Author: Bob Durrett
Date: 06:48:02 02/13/03
On February 12, 2003 at 21:25:22, Robert Hyatt wrote:

>On February 12, 2003 at 09:43:35, Bob Durrett wrote:
>
>>On February 11, 2003 at 22:53:47, Robert Hyatt wrote:
>>
>>>On February 11, 2003 at 17:42:53, Russell Reagan wrote:
>>>
>>>>On February 11, 2003 at 15:29:57, Robert Hyatt wrote:
>>>>
>>>>>The internet is a hostile place, but it will get better. One long-overdue change is the elimination of _all_ anonymous activities, from anonymous remailers, to allowing someone to send a packet that doesn't have them as the return address, etc.
>>>>>
>>>>>It will eventually be fixed. IPV6 is one approach that is picking up steam.
>>>>
>>>>So eventually are we going to have to register with the government if we want to be on the net, or run a server, or play chess, etc.? Anyone can set up a mail server and mail anonymously.
>>>
>>>No. You are missing the point. You can _still_ set up a server. With a registered IP address. And you can send as much email as you want, but it _will_ have your ip address as the return point. And _any_ packet you send will have to have your ip address as the return address, not some bogus address as is used in most internet attacks. This means that you can't send packets that you claim originate somewhere else. Not that we could stop you from trying, but we simply turn on a simple check (in linux) to make sure that when you send me a packet, it has a return address that is "behind" you.
>>>
>>>You can still use a bogus login / user name. But it will trace right back to your registered IP address, so you can't get away with any sort of spoofing, DOS, spamming, etc...
>>>
>>>>Anyone can do just about anything if they have a connection.
>>>
>>>Not really. For example, you connect a laptop inside my CIS network, and try to spoof, and the packets go into the toilet. I do this in both directions. Someone outside my network can't send me packets that claim to originate inside my network, and vice-versa. When all internet relays do this, the problem goes away.
>>>
>>>>Seems like the only way to stop the rowdies is to monitor everything, but then you get into people stealing other people's online identities, and things quickly spiral out of control. We all know how computer illiterate politicians really are, and they're going to pass some law like this requiring everyone to have an identity, and then innocent people are going to start going to jail, and before we know it, the world will come to an end! How's that for being an alarmist? :)
>>>>
>>>>Anyway, there has to be some way to prevent such attacks. Whois servers usually have some kind of rate that you must stay below to continue doing queries. How do they prevent one person from monopolizing their servers?
>>>
>>>Linux can do this. But the problem is that the "spoofers" appear to be connecting from all over the world, not from one machine which would make it easy to block. But with source-route checking, this won't be possible. Many places are already doing it. It will become the "norm" at some point.
>>
>>Bob H., would you please elaborate on "source-route checking" and elaborate on what it will and will not accomplish?
>>
>>Bob D.
>
>Sure. Consider a "router" which is just a computer with two network connections (at least). Packets come in on one interface, and they are sent out on another interface that is "closer" to the final destination.
>
>One type of DOS attack involves a program running on a computer and producing SYN packets to initiate a connection. However, if the same machine were to try to initiate several hundred connections at once, it could be stopped. So these programs frame up a SYN packet to the targeted machine, but for the return address, they generate a random 32 bit number and stuff it into the packet. The SYN packet arrives at the target, and it immediately responds with a packet, which gets addressed to that random non-existent IP. The connection sits there for a couple of minutes until it times out. And since each new SYN packet appears to originate at a different host, each connection is treated as valid and it is very difficult to block them.
>
>This can be fixed when the routers do some sanity checking. IE a packet comes in on ethernet interface "A". If I know something about that interface and the network it is supposedly connected to (IE one interface on my departmental firewall is connected to the 138.26.65.* network) then I can look at the packets that come from that interface and look at the return address to be sure it is to a machine within that network. If it isn't, it has to be a program that is stuffing a bogus return address and we just dump the packet in the toilet, logging where it came from as best we can (IE a MAC address or whatever).
>
>This works in all directions. If I get a packet from an interface that my routing table says "send it back out on that same interface" then something appears to be fishy. I can look at the source address and see if it really could be out on that interface or not. I can't catch all forged packets like this, but if _every_ router does it, then the routers connected directly to the network with the "spoofer" can instantly spot it and drop the packets. Once they get into "cyber-land" it is harder to validate where they came from as the farther they travel into the network, the more legitimate hosts there are on that side of some specific router, and routers far from the origination point have a much harder time dropping the packets than the routers adjacent to the bad actor.
>
>If that doesn't help, I'll be glad to try to explain further. The point is that if all addresses are valid, then I can track them to the source and shut the problem down very quickly... But it takes everybody involved in the internet infrastructure to make this work. And there are foreign countries that are not interested in helping. The solution for those countries is to simply drop _all_ their packets into the toilet until they comply...

It appears that you have some good ideas as to how to minimize the problems. Perhaps more ideas will surface in the future, especially if "Internet Warfare" were to ever actually happen on a large scale.

Most of us probably have nothing to worry about. There is safety in numbers. It's like being a fish in a large school. If a shark or other predator attacks the school, an individual fish has a good chance of survival.

Anyway, ordinary people are probably not a target. An exception would be if the entire internet, perhaps in a single country, were to be shut down. Then, everybody would have to do without. I wouldn't expect anybody to jump off of tall buildings, though.

Anyway, it's an interesting topic. : )

Bob D.
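The router-side sanity check Hyatt describes in the quoted text (a packet arriving on interface "A" must carry a return address that belongs behind "A", "in both directions") is what a small reverse-path filter does. The following is an added example, not code from this thread and not any router's or Linux's own implementation. It assumes a hypothetical three-interface departmental router with interface names eth0/eth1/eth2; the 138.26.65.0/24 prefix is the network quoted above, while the other prefixes, the MAC addresses and the sample packets are constructed for the example. It generalizes the per-interface prefix check into a strict reverse-path lookup (route the source address, require that route to point back out the ingress interface), which covers both an inside host forging an outside source and an outside packet claiming an inside source. A second function shows the per-source connection limit the post says would stop a single machine, and why a random source address on every SYN sidesteps it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed routing table for a hypothetical three-interface router.
# 138.26.65.0/24 is the network mentioned in the thread; the other prefixes
# and the interface names are assumptions made for this example.
ROUTES = [
    (ipaddress.ip_network("138.26.65.0/24"), "eth0"),  # departmental LAN
    (ipaddress.ip_network("138.26.66.0/24"), "eth1"),  # a second internal LAN
    (ipaddress.ip_network("0.0.0.0/0"), "eth2"),       # default route: upstream
]


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # source ("return") address in the IP header
    dst: str
    mac: str      # source MAC seen on the ingress link, kept for the drop log


def route_interface(addr: str) -> Optional[str]:
    """Longest-prefix match: the interface a reply to `addr` would leave on."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(pkt: Packet) -> bool:
    """Strict reverse-path check: the packet is plausible only if the route
    back to its source address points out the interface it arrived on."""
    return route_interface(pkt.src) == pkt.ingress


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Split packets into accepted ones and (packet, log line) pairs for drops.
    The log keeps what the router can still see: ingress interface and MAC."""
    accepted, dropped = [], []
    for p in packets:
        if reverse_path_check(p):
            accepted.append(p)
        else:
            log = (f"DROP src={p.src} arrived on {p.ingress} (mac {p.mac}); "
                   f"reverse path for that source is {route_interface(p.src)}")
            dropped.append((p, log))
    return accepted, dropped


def sources_over_limit(packets: List[Packet], limit: int) -> Set[str]:
    """Per-source limit: count packets per source address and return the
    addresses above `limit`. When every SYN carries a fresh random source,
    each address counts once, so this check alone never trips."""
    counts: Dict[str, int] = {}
    for p in packets:
        counts[p.src] = counts.get(p.src, 0) + 1
    return {src for src, n in counts.items() if n > limit}


# Constructed sample traffic; "outside" hosts use RFC 5737 documentation addresses.
SAMPLE_PACKETS = [
    Packet("eth0", "138.26.65.10", "198.51.100.9", "00:11:22:33:44:55"),   # genuine inside host
    Packet("eth0", "203.0.113.7", "198.51.100.9", "00:11:22:33:44:55"),    # inside host forging an outside source
    Packet("eth1", "138.26.65.33", "198.51.100.9", "00:11:22:33:44:66"),   # source belongs to the other internal LAN
    Packet("eth2", "138.26.65.200", "138.26.65.10", "aa:bb:cc:dd:ee:ff"),  # outside packet claiming an inside source
    Packet("eth2", "198.51.100.9", "138.26.65.10", "aa:bb:cc:dd:ee:ff"),   # genuine outside host
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for _, line in bad:
        print(line)
```

Running the block accepts the two genuine packets and drops the three forged ones, each with a log line naming the ingress interface and MAC, which is the "logging where it came from as best we can" step from the post. The filter is only decisive on the router adjacent to the forging host: with a single default route, any source not covered by a more specific prefix is accepted from the upstream interface, which is the post's point that routers far from the origin have far less to check against.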
Last modified: Thu, 15 Apr 21 08:11:13 -0700
Current Computer Chess Club Forums at Talkchess. This site by Sean Mintz.