TBTF for 1997-08-04: A morbid taste for fiber
Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 03 Aug 1997 12:46:21 -0400
- Ping Flood attacks
-- A program called Smurf uses laser-like
amplification to tie up target systems; it may be responsible
for outages at a major Internet switching center
- A meeting on domain names
-- All sides met and talked in Washington,
making progress but arriving at no final resolution
- Four horsemen not riding yet
-- A study intended to uncover deleterious
effects of encryption on criminal investigations finds
none, so far
Ping Flood attacks
Yet another kind of denial-of-service attack, the Ping Flood, has
been on the upswing in recent days. It uses the Internet Control
Message Protocol to fool an innocent network into amplifying an
attack's firepower. Here's how the laser-like amplification works,
as described on a network operations mailing list:
evil.com -> generates packet with forged address as
(victim.com(icmp_echo)) -> destination for spoofed
packet (44 broadcast addresses).
From here... all 44 network's broadcast address pass
the icmp with the forged address on to all machines
using that network. Each machine then replies as:
abused.net.com (echo_reply) -> victim.com
abused2.net.com (echo_reply) -> victim.com
abused3.othernet.com (echo_reply) -> victim.com
abused4.othernet.com (echo_reply) -> victim.com
Ping Flooding is not to be confused with the Ping of Death 
with SYN Flooding 
. (Paying attention? There will be a test.)
Like most of its fellows the technique is not new: one poster to
an ISP mailing list described a lively trade in Ping Flood
programs at UC Berkeley in the late 80s. The recent uptick in the
attacks seems to be due to such a program circulating anew. A
network operator in Texas recently posted part of a program called
, which is "now being passed around like candy." He requested
help from the operators in charge of any of 44 IP addresses listed
in the code. These were supposedly the broadcast addresses of
machines whose networks might be used to amplify Ping Flood attacks
(though when I checked I found only 2 of the 44 to be
valid addresses). Of course, recipients of this source code could
substitute other valid network addresses, but most of them
probably wouldn't bother.
One of the IPs hard-coded into Smurf is, somewhat alarmingly, the
broadcast address of MAE-East, the switching center outside of
Washington, DC, through which passes some 15% of all Internet traffic.
See  for a graph showing a typical day's traffic at one of the
MAE-East switches before the Ping Flood attacks began (these data
are from 7/12). Now compare [4a], a composite graph of a
recent 5-day stretch. Here's an operator speculating on what all those
suspicious drops to zero might mean.
1. Send a Cisco enough (a thousand a second) ICMP ECHO
REQUESTS, and it takes CPU to 99% and drops all BGP
sessions. Tested on a C7010.
2. Various routers on MAE-East have been mysteriously
clearing all their BGP peers over the past week or
3. The attack mentioned causes a lot of ICMP ECHO REQUESTS
to be sent to Cisco routers on MAE-East.
Are these facts by any chance related?
To defuse the technique a network operator can set a router to
block ICMP messages from particular IP addresses, or to block all
ICMP packets. Of course, doing so breaks any programs that rely on
ICMP. Another fix is not to broadcast incoming Pings, but simply
to echo or absorb them, effectively denying an attacker any
A meeting on domain names
Last week all sides in the domain naming fracas met and talked in
Washington, DC, at the two-day Forum on Internet Domain Names,
convened by the CDT, ITAA, and ISA. Attendees included:
- (US government) Commerce, FTC, PTO
- (international) WIPO, ITU
- (IAHC/POC) Internet Society, Internet Mail Society
- (domain naming) Network Solutions, Inc.
- (others) AOL, Netscape, IBM, AT&T, Digital, Bell Atlantic
Internet Week reports  a conciliatory tone from both NSI and the
Policy Oversight Committee, the group charged with carrying out the
IAHC/gTLD-MoU process. ZDnet  reaches no particular conclusions.
Wired  reports that a broad concensus emerged around the IAHC plan
with continued participation by NSI. One of the participants disputes
this interpretation. Dave Crocker <dcrocker at branenberg dot com>, a member
of the original IAHC, said:
I saw much discussion but there was no basis for asserting any
particular consensus or lack of it. The event was distinctive
by having brought the major players to the same table, for an
open airing of views. The opening statements were taken by
many to suggest a convergence of positions, primarily due to
NSI's indicating a willingness to share .com (when it feels
that the new system is reliable enough.) In fact, NSI has
made similar statements over a number of months. What contin-
ues to be lacking is any real action by NSI to participate
directly, though there is some indication that is about to
for a summary of TBTF coverage of the developments in domain
Four horsemen not riding yet
An alliance against free software (?) stumbles
On 7/17 Phil Agre's Red Rock Eater News Service carried a note from
Bruce Perens <bruce at pixar dot com>, chairman of Software in the Public
, a nonprofit group that supports the Debian GNU/Linux
free OS environment. The note called attention to the industry
consortium I2O SIG 
, whose members, including Microsoft and Intel,
are developing a next-generation intelligent I/O bus. "It looks as
if the I2O SIG agreements are deliberately written to exclude free
software," said Perens. Indeed, the consortium's ground rules
forbid the use of the I2O spec to any non-member -- a $5,000 barrier --
and existing members can veto proposed new applicants. Wired picked
up the story 
on 7/21 and published a URL from which hundreds
of people around the world downloaded the secret I2O specs in PDF
format. I2O quietly removed the offending material, but after this
breach the consortium will have a difficult time enforcing any
Separated at birth
Jeffrey Harrow's <harrow at mail dot dec dot com> Rapidly Changing Face of
covers territory familiar to readers of TBTF -- new Web
services, industry trends, technology news that catches the editors's
eye -- and often in greater depth. For example, last week I wrote 100
words about Alexa 
and Harrow wrote 1000. RCFoC aims to provide
"pragmatic, unbiased insight, analysis, and commentary on contemporary
computing innovations and trends"; the viewpoint isn't Digital-centric
although the corporation underwrites its production and hosts its site.
(This has drawbacks: for example RCFoC's Search button takes you to
Digital's main search page with no option to restrict the search only
to RCFoC.) The newsletter is published every Monday by email and Web
(sound familiar?). And you can listen to issues via "RCFoC Radio"
using VOXWare streaming audio. I can't vouch for the VOXware, having
long ago succumbed to NAPI syndrome -- not another plug-in. Joe Bob
says check it out 
What's French for "buggy?"
The Be site features a tour of the high points of the fledgling
operating system 
. Be's president M. Gassé being of the French
persuasion, it is perhaps unsurprising to find a dramatic dialog
in French captured in a screen shot's amber 
. It appears to be
a conversation between a beta tester and a development engineer; if
it's not genuine it's compellingly crafted. Here is the best
colloquial translation I can manage, with the help of informant Tim
Gilbert <gilbert at marin dot cc dot ca dot us> and several co-workers far more
conversant than I with la belle langue
Note added 1997-08-04:
Thanks also to Mark H. Kraml <kraml at ibm dot net>, Robert Harley
<Robert.Harley at inria dot fr>, and Pascal Menoud <pmenoud at smtpgw dot powersoft dot com>
for their assistance toward a less bugee translation.
The splash screen: on the BeBox the background is red,
here it's blue -- is that normal?
[Eng] Yes... the BeOS 32-bit-to-8-bit color conversion is buggy
on the PowerMac.
[BT] What will the graph button do during connection?
[Eng] Nothing -- it only indicates stuff during a transfer.
[BT] It always crashes when connecting to Polytechnique [frowney]
on StartFTP and it's a ReadFault error.
[BT] I presume you'll come do a stint at Polytechnique... [smiley]
[Eng] That's the only way to find the problem.
[BT] So that's a start, I'll test the crashing problem again...
The dreaded backhoe
The recent and continuing rash of backhoe attacks on backbone fiber
stimulated ongoing commentary on network mailing lists about
this modern incarnation of an ancient rivalry. (Think Swords vs.
Sorcery.) A page titled The Backhoe, natural enemy of the Network
a skewed look at the conflict,
with pictures of the extremes of the ungainly yellow species 
and research on the
possibility of developing "stealth"
technology for fiber cables that renders them invisible to the predators
A side note: our British cousins know the backhoe as a "JCB." This
opaque usage was explicated on a network administrators' mailing
[JCB is] literally "Joseph Charles Bamford," whose company
, nestled in the Staffordshire countryside near a place
called Rocester ("Rowster" for those unfamiliar with the
vaguaries of English pronunciation), produces swarms of
bright yellow "diggers" for use the world over.
The JCB company calls them backhoes
Note added 1997-08-04:
John Pike <johnpike at fas dot org> writes:
"The term of art for this problem is backhoe fade ... the derivation is
that Ka and Ku band communications satellites suffer loss of signal
strength in the presence of rain, which is known as 'rain fade' and
the satellite folks liked to tease the fiber folks that they had a similar
problem with 'backhoe fade.'"
TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to firstname.lastname@example.org. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.
include ("../inc/foot-ar") ?>