you want to forge an IP address? Good question. Remember if your IP address is wrong, no return traffic will reach you. The 2 cases I can think of are:

    1) doing a TCP hijack attack, and due to the probable low volumes (telnet doesn't generate THAT many packets) in the hijack stream the chances of getting caught by an itrace packet are pretty slim.

    2) performing a DOS attack, which is pretty much totally evil.

    3) doing a portscan with a decoy. You might get your fingers slapped here. Life's a beach.

    So, as far as playing on gnutella, or posting as AC on slashdot is concerned, you don't lose anything to itrace in terms of anonymity that you hadn't already lost by having your IP address on a packet.

    I hope that clears things up somewhat and avoids a flame or two.

    ----
    Remove the rocks from my head to send email
  • by wowbagger ( 69688 ) on Thursday July 27, 2000 @03:13AM (#901922) Homepage Journal
    What keeps a script kiddie from sending spoofed itrace packets implicating every machine on the planet from a compromised machine?
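    The sampling the three posts above describe (one traceback message per 20,000 packets, reconstruction at the victim) and the forged-message worry raised just above, as an added simulation that is not part of the thread or of the IETF draft: the 4-hop topology, the addresses and the per-router HMAC keys standing in for the draft's authentication section are constructed assumptions.

```python
"""Simulated itrace sampling and victim-side path reconstruction (added example).

Routers on a constructed path emit one traceback message per 20,000 forwarded
packets, the rate the article quotes. The victim collects them, drops the ones
that fail authentication and rebuilds the path hop by hop. The per-router HMAC
keys are an assumption standing in for the draft's authentication section.
"""
import hashlib
import hmac
import random

SAMPLE_RATE = 20000                 # one traceback message per 20,000 packets
VICTIM = "192.0.2.10"               # constructed victim address
ATTACKER_PORT = "isp-edge-port-7"   # the ingress the first router really saw

# Constructed path from the attacker's ISP edge to the victim, first hop first.
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "10.0.3.1"]

# Assumed per-router keys the victim can verify against (not the draft's scheme).
ROUTER_KEYS = {r: hashlib.sha256(f"demo-key-{r}".encode()).digest() for r in PATH}


def make_traceback(router, prev_hop, next_hop, key):
    """One traceback message: 'router forwarded this packet prev_hop -> next_hop'."""
    body = f"{router}|{prev_hop}|{next_hop}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"router": router, "prev": prev_hop, "next": next_hop, "tag": tag}


def verify_traceback(msg, keys):
    """Reject messages from unknown routers or whose tag does not check out."""
    key = keys.get(msg["router"])
    if key is None:
        return False
    body = f"{msg['router']}|{msg['prev']}|{msg['next']}".encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def forward_packets(n_packets, rng):
    """Push n packets along PATH; each router samples 1 in SAMPLE_RATE of them.

    The forged source address inside the packet never matters: the router
    reports the hop it actually received the packet from.
    """
    messages = []
    p = 1.0 / SAMPLE_RATE
    for _ in range(n_packets):
        for i, router in enumerate(PATH):
            if rng.random() < p:
                prev_hop = PATH[i - 1] if i > 0 else ATTACKER_PORT
                next_hop = PATH[i + 1] if i + 1 < len(PATH) else VICTIM
                messages.append(
                    make_traceback(router, prev_hop, next_hop, ROUTER_KEYS[router]))
    return messages


def forged_messages():
    """Constructed forgeries of the kind the post above worries about."""
    innocent = "198.51.100.7"  # uninvolved host the forger wants to implicate
    return [
        {"router": innocent, "prev": "nowhere", "next": VICTIM, "tag": "00" * 32},
        {"router": PATH[-1], "prev": innocent, "next": VICTIM, "tag": "ff" * 32},
    ]


def reconstruct_path(messages, keys, victim):
    """Walk back from the victim through authenticated messages.

    Returns (routers in forwarding order, ingress reported by the first router,
    number of messages rejected as forged).
    """
    valid = [m for m in messages if verify_traceback(m, keys)]
    by_next_hop = {m["next"]: m for m in valid}   # which router forwards to X
    hops, origin_hint, cur = [], None, victim
    while cur in by_next_hop:
        m = by_next_hop[cur]
        hops.append(m["router"])
        origin_hint = m["prev"]
        cur = m["router"]
    return list(reversed(hops)), origin_hint, len(messages) - len(valid)


def simulate(n_packets, seed, with_forgeries=True):
    """Run a flow of n_packets and return what the victim can reconstruct."""
    msgs = forward_packets(n_packets, random.Random(seed))
    if with_forgeries:
        msgs += forged_messages()
    return reconstruct_path(msgs, ROUTER_KEYS, VICTIM)


if __name__ == "__main__":
    # A 1,000,000-packet flood: every router is sampled about 50 times, both
    # forgeries are rejected, and the path plus the attacker's ingress emerge.
    print("flood:", simulate(1_000_000, seed=2000))
    # 500 packets of ordinary browsing: with high probability no router samples
    # anything, so the victim learns nothing it did not already know.
    print("browsing:", simulate(500, seed=7, with_forgeries=False))
```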
  • by Andrew Cady ( 115471 ) on Thursday July 27, 2000 @01:15AM (#901926)
    I'm sick and tired of good intentions being used to defend bad plans. People have gotten away with taking our guns (protected by the Third Amendment) and our freedom of speech to talk about drugs (protected by the First Amendment). We can't let them take our right to privacy too.

    The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.
    If you understood the technology here, you would realize that UNLESS YOU'RE USING IP SPOOFING, ITRACE WILL NOT AFFECT YOU. All that ITRACE does is make IP SPOOFING much more difficult. The majority of net users do not use IP spoofing. And the majority of net users who do use IP spoofing ARE using it to do illegal things.

    The ability to know the IP of the person sending you packets is NOT a privacy violation. There are already ways to send information anonymously; what possible use could IP spoofing have?

  • by Steve Richards ( 211082 ) on Thursday July 27, 2000 @01:19AM (#901929)
    First Echelon, then Carnivore, and now yet another attempt to track the actions of average citizens on the Internet.

    Wait, I thought they said "perpetrators of DDoS attacks".

    Sure, stopping DDoS attacks sounds good in theory, but so does stopping "child molesters" or "foreign spies."

    Uh.... Those sound good in practice, too, I think. Do you have any reasons to the contrary?

    Like we need more information about ourselves being handed out online.

    Like anyone even cares about what you do online. I'm constantly amazed by the number of Slashdot readers that have delusions of government agencies tracking their every move online, reading their every email, and so on. "They" just plain don't care about most of you. Get it? It may be comforting to have these delusions that you are somehow significant, but I'm pretty sure that nobody here is important enough for "them" to care about.

    And then there's the ever-present question of just who "they" are.

    I'm sick and tired of good intentions being used to defend bad plans.

    Well, that's wonderful, but I don't see any good plans coming from you. If you don't like the plan, come up with a better one.

    People have gotten away with taking our guns (protected by the Third Amendment)

    Second.

    We can't let them take our right to privacy too.

    Funny, I don't recall seeing an amendment guaranteeing you a "right to privacy."

    The majority of net users do not conduct DDoS attacks. Therefore, there is no need for an anti-DoS ICMP.

    The majority of citizens do not commit murders. Therefore there is no need for a police homicide unit.
  • For these people, any loss of anonymity (such as a "where did these packet originate" solution) means a serious risk to their lives, while their activity is not at all illegal - it's perfectly ordinary scientific research.

    To perform any meaningful communication, one has to know where a packet came from, otherwise one cannot reply. Any valid TCP/IP connection is one where both ends know the address of the other end. I cannot see why your students need to send out untraceable IP packets - there's no service that works that way. As for an anonymous high level protocol, like mail, your implemented solution isn't affected by it. Currently, the receiver of the anonymized mail already has to know the address of your remailer - otherwise you won't be able to build an SMTP connection. But that's where it stops - and that's where itrace would stop as well, as that's the end-to-end connection being made.

    -- Abigail

  • I would like to shed another point that could possibly make this itrace ICMP message quite useless, or destructive. Note, I am not an expert on the workings of the ICMP itrace packet. I just know enough of IP and the workings of routing / firewalls / ICMP to see there may be flaws in IETF's planning.

    1. Possibility for using itrace messages for malicious attacks

    Because the ICMP packet is just another IPv4 packet, there is just as likely a risk that the originator can use this packet type as a way to DOS a system, by flooding the system with itrace packets, like smurf (http://www.cert.org/advisories/CA-98.01.smurf.html), etc..

    By opening a new, valid form of ICMP, firewalls that are used to block all non-productive ICMP traffic will have to be changed to block iTrace packets, hence eliminating its use.

    2. The ways to stop itrace from working

    The itrace packet will be susceptible to the same ills of source spoofing that any other packet could be. If one wishes to stop an itrace packet from finding the source that sent to, the originator could send a slew of itrace packets from varying sources, making any response useless.

    3. The effects to routers and IP Stacks

    In order to implement itrace effectively, all IP Stacks and Router software in the world may have to be changed to allow the tracing of these new message types. Firewalls shouldn't have a problem letting them through as long as the ICMP 'type' field can be specified in a filter. If itrace is not implemented directly into the stack, some stacks may throw the packet out as being 'mal-formed', which is another form of network attack.

    4. Firewalls, NAT's, and the risks that itrace poses

    The point of a firewalled system is so that hosts behind the wall will become protected, or even anonymous to the world at large. There are two decisions that network engineers have when the itrace packet is implemented.

    They can let the packets enter the firewall, and run free. This can lead to DOS and smurf like attacks inside the network, and could cause a good deal of havoc. Also, letting itrace packets in and out of a firewall could seriously jeopardize the security of the private network, by using the itrace responses to reconstruct the layout of the internal network.

    The other choice was to block any itrace packets from entering a firewalled system. This is what admins will likely do for security reasons. When an itrace request to find a host enters the firewall, the best that would happen is that the firewall would bounce a negative response saying that the firewall wouldn't let the ICMP message in. The worst is that the itrace message just gets discarded, in which case the source of the itrace message has no idea why the trace failed.

    5. Changes to IP Stacks and server/router loads

    The problems presented had to do with a system that has been accepted and implemented. This problem has to do with the feasibility of such a system.

    Just imagine a root router. It is pumping out hundreds of thousands of packets a minute. All of a sudden, a spoofed packet enters the router, and then leaves to its next hop, which is a host that the packet is DOS'ing. The router has to know which 'home' the spoofed packet came from. That means that the router will have to keep track of every packet that comes and goes from the machine, in order to properly route the itrace packet to its next hop.

    Conclusion

    So, now I hope you all can see the ills that the itrace packet type will lead to in the scheme of things. My best suggestion would be to wait until IPv6, when all routers, firewalls, and IP Stacks will be rewritten. At that time, architects could find reasonable ways around such a problem.
  • by Ice Tiger ( 10883 ) on Thursday July 27, 2000 @02:40AM (#901938)
    This would stop address spoofing right now; all ISPs should implement this. So what are the chances of getting ISPs to roll out itrace if they don't even bother to try and fix the problem in the first place?

    I know I won't be popular here on /. but maybe a few lawsuits against ISPs not implementing egress filtering might change the current situation. Maybe implicating them due to negligence or some such.
  • by Imperator ( 17614 ) <slashdot2.omershenker@net> on Thursday July 27, 2000 @02:43AM (#901940)
    Your post is such nonsense that I hardly know where to begin.

    So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the script-kiddies.
    <sarcasm>So what is to be done? Maybe it's time to restrict who has access to the roads. Since companies like Ford made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in stoplight-running, wrecks and general abusive behaviour. If people were not allowed to access the roads unless they fit certain criteria we could reclaim it from the infidels.</sarcasm>

    You're confusing causation and correlation. It's also happened since (a) script kiddie tools became widely available, (b) users with significant home bandwidth have become common, (c) non-web media have given attention to, and to an extent glorified, 31337 behavior, and (d) 17" monitors became popular. You further make the insidious claim that average AOL users are script kiddies; this is a cheap, elitist attack that doesn't in the least help your argument: AOL users aren't anonymous.

    What criteria would be appropriate is the next question. Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offenisve material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsiblity for their own actions, which can only be a good thing.
    <sarcasm>Right! What we also need to do is restrict libraries to adults 18 years of age or older. We don't want our kids to read about bomb-making until they reach the age of 18 and are magically wise. There's so much offensive material in the library, after all.</sarcasm>

    Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.
    <sarcasm>Another great idea! Let's create some powerful organization to kick impolite people (by their judgment) off the net. Also this organization, which everyone would gladly accept, would be empowered to remove inferior users. All the nations of the world would unite behind a plan to make the Internet available only to the master race.</sarcasm>

    Seriously, why are you so intent on kicking off users? It's childish and vindictive behavior. It's neither practical, nor IMHO desirable in a free society.

    --

  • This itrace crap will be used for legitimate traceroute type stuff and I imagine for network mapping also. Anyone have any ideas on how this can be used in a sysadmin's network toolkit (besides finding DoS attacks)?
  • Isn't that what driving licenses are for? I'm suggesting a similar thing for the net. You wouldn't let your 5 year old son drive a car, why let him online? Both are dangerous in their own ways.
    Perhaps a better analogy would be a library or a sidewalk. I wouldn't let a 5 year old son read any book or cross the street alone, but it's not all or nothing.

    What have AOLers ever added to the net? Even if they're not all hackers and script-kiddies, they're certainly a drain on bandwidth. Remember how the net was ten years ago?
    Yeah, I remember. It was small, and hard to find information unless it related to Unix or particle physics. AOL users have added a tremendous amount of content. While it's possible that the content contributed by the average AOL user is not as high as the average non-AOL user, the net ten years ago isn't something I'd prefer to return to.

    If you were in a restaurant and someone starting kicking tables over, they'd get thrown out. Same principle. Besides, prevention is always better than a cure, and it is prevention that I'm in favour of.
    Script kiddies do get kicked off. However, the Internet is not a restaurant. A restaurant has a single owner or manager on location at all times. The net is more like a public square. If someone's committing a crime, they'll be removed, but if someone isn't contributing anything to the public discussion, no one advocates that they be forced out. (Nor must you be 18 to be seated at a restaurant, or participate in the public square.)

    --
  • Correct me if I'm wrong, but from the article, we're looking at a best case of two years before we see this. They say that they're only presenting in January 2001, and :

    In the best-case scenario, the itrace rollout will take 18 months.

    In that time, shouldn't we be approaching IPV6 time anyway, and doesn't IPV6 already have mechanisms in place to prevent spoofing of address headers, making the trace a lot easier using traceroute? Maybe I'm being thick, but this looks redundant before it even gets going.


    /* Wayne Pascoe

  • I can tell that loads of people are going to start spouting stuff about privacy, but:

    1. Usually if you are getting stuff that you might not want the government to look at, you are still using tcp, so they know who you are anyway.
    2. It can only trace across routers that support it (as far as I can tell from the article).
    3. It can only really trace a nice big volume. The odd spoofed packet will probably go unnoticed.

    I can really say that I am an expert on these things, so is there a privacy issue here??

    --
    Jimadilo
  • Without IP spoofing, attacks like smurf become impossible. The only way you can DoS a site when your IP can't be spoofed is via a direct flood of traffic. Sure, you can coordinate the attack between several compromised systems, but without amplifiers such as with smurf, it's considerably less effective, and you announce the IP of every one of your intermediaries in the process, which means it'll probably be unusable as soon as the complaint gets back to the owners.
  • Instead of contacting the provider of the compromised system and having them shut down the offender, have them TRACK HIM DOWN. With simple network tools they can figure out where the intruder is connecting from and FIND the dickhead instead of just killing the connection, patching up the system and forgetting him.
  • You would be surprised how much information is logged by ISP's.

    The one ISP I have intimate knowledge about logged everything from date/time, connection speed, disconnection reason to the NUMBER YOU WERE CALLING FROM.

    All of this information is kept strictly confidential, but is IMMENSELY useful when serious abuse incidents arise. If some Joe Hax0r is using the ISP as a throw-away dialup with some fake credit card number, and the Feds came knocking on the ISP's door, they wouldn't walk away empty handed: with the calling ID, they know exactly who the offender is.

    I suspect most ISP's have logging of this nature.

    I mean hell, for metered access, you've GOT to keep track of dialup usage. Additional information like that is trivial to add to a database, and the benefits are significant.
  • ISPs can solve the spoofing problem RIGHT NOW

    I agree, but does that solve anything where DoS is concerned? I don't think it will. Of course there will be enough weenies who suddenly get very nervous about the idea that their real IP addresses can be traced. But so what? There are a dozen free ISPs out there which you can use. If one account gets traced, use another! And then there is the tracing. I don't believe that a server which has been hacked to install a DoS exploit will be capable of reproducing logs which lead to the attacker. Incapable if the rootkit used by the kiddie fixed that, of course. Personally I strongly doubt if those kiddies are capable of manually removing these traces in the logfiles.

  • by XNormal ( 8617 ) on Thursday July 27, 2000 @04:00AM (#901964)
    As far as I can see, it's generally a good thing(tm), though they'd better get the authentication right, else it will become useless.


    Some kind of authentication can be achieved using packets that are transmitted with a TTL of 255. If you get a packet with a TTL of 254 there is no way it could have been sent from a host further than one hop. Lots of routers need to be upgraded for itrace, but ALL routers decrease the Time-To-Live field. I wonder how this could be effectively extended to longer distances.


    ----
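The TTL argument in the post above, worked through as an added example (not the poster's code and not from the IETF draft): TTL can only be decremented, so a received TTL gives an upper bound on the sender's distance, which is what lets a receiver reject a forged traceback message from beyond the router it claims to come from. The message format, the assumption that traceback messages start at TTL 255, and the "measured hop count" are constructed for this example.

```python
"""Hop-distance check on an itrace-style message using only the TTL.

Constructed assumptions: traceback messages leave the router with TTL 255,
every router on the path decrements TTL by one, and the receiver already
knows (e.g. from its own traceroute) how far away the named router is.
"""

MAX_TTL = 255


def max_hops_from_ttl(received_ttl: int) -> int:
    """Upper bound on the sender's distance.

    TTL only ever goes down, so a message arriving with TTL t crossed at most
    255 - t routers.  The sender may be closer (it could have chosen a smaller
    initial TTL), but never farther.  The one-hop case is t == 254.
    """
    if not 0 <= received_ttl <= MAX_TTL:
        raise ValueError("TTL out of range")
    return MAX_TTL - received_ttl


def consistent_with_claimed_distance(received_ttl: int, claimed_hops: int) -> bool:
    """Accept only if the TTL proves the sender is no farther than the claimed router.

    Requiring 255 - t == claimed_hops defeats a spoofer sitting *beyond* the
    claimed router: each extra hop costs one TTL unit it cannot put back.
    A spoofer *closer* than the claimed router can still pass by starting
    with a lower TTL, so the check bounds the sender from one side only.
    """
    return max_hops_from_ttl(received_ttl) == claimed_hops


def forward_through(initial_ttl: int, hops: int) -> int:
    """Simulate routers decrementing TTL; a packet reaching 0 is dropped en route."""
    ttl = initial_ttl - hops
    if ttl < 1:
        raise ValueError("packet expired in transit")
    return ttl


# Constructed scenario: the defender measured router R at 6 hops away.
R_HOPS = 6
honest_ttl = forward_through(MAX_TTL, R_HOPS)              # arrives with TTL 249
far_spoof_ttl = forward_through(MAX_TTL, R_HOPS + 4)       # attacker 10 hops out: 245
near_spoof_ttl = forward_through(MAX_TTL - 3, R_HOPS - 3)  # attacker 3 hops out: 249

if __name__ == "__main__":
    for name, ttl in [("honest", honest_ttl), ("far spoof", far_spoof_ttl),
                      ("near spoof", near_spoof_ttl)]:
        print(name, "accepted" if consistent_with_claimed_distance(ttl, R_HOPS) else "rejected")
```

The "near spoof" case is accepted, which is exactly the limitation the post wonders about: TTL alone proves a sender is no farther than a given hop count, never that it is no closer.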
  • What's the difference between this and a digital telephone exchange that knows where you're calling from. When people got bogus or malicious calls, companies created a system whereby those calls could be traced within seconds. That's a good thing. Your right to privacy over the telephone is gone already, and nobody's crying about that. What's the difference between that and this particular point-to-point connection system? Surely it's the privacy of the content that matters, and not your ability to send stuff to people without their knowing who it is that sent it?

    Ok - so you want to browse anonymously.. Well firstly, why? I don't see the point. Secondly, nothing's stopping you - do the same as you would if you wanted to make an anonymous telephone call - use a phone box, or a public internet access point.

    I'm stirring a little, but I get tired of people pouring their bleeding hearts over rights in the internet arena that they lost in other arenas years ago. They're not complaining about the postmark on their snail mail, or the telco's ability to see their phone numbers, or the CCTV in every store they "browse" in, or the bank recording every time they use their credit or debit cards, along with the name of the shop, time, place and everything else. You don't want to be on the store's CCTV tapes, don't go in.

  • Another attack on anonymity from the very people responsible for the architecture of the net. Is this what the net is coming to? Unfortunately, I think it is - just look at the recent attack on kuro5hin for an example of the childish, vindictive behaviour some people seem to delight in.

    Anonymity is a desirable feature online, but it is one that is ripe for abuse. Whilst it allows people to use the net without fear of some "Big Brother" organisation storing their every click it also allows 15 year-old kids to DDoS websites with impunity. Getting rid of anonymity is one solution, but it's one that will do more harm than good.

    So what is to be done? Maybe it's time to restrict who has access to the net. Since services like AOL and CompuServe made it easy for Joe Sixpack and his family to get online we've seen an exponential growth in website defacings, DDoS's and general abusive behaviour. If people were not allowed to access the net unless they fit certain criteria we could reclaim it from the script-kiddies.

    What criteria would be appropriate is the next question. Well firstly we need some kind of age limit - 16 or 18 would seem appropriate since there is a lot of offensive material out there that we don't want our kids seeing. It would also restrict the net to people mature enough to take responsibility for their own actions, which can only be a good thing.

    Secondly there should be some kind of examination process to weed out those people who aren't desirable. This should allow us to ensure that people know to be polite and would also allow us to teach people things like "don't open every attachment you receive in the mail" which would make everybody's life better.

    This isn't a perfect solution, but I doubt there is one. Still, we need to do something and this could be it.

    ---
    Jon E. Erikson
