From hgilkey@qualcomm.com Wed Jan 7 15:43:15 1998 Return-Path: Received: from strange.qualcomm.com by diogenes (SMI-8.6/SMI-SVR4) id PAA22309; Wed, 7 Jan 1998 15:43:11 -0500 Received: from hgilkey (hgilkey.qualcomm.com [129.46.238.237]) by strange.qualcomm.com (8.8.5/1.4/8.7.2/1.14) with SMTP id MAA02513 for ; Wed, 7 Jan 1998 12:42:59 -0800 (PST) Message-Id: <3.0.3.32.19980107124130.009a0820@mail1.qualcomm.com> X-Sender: hgilkey@mail1.qualcomm.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 07 Jan 1998 12:41:30 -0800 To: westall@cs.clemson.edu From: Harold Gilkey Subject: Yahoo! - Internet hit by "denial of service" attacks Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mozilla-Status: 0001 Content-Length: 9549 Where's MARS when you need it! (-: Also, did you ever get my e-mail with the ISBN number? Our mail servers have been acting kind of hokie lately - Speaking of Hokies (my undergrad), I guess your Tarheels taught them how to play football over the holidays? (-: Oh well ... See ya! (-: - harold >Wednesday January 7 12:34 PM EST > >Internet hit by "denial of service" attacks > >By James Glave > >SAN FRANCISCO (Wired) - Internet service providers and Internet Relay Chat >administrators are grappling with increased incidents of a crippling new >"denial of service" attack that is grinding large Internet service= providers >to a halt. > >"It's probably the worst attack the Internet has seen to date," said Sven >Nielsen, founder of DALnet, the third largest IRC network in the world. > >The technique, known as "smurfing," cannot be stopped with a quick software >fix, and some network administrators charge that the major Internet= backbone >providers -- the only people who can halt and trace smurfs -- aren't taking >the problem seriously enough. > >On Monday, the Computer Emergency Response Team issued an advisory on >smurfs, which first surfaced last fall when a program of the same name that >creates them began circulating the Net. > >This newest denial of service attack is much more difficult to head off= than >the "SYN flood" attacks that made headlines last year. In those incidents,= a >server is overwhelmed with half-completed requests for data. > >"As compared to a SYN flood, a smurf is devastating," said Nielsen. "A SYN >flood simply turns off one or two services on a host. A smurf kills an >entire ISP for hours, depending on how long the smurf runs." > >--- > >How does it work? > >A smurf begins when a single malicious user sends a stream of Internet >Control Message Protocol, or ping, packets -- used to determine if a= machine >is alive -- to a target network's central "directed broadcast" address, >which is rarely used, but easily obtained. > >This address pings all the machines -- often 255 boxes or more -- on the >target network. > >Each of the hundreds of hosts on that target network will dutifully respond >with a "yes, I'm here" answer packet back to what they understand to be the >ping's origin address. But the cracker has forged the source address of the >originating ping packets. > >"The (faked originating address) is the poor hapless victim of the smurf," >explained Nielsen. Instantly, the target network is hopelessly clogged, as >Nielsen outlined with a typical smurf scenario. > >"Assume that someone on a 28.8K modem can safely send out 337 64-byte ping >packets ... per second," said Nielsen. "When sent to a fully loaded >broadcast network ... this becomes 85,261 packets, or 5.45MB of data per >second." > >"That's easily enough to kill off a T1 (very high-speed Internet line)," >said Nielsen. "If the person originates the smurf from a faster link, and >uses multiple relay networks, they can easily kill off a full 45 megabit= (or >T3, an even faster T1) line. This is why it's so incredibly bad." > >Further, there is nothing a victim can do to regain connectivity other than >ask upstream network providers, usually national service providers such as >UUNET, Sprint, and MCI, to help out by filtering the data. But so far, >according to Nielsen's own experiences -- and those of others on clomputer >bulletin boards that deal with such topics -- "Very few of the backbone >providers seem to be concerned." > >--- > >MCI recently incorporated smurf protection features into its free= DoSTracker >server protection software. DoSTracker performs some custom configuration= of >Cisco routers in real time and helps in tracking down the genuine source of >the malicious packets. > >But the DoSTracker software is only useful if one has access to all the >routers between the target network and the smurf. > >MCI can't use DoSTracker to trace into competitor Sprint's or UUNET's >network because they don't have access to Sprint or UUNET routers, and >attacks can -- and do -- bounce between them. > >Requesting a filter is often a frustrating process, due to lack of= awareness >of the issue and a lack of cooperation between fiercely competitive= national >service providers. > >"As it stands, it takes anywhere from a few minutes to an hour to get= enough >people coordinated so you can actually figure out the source of these >things," said Karl Denninger, president of the Chicago-based Internet >service MCSNet and victim of numerous smurfs. > >Some administrators charge that Sprint has a flat "no filters" policy,= while >others suggested that the company is reluctant to filter forged data= packets >because of the drain such a move would place on their equipment. > >"Sprint's backbone filter-policy manager told me that (smurfing) is not a >significant problem, that they do not receive many calls for help on it,= and >that their policy is to not place (filters on the unwanted data," Ken >Leland, owner of Monmouth Internet, said in an email. > >Sprint could not be reached for comment. > >"Meanwhile I have heard from many, many ISPs (Internet service providers) >that it is a problem, including two local ISP's in my area that have been >plagued with it," Leyland said. > >Smurfs are the most difficult denial of service attack to trace, said Dale >Drew, MCI's senior manager of security engineering. > >"When the smurf attacks first started, what the bad guy would do was find >just one innocent third party, send a broadcast ping to him, and have that >innocent third party send all of its packets to the victim," said Drew. > >--- > >"What the bad guys are doing now is finding 60 to 70 third parties and >sending packets to those people. So the victim gets hit by 60 times 255 >packets of an attack. When the good guy goes in to trace the attack, he= sees >50 to 60 sources of attack," Drew said. > >Legitimate network users only hopelessly muddle this tedious detective= work, >Drew said. > >"During an attack like this, all the people who are trying to use the >service can't access it, so the first thing they do is ping the host to= make >sure it is alive. So investigators get bad and good ping packets and it's >very hard to tell the difference." > >Drew said that MCI prevents broadcast ping packets from coming through >particular components of the company's network. > >"That adds a speed bump," Drew said. "But the attacker can forge packets >going through gateways ... they can come from other sources where we are >unable to filter them." > >Various preventative measures can be taken to eliminate smurfs at their >source, but stopping them in action is another matter. Not enough people= are >taking precautions, said MCSNet's Denninger. For example, a single >configuration setting will stop Cisco routers from accepting forged= packets, >he said. > >"The real issue is that we are, as an industry, allowing people to forge= the >source addresses of packets that they inject into the Internet," said >Denninger. "If providers would stop that practice, this problem would go >away, because you'd be traceable instantly." > >Denninger suggested that such filters should be standard on all dial-up >modem and ISDN ports. > >Meanwhile, Nielsen said that the challenges of smurf tracking are as much >political and social as they are technical. Though MCI's Drew said that his >company is dealing with at least three or four smurf incidents a day, >DALnet's Nielsen said he has a hard time getting some national service >providers to grasp the issue. > >"Finding people with a clue and the access to track it down on the phone is >somewhat difficult," lamented Nielsen. "The other problem is that there is >very little inter-provider cooperation between the big ISPs." > >"We have to hope that the person with access and ability to trace the >packets doesn't blow us off because we're not an MCI customer," Nielsen >added. > >For his part, Denninger has lost enough business due to smurfing that he >would like to see serious legal repercussions for the perpetrators. > >The problem is serious enough that the FBI's computer crimes division is >investigating smurfing incidents, he said. > >Denninger was quick to blast the national service providers for what he= sees >to be their complacency. > >"The national providers that refuse to take the appropriate steps to= prevent >themselves from being used as a bounce point for this traffic are >contributorally negligent to the problem," he said. "There ought to be some >indictments issued on this." > >(Reuters/Wired) > >---------------------------------------------------------------------------= - > Help > >---------------------------------------------------------------------------= - >Previous Story: New studio produces films for ``two-inch'' Web screen >Next Story: Apple, thinking different, unveils a profit >---------------------------------------------------------------------------= - > [ Index | News | World | Biz | Tech | Politic | Sport | Scoreboard | > Entertain | Health ] >---------------------------------------------------------------------------= - >Copyright =A9 1997 Reuters Limited. All rights reserved. Republication or >redistribution of Reuters content is expressly prohibited without the prior >written consent of Reuters. Reuters shall not be liable for any errors or >delays in the content, or for any actions taken in reliance thereon > Questions or Comments > From mark@cs.clemson.edu Wed Jan 7 16:47:06 1998 Return-Path: Received: from wayne.cs.clemson.edu by diogenes (SMI-8.6/SMI-SVR4) id QAA23274; Wed, 7 Jan 1998 16:47:06 -0500 Received: by wayne.cs.clemson.edu (SMI-8.6/SMI-SVR4) id QAA17128; Wed, 7 Jan 1998 16:47:03 -0500 From: mark@cs.clemson.edu (Mark Smotherman) Message-Id: <199801072147.QAA17128@wayne.cs.clemson.edu> Subject: "smurf" attack To: westall@cs.clemson.edu (Mike Westall), wayne@cs.clemson.edu (Wayne Madison), douglass@cs.clemson.edu (John T. Douglass) Date: Wed, 7 Jan 1998 16:47:02 -0500 (EST) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mozilla-Status: 0001 Content-Length: 8131 Smurfing Cripples ISPs by James Glave Internet service providers and Internet Relay Chat administrators are grappling with increased incidents of a crippling new "denial of service" attack that is grinding large ISPs to a halt. "It's probably the worst attack the Internet has seen to date," said Sven Nielsen, founder of DALnet, the third largest IRC network in the world. The technique, known as smurfing, cannot be stopped with a software patch, and some network admins charge that the major Internet backbone providers - the only people who can halt and trace smurfs - aren't taking the problem seriously enough. On Monday, the Computer Emergency Response Team issued an advisory on smurfs, which first surfaced last fall when a program of the same name that creates them began circulating the Net. This newest denial of service attack is much more difficult to head off than the "SYN flood" attacks that made headlines last year. In those incidents, a server is overwhelmed with half-completed requests for data. "As compared to a SYN flood, a smurf is devastating," said Nielsen. "A SYN flood simply turns off one or two services on a host. A smurf kills an entire ISP for hours, depending on how long the smurf runs." How it works A smurf begins when a single malicious user sends a stream of Internet Control Message Protocol, or ping, packets - used to determine if a machine is alive - to a target network's central "directed broadcast" address, which is rarely used, but easily obtained. This address pings all the machines - often 255 boxes or more - on the target network. Each of the hundreds of hosts on that target network will dutifully respond with a "yes, I'm here" answer packet back to what they understand to be the ping's origin address. But the cracker has forged the source address of the originating ping packets. "The [faked originating address] is the poor hapless victim of the smurf," explained Nielsen. Instantly, the target network is hopelessly clogged, as Nielsen outlined with a typical smurf scenario. "Assume that someone on a 28.8K modem can safely send out 337 64-byte ping packets ... per second," said Nielsen. "When sent to a fully loaded broadcast network ... this becomes 85,261 packets, or 5.45MB of data per second." "That's easily enough to kill off a T1," said Nielsen. "If the person originates the smurf from a faster link, and uses multiple relay networks, they can easily kill off a full 45Mbit [T3]. This is why it's so incredibly bad." Further, there is nothing a victim can do to regain connectivity other than ask upstream network providers, usually national service providers such as UUNET, Sprint, and MCI, to filter the ICMP packets. But so far, according to Nielsen's own experiences - and those of others on ISP mailing lists - "Very few of the backbone providers seem to be concerned." Sourcing a smurf MCI recently incorporated smurf protection features into its free DoSTracker server protection software. DoSTracker performs some custom configuration of Cisco routers in real time and helps in tracking down the genuine source of the malicious packets. But the DoSTracker software is only useful if one has access to all the routers between the target network and the smurf. MCI can't use DoSTracker to trace into competitor Sprint's or UUNET's network because they don't have access to Sprint or UUNET routers, and attacks can - and do - bounce between them. Requesting a filter is often a frustrating process, due to lack of awareness of the issue and a lack of cooperation between fiercely competitive national service providers. "As it stands, it takes anywhere from a few minutes to an hour to get enough people coordinated so you can actually figure out the source of these things," said Karl Denninger, president of the Chicago-based ISP MCSNet and victim of numerous smurfs. Some administrators charge that Sprint has a flat "no filters" policy, while others suggested that the company is reluctant to filter forged ICMP packets because of the drain such a move would place on their equipment. "Sprint's backbone filter-policy manager told me that [smurfing] is not a significant problem, that they do not receive many calls for help on it, and that their policy is to not place [ICMP packet filters]," Ken Leland, owner of Monmouth Internet, said in an email. Sprint could not be reached for comment. "Meanwhile I have heard from many, many ISPs that it is a problem, including two local ISP's in my area that have been plagued with it," Leyland said. Smurfs are the most difficult denial of service attack to trace, said Dale Drew, MCI's senior manager of security engineering. "When the smurf attacks first started, what the bad guy would do was find just one innocent third party, send a broadcast ping to him, and have that innocent third party send all of its packets to the victim," said Drew. "What the bad guys are doing now is finding 60 to 70 third parties and sending packets to those people. So the victim gets hit by 60 times 255 packets of an attack. When the good guy goes in to trace the attack, he sees 50 to 60 sources of attack," Drew said. Legitimate network users only hopelessly muddle this tedious detective work, Drew said. "During an attack like this, all the people who are trying to use the service can't access it, so the first thing they do is ping the host to make sure it is alive. So [investigators] get bad and good ping packets and it's very hard to tell the difference." Drew said that MCI prevents broadcast ping packets from coming through particular components of the company's network. "That adds a speed bump," Drew said. "But the attacker can forge packets going through gateways ... they can come from other sources where we are unable to filter them." Competition hampers detection Various preventative measures can be taken to eliminate smurfs at their source, but stopping them in action is another matter. Not enough people are taking precautions, said MCSNet's Denninger. For example, a single configuration setting will stop Cisco routers from accepting forged packets, he said. "The real issue is that we are, as an industry, allowing people to forge the source addresses of packets that they inject into the Internet," said Denninger. "If providers would stop that practice, this problem would go away, because you'd be traceable instantly." Denninger suggested that such filters should be standard on all dial-up modem and ISDN ports. Meanwhile, Nielsen said that the challenges of smurf tracking are as much political and social as they are technical. Though MCI's Drew said that his company is dealing with at least three or four smurf incidents a day, DALnet's Nielsen said he has a hard time getting some national service providers to grasp the issue. "Finding people with a clue and the access to track it down on the phone is somewhat difficult," lamented Nielsen. "The other problem is that there is very little inter-provider cooperation between the big ISPs. When we find out that it comes from an MCI router, UUNET isn't going to call MCI - we have to call MCI. And since we're not an MCI customer, we have to explain what's going on, and hopefully the person on the phone doesn't blow us off because they think smurfing has something to do with a fixation on little blue creatures," he said. "Then we have to hope that the person with access and ability to trace the packets doesn't blow us off because we're not an MCI customer," Nielsen said. For his part, Denninger has lost enough business due to smurfing that he would like to see serious legal repercussions for the perpetrators. The problem is serious enough that the FBI's computer crimes division is investigating smurfing incidents, he said. Denninger was quick to blast the national service providers for what he sees to be their complacency. "The national providers that refuse to take the appropriate steps to prevent themselves from being used as a bounce point for this traffic are contributorally negligent to the problem," he said. "There ought to be some indictments issued on this."