
TBTF for 1997-08-04: A morbid taste for fiber

Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 03 Aug 1997 12:46:21 -0400


  • Ping Flood attacks -- A program called Smurf uses laser-like amplification to tie up target systems; it may be responsible for outages at a major Internet switching center

  • A meeting on domain names -- All sides met and talked in Washington, making progress but arriving at no final resolution

  • Four horsemen not riding yet -- A study intended to uncover deleterious effects of encryption on criminal investigations finds none, so far

Ping Flood attacks

Yet another kind of denial-of-service attack, the Ping Flood, has been on the upswing in recent days. It uses the Internet Control Message Protocol to fool an innocent network into amplifying an attack's firepower: the attacker forges the victim's address as the source of ICMP echo requests and sends them to a third party's network broadcast address, so every host on that network that answers sends its echo reply to the victim. Here's how the laser-like amplification works, as described on a network operations mailing list:
evil.com -> generates packet with forged address as (victim.com(icmp_echo)) -> destination for spoofed packet (44 broadcast addresses).

From here... all 44 network's broadcast address pass the icmp with the forged address on to all machines using that network. Each machine then replies as:

abused.net.com (echo_reply) -> victim.com
abused2.net.com (echo_reply) -> victim.com
abused3.othernet.com (echo_reply) -> victim.com
abused4.othernet.com (echo_reply) -> victim.com
Ping Flooding is not to be confused with the Ping of Death [1] or with SYN Flooding [2]. (Paying attention? There will be a test.) Like most of its fellows the technique is not new: one poster to an ISP mailing list described a lively trade in Ping Flood programs at UC Berkeley in the late 80s. The recent uptick in the attacks seems to be due to such a program circulating anew. A network operator in Texas recently posted part of a program called Smurf, which is "now being passed around like candy." He requested help from the operators in charge of any of 44 IP addresses listed in the code. These were supposedly the broadcast addresses of networks that might be used to amplify Ping Flood attacks (though when I checked I found only 2 of the 44 to be valid addresses). Of course, recipients of this source code could substitute other valid broadcast addresses, but most of them probably wouldn't bother.
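To make the amplification loop concrete, here is an added example in Python; it is not code from this newsletter, from the mailing-list post quoted above, or from the Smurf program itself. It models the exchange the post describes (forged echo request to a network's broadcast address, one echo reply per live host back to the victim) and includes the check I applied to the hard-coded list: whether a given address is really the directed-broadcast address of a network. Every address, network and host count in it is made up for the example (RFC 5737 documentation ranges); none are the 44 addresses from the program.

```python
"""Added example, not code from the TBTF page or from the Smurf program it
describes: a small model of the Ping Flood (Smurf) amplification loop.

The attacker sends ICMP echo requests whose source address is forged as the
victim, addressed to the directed-broadcast address of some third-party
network. Every host on that network that answers broadcast pings sends its
reply to the victim, so one attacker packet becomes one reply per live host.
All networks, hosts and addresses below are constructed for the example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Network:
    prefix: str                  # e.g. "192.0.2.0/24"
    live_hosts: int              # hosts on it that answer pings to the broadcast address
    forwards_directed_broadcast: bool = True   # the router setting the fix turns off

    @property
    def broadcast(self) -> str:
        return str(ipaddress.ip_network(self.prefix).broadcast_address)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str    # "echo_request" or "echo_reply"


def is_broadcast_of(addr: str, prefix: str) -> bool:
    """True if addr is the directed-broadcast address of prefix (the test to
    apply to each address hard-coded into a Smurf-style program)."""
    return ipaddress.ip_address(addr) == ipaddress.ip_network(prefix).broadcast_address


def smurf(victim: str, networks: list, requests_per_net: int) -> list:
    """Return every packet that lands on the victim.

    The attacker never appears as a source: each spoofed request claims to be
    from the victim, so the victim sees only echo replies from hosts on the
    abused networks."""
    delivered = []
    for net in networks:
        if not net.forwards_directed_broadcast:
            continue    # border router drops the spoofed broadcast: no amplification
        hosts = [str(h) for h in ipaddress.ip_network(net.prefix).hosts()][: net.live_hosts]
        for _ in range(requests_per_net):
            spoofed = Packet(src=victim, dst=net.broadcast, kind="echo_request")
            # The router broadcasts the request to every host on the subnet;
            # each live host replies to the forged source, i.e. to the victim.
            for host in hosts:
                delivered.append(Packet(src=host, dst=spoofed.src, kind="echo_reply"))
    return delivered


def amplification(victim: str, networks: list, requests_per_net: int) -> float:
    """Replies the victim receives per request the attacker sent."""
    sent = requests_per_net * len(networks)
    return len(smurf(victim, networks, requests_per_net)) / sent if sent else 0.0


# Constructed scenario: two networks whose routers forward directed broadcasts
# and one that has been fixed. The attacker wastes packets on the fixed one.
VICTIM = "203.0.113.7"
NETWORKS = [
    Network("192.0.2.0/24", live_hosts=50),
    Network("198.51.100.0/24", live_hosts=120),
    Network("10.0.0.0/24", live_hosts=200, forwards_directed_broadcast=False),
]

if __name__ == "__main__":
    replies = smurf(VICTIM, NETWORKS, requests_per_net=3)
    by_net = Counter(p.src.rsplit(".", 1)[0] + ".0/24" for p in replies)
    print(f"{len(replies)} echo replies hit {VICTIM} for 9 attacker packets")
    print(f"amplification factor: {amplification(VICTIM, NETWORKS, 3):.1f}x")
    print("replies per abused network:", dict(by_net))
```

The attacker's nine packets become 510 replies at the victim, and the victim's logs show only the abused networks' hosts, never the attacker. The third network contributes nothing because its router no longer forwards packets addressed to its broadcast address, which is the fix discussed below.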

One of the IPs hard-coded into Smurf is, somewhat alarmingly, the broadcast address of MAE-East, the switching center outside of Washington, DC, through which passes some 15% of all Internet traffic.

See [3] for a graph showing a typical day's traffic at one of the MAE-East switches before the Ping Flood attacks began (these data are from 7/12). Now compare [4a], a composite graph of a recent 5-day stretch. Here's an operator speculating on what all those suspicious drops to zero might mean.

1. Send a Cisco enough (a thousand a second) ICMP ECHO REQUESTS, and it takes CPU to 99% and drops all BGP sessions. Tested on a C7010.

2. Various routers on MAE-East have been mysteriously clearing all their BGP peers over the past week or two.

3. The attack mentioned causes a lot of ICMP ECHO REQUESTS to be sent to Cisco routers on MAE-East.

Are these facts by any chance related?

To defuse the technique a network operator can configure a router to block ICMP messages from particular source addresses, or to block all ICMP packets. Of course, doing so breaks any programs that rely on ICMP (ping and traceroute among them), and filtering at the victim's end only keeps the replies off the hosts; it does nothing for the upstream link the flood has already filled. The more effective fix belongs to the abused networks: configure the border router not to forward packets addressed to the subnet's broadcast address (on Cisco routers, "no ip directed-broadcast" on each interface), and configure hosts not to answer echo requests sent to a broadcast address, so that incoming Pings are simply absorbed rather than broadcast, effectively denying an attacker any amplification. Since the attack depends on a forged source address, a network that drops outbound packets whose source address is not one of its own also prevents its users from launching one.
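An attack like this is visible in two places, on the network being abused as an amplifier and on the victim's network, and the signatures differ. The following is an added example in Python, not code from this newsletter or from any operator quoted in it, that runs both checks over constructed tcpdump-style ICMP lines. The subnet list, the addresses and the log lines are all invented for the example; the line format imitates tcpdump's default ICMP output.

```python
"""Added example, not from the TBTF page: detection logic for the two places a
Ping Flood (Smurf) attack shows up, run over constructed tcpdump-style lines.

  1. On a network being abused as an amplifier: ICMP echo requests addressed
     to the subnet's directed-broadcast address from a source that is not on
     that subnet (the forged victim address).
  2. On the victim's network: a burst of echo replies to one host from many
     distinct sources in a short window, with no matching requests from it.

Addresses, subnets and log lines are all constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches the start of a tcpdump ICMP echo line, e.g.
# "12:00:01.000010 IP 203.0.113.7 > 192.0.2.255: ICMP echo request, id 1, ..."
LINE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+) IP (?P<src>[\d.]+) > "
    r"(?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)


@dataclass(frozen=True)
class Event:
    t: float      # seconds since midnight
    src: str
    dst: str
    kind: str     # "request" or "reply"


def parse(lines):
    """Turn tcpdump-style lines into Events; non-echo lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
        events.append(Event(t, m["src"], m["dst"], m["kind"]))
    return events


def spoofed_broadcast_requests(events, local_prefixes):
    """Check 1: echo requests to one of our broadcast addresses whose source
    is not on that subnet. A local host pinging its own broadcast is normal;
    an outside source doing so is either a probe or a forged victim address."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    hits = []
    for e in events:
        if e.kind != "request":
            continue
        dst = ipaddress.ip_address(e.dst)
        for net in nets:
            if dst == net.broadcast_address and ipaddress.ip_address(e.src) not in net:
                hits.append(e)
                break
    return hits


def reply_floods(events, window=1.0, min_sources=10):
    """Check 2: per (time bucket, destination), count distinct reply sources
    and compare with the requests that destination itself sent. Unsolicited
    replies from many sources in one window are the victim-side signature."""
    replies = defaultdict(set)       # (bucket, dst) -> set of reply sources
    requests = defaultdict(int)      # (bucket, src) -> echo requests that host sent
    for e in events:
        bucket = int(e.t // window)
        if e.kind == "reply":
            replies[(bucket, e.dst)].add(e.src)
        else:
            requests[(bucket, e.src)] += 1
    flagged = {}
    for (bucket, dst), sources in replies.items():
        sent = requests[(bucket, dst)]
        if len(sources) >= min_sources and sent < len(sources):
            flagged[(bucket, dst)] = (len(sources), sent)
    return flagged


VICTIM = "203.0.113.7"
# Constructed capture on the amplifier side (192.0.2.0/24): one spoofed request
# to the broadcast address, one of the resulting replies, and a legitimate
# broadcast ping from a local host that must not be flagged.
AMPLIFIER_SIDE = [
    "12:00:01.000010 IP 203.0.113.7 > 192.0.2.255: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000400 IP 192.0.2.10 > 203.0.113.7: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:01.100000 IP 192.0.2.5 > 192.0.2.255: ICMP echo request, id 2, seq 1, length 64",
]
# Constructed capture on the victim side: 25 replies from 192.0.2.x within one
# second, plus an ordinary ping exchange between two unrelated hosts.
VICTIM_SIDE = [
    f"12:00:01.{i:06d} IP 192.0.2.{i} > {VICTIM}: ICMP echo reply, id 1, seq 1, length 64"
    for i in range(1, 26)
] + [
    "12:00:01.500000 IP 203.0.113.9 > 198.51.100.5: ICMP echo request, id 3, seq 1, length 64",
    "12:00:01.520000 IP 198.51.100.5 > 203.0.113.9: ICMP echo reply, id 3, seq 1, length 64",
]

if __name__ == "__main__":
    for e in spoofed_broadcast_requests(parse(AMPLIFIER_SIDE), ["192.0.2.0/24"]):
        print(f"amplifier side: spoofed broadcast request from {e.src} to {e.dst}")
    for (bucket, dst), (n, sent) in reply_floods(parse(VICTIM_SIDE)).items():
        print(f"victim side: {dst} got replies from {n} hosts in bucket {bucket}, sent {sent} requests")
```

The thresholds (one-second window, ten distinct sources) are starting points, not tuned values; a host that genuinely pings a broadcast address will receive many replies, which is why the victim-side check compares the reply sources against the requests the host itself sent in the same window rather than counting replies alone.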

[1] http://www.tbtf.com/archive/1996-11-12.html
[2] http://www.tbtf.com/archive/1996-09-23.html
[3] http://www.mfsdatanet.com:80/MAE/east.giga.970712.html
[4a] http://www.tbtf.com/pics/east.giga.overlay.gif

Threads: Domain name policy. See also TBTF for 2000-04-19, 03-31, 1999-12-16, 10-05, 08-30, 08-16, 07-26, 07-19, 07-08, 06-14, 05-22, more...

A meeting on domain names

Last week all sides in the domain naming fracas met and talked in Washington, DC, at the two-day Forum on Internet Domain Names, convened by the CDT, ITAA, and ISA. Attendees included:

Internet Week reports [5] a conciliatory tone from both NSI and the Policy Oversight Committee, the group charged with carrying out the IAHC/gTLD-MoU process. ZDnet [6] reaches no particular conclusions. Wired [7] reports that a broad consensus emerged around the IAHC plan with continued participation by NSI. One of the participants disputes this interpretation. Dave Crocker <dcrocker at branenberg dot com>, a member of the original IAHC, said:

I saw much discussion but there was no basis for asserting any particular consensus or lack of it. The event was distinctive by having brought the major players to the same table, for an open airing of views. The opening statements were taken by many to suggest a convergence of positions, primarily due to NSI's indicating a willingness to share .com (when it feels that the new system is reliable enough). In fact, NSI has made similar statements over a number of months. What continues to be lacking is any real action by NSI to participate directly, though there is some indication that is about to change.
See [8] for a summary of TBTF coverage of the developments in domain naming.

[5] http://www4.zdnet.com/intweek/daily/970801b.html
[6] http://www5.zdnet.com/zdnn/content/zdnn/0801/zdnn0005.html
[7] http://www.wired.com/news/news/politics/story/5699.html
[8] http://www.tbtf.com/resource/domain-name-hist.html

Threads: Cryptography export policy. See also TBTF for 2000-02-06, 1999-10-05, 08-30, 08-23, 08-16, 07-26, 05-22, 05-08, 04-21, 03-01, 01-26, more...

Four horsemen not riding yet

Dorothy Denning and William Baugh have completed their study of the impact of strong crypto on law enforcement (see TBTF for 1997-03-21 [9] and [10]). The full study, titled "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism," is to be published by the National Strategy Information Center. An excerpt [11] from the introduction is posted on Denning's site. This news.com coverage [12] focuses on the study's finding that encryption has not noticeably impeded any criminal investigations thus far; the story's hook is an apparent softening of the positions of these two long-time proponents of key escrow. No such softening is evident in the excerpt [11], which states: "Our central claim is that the impact of encryption on crime and terrorism is at its early stages."

[9] http://www.tbtf.com/archive/1997-03-21.html
[10] http://www.tbtf.com/resource/horseman-arms.html
[11] http://guru.cosc.georgetown.edu/~denning/crypto/oc-abs.html
[12] http://www.news.com/News/Item/0%2C4%2C13000%2C00.html


An alliance against free software (?) stumbles

On 7/17 Phil Agre's Red Rock Eater News Service carried a note from Bruce Perens <bruce at pixar dot com>, chairman of Software in the Public Interest [13], a nonprofit group that supports the Debian GNU/Linux free OS environment. The note called attention to the industry consortium I2O SIG [14], whose members, including Microsoft and Intel, are developing a next-generation intelligent I/O bus. "It looks as if the I2O SIG agreements are deliberately written to exclude free software," said Perens. Indeed, the consortium's ground rules forbid the use of the I2O spec to any non-member -- a $5,000 barrier -- and existing members can veto proposed new applicants. Wired picked up the story [15] on 7/21 and published a URL from which hundreds of people around the world downloaded the secret I2O specs in PDF format. I2O quietly removed the offending material, but after this breach the consortium will have a difficult time enforcing any nondisclosure agreements.

[13] http://www.debian.org/social_contract.html
[14] http://www.i2osig.org/
[15] http://www.wired.com/news/news/technology/story/5343.html


Separated at birth

Jeffrey Harrow's <harrow at mail dot dec dot com> Rapidly Changing Face of Computing [16] covers territory familiar to readers of TBTF -- new Web services, industry trends, technology news that catches the editor's eye -- and often in greater depth. For example, last week I wrote 100 words about Alexa [17] and Harrow wrote 1000. RCFoC aims to provide "pragmatic, unbiased insight, analysis, and commentary on contemporary computing innovations and trends"; the viewpoint isn't Digital-centric although the corporation underwrites its production and hosts its site. (This has drawbacks: for example RCFoC's Search button takes you to Digital's main search page with no option to restrict the search only to RCFoC.) The newsletter is published every Monday by email and Web (sound familiar?). And you can listen to issues via "RCFoC Radio" using VOXWare streaming audio. I can't vouch for the VOXware, having long ago succumbed to NAPI syndrome -- not another plug-in. Joe Bob says check it out [18].

[16] http://www.digital.com/rcfoc/
[17] http://www.alexa.com/
[18] http://blkbox.com/joebob.html


What's French for "buggy?"

The Be site features a tour of the high points of the fledgling operating system [19]. Be's president M. Gassé being of the French persuasion, it is perhaps unsurprising to find a dramatic dialog in French captured in a screen shot's amber [20]. It appears to be a conversation between a beta tester and a development engineer; if it's not genuine it's compellingly crafted. Here is the best colloquial translation I can manage, with the help of informant Tim Gilbert <gilbert at marin dot cc dot ca dot us> and several co-workers far more conversant than I with la belle langue.
Note added 1997-08-04: Thanks also to Mark H. Kraml <kraml at ibm dot net>, Robert Harley <Robert.Harley at inria dot fr>, and Pascal Menoud <pmenoud at smtpgw dot powersoft dot com> for their assistance toward a less bugee translation.

[BT] The splash screen: on the BeBox the background is red, here it's blue -- is that normal?

[Eng] Yes... the BeOS 32-bit-to-8-bit color conversion is buggy on the PowerMac.

[BT] What will the graph button do during connection?

[Eng] Nothing -- it only indicates stuff during a transfer.

[BT] It always crashes when connecting to Polytechnique [frowney] on StartFTP and it's a ReadFault error.

[Eng] Ouch.

[BT] I presume you'll come do a stint at Polytechnique... [smiley]

[Eng] That's the only way to find the problem.

[BT] So that's a start, I'll test the crashing problem again...

[19] http://www.be.com/products/beos_tour/
[20] http://www.be.com/products/beos_tour/tour_images/MailIt.gif


Threads: Backhoe vs. fiber, the eternal battle. See also TBTF for 1998-10-12, 02-02, 1997-11-24, 10-06, 08-04, 07-21, 1996-10-31

The dreaded backhoe

The recent and continuing rash of backhoe attacks on backbone fiber [21] has stimulated ongoing commentary on network mailing lists about this modern incarnation of an ancient rivalry. (Think Swords vs. Sorcery.) A page titled The Backhoe, natural enemy of the Network Administrator [22] offers a skewed look at the conflict, with pictures of the extremes of the ungainly yellow species [23], [24] and research on the possibility of developing "stealth" technology for fiber cables that renders them invisible to the predators [25].

A side note: our British cousins know the backhoe as a "JCB." This opaque usage was explicated on a network administrators' mailing list:

[JCB is] literally "Joseph Charles Bamford," whose company [26], nestled in the Staffordshire countryside near a place called Rocester ("Rowster" for those unfamiliar with the vagaries of English pronunciation), produces swarms of bright yellow "diggers" for use the world over.
The JCB company calls them backhoes.
Note added 1997-08-04: John Pike <johnpike at fas dot org> writes: "The term of art for this problem is backhoe fade ... the derivation is that Ka and Ku band communications satellites suffer loss of signal strength in the presence of rain, which is known as 'rain fade' and the satellite folks liked to tease the fiber folks that they had a similar problem with 'backhoe fade.'"

[21] http://www.tbtf.com/archive/1997-07-21.html#s01
[22] http://www.23.com/backhoe/
[24] http://www.bham.net/mining/
[25] http://www.23.com/backhoe/research.html
[26] http://www.jcb.co.uk/


Today's TBTF title is loosely adapted from the first novel [27] in the Brother Cadfael series of medieval mysteries, by Edith Pargeter (writing as Ellis Peters).

[27] http://www.amazon.com/exec/obidos/ISBN=0446400157/tbtfA/


For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html.

Red Rock Eater News Service -- mail rre-request@weber.ucsd.edu without subject and with message: subscribe . Archive at http://communication.ucsd.edu/pagre/archive_help.html (email-based). Web home at http://communication.ucsd.edu/pagre/rre.html.

TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.



Copyright © 1994-2017 by Keith Dawson. Commercial use prohibited. May be excerpted, mailed, posted, or linked for non-commercial purposes.