TBTF for 8/4/97: A morbid taste for fiber

Keith Dawson (dawson@world.std.com)
Sun, 3 Aug 1997 13:06:09 -0500


TBTF for 8/4/97: A morbid taste for fiber

T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/08-04-97.html >

C o n t e n t s

Ping Flood attacks
A meeting on domain names
Four horsemen not riding yet
An alliance against free software (?) stumbles
Separated at birth
What's French for "buggy?"
The dreaded backhoe

..Ping Flood attacks

Yet another kind of denial-of-service attack, the Ping Flood, has
been on the upswing in recent days. It uses the Internet Control
Message Protocol to fool an innocent network into amplifying an
attack's firepower. Here's how the laser-like amplification works,
as described on a network operations mailing list:

> evil.com -> generates packet with forged address as
> (victim.com(icmp_echo)) -> destination for spoofed
> packet (44 broadcast addresses).

> From here... all 44 network's broadcast address pass
> the icmp with the forged address on to all machines
> using that network. Each machine then replies as:

> xxx.xxx.xxx.255
> abused.net.com (echo_reply) -> victim.com
> abused2.net.com (echo_reply) -> victim.com
> yyy.yyy.yyy.255
> abused3.othernet.com (echo_reply) -> victim.com
> abused4.othernet.com (echo_reply) -> victim.com

> [...etc...]

Ping Flooding is not to be confused with the Ping of Death [1] or
with SYN Flooding [2]. (Paying attention? There will be a test.)
Like most of its fellows the technique is not new: one poster to
an ISP mailing list described a lively trade in Ping Flood pro-
grams at UC Berkeley in the late 80s. The recent uptick in the
attacks seems to be due to such a program circulating anew. A net-
work operator in Texas recently posted part of a program called
Smurf, which is "now being passed around like candy." He requested
help from the operators in charge of any of 44 IP addresses listed
in the code. These were supposedly the broadcast addresses of ma-
chines whose networks might be used to amplify Ping Flood attacks
(though when I checked just now I found only 2 of the 44 to be
valid addresses). Of course, recipients of this source code could
substitute other valid network addresses, but most of them prob-
ably wouldn't bother.

One of the IPs hard-coded into Smurf is, somewhat alarmingly, the
broadcast address of MAE-East, the switching center outside of Wash-
ington, DC, through which passes some 15% of all Internet traffic.

See [3] for a graph showing a typical day's traffic at one of the
MAE-East switches before the Ping Flood attacks began (these data
are from 7/12). Now compare [4], a composite graph of the most re-
cent 5 days. Here's an operator speculating on what all those sus-
picious drops to zero might mean.

> 1. Send a Cisco enough (a thousand a second) ICMP ECHO
> REQUESTS, and it takes CPU to 99% and drops all BGP
> sessions. Tested on a C7010.

> 2. Various routers on MAE-East have been mysteriously
> clearing all their BGP peers over the past week or
> two.

> 3. The attack mentioned causes a lot of ICMP ECHO REQUESTS
> to be sent to Cisco routers on MAE-East.

> Are these facts by any chance related?

To defuse the technique a network operator can set a router to
block ICMP messages from particular IP addresses, or to block all
ICMP packets. Of course, doing so breaks any programs that rely on
ICMP. Another fix is not to broadcast incoming Pings, but simply
to echo or absorb them, effectively denying an attacker any ampli-

[1] http://www.tbtf.com/archive/11-12-96.html
[2] http://www.tbtf.com/archive/09-23-96.html
[3] http://www.mfsdatanet.com:80/MAE/east.giga.970712.html
[4] http://www.mfsdatanet.com:80/MAE/east.giga.overlay.html

..A meeting on domain names

Last week all sides in the domain naming fracas met and talked in
Washington, DC, at the two-day Forum on Internet Domain Names, con-
vened by the CDT, ITAA, and ISA. Attendees included:

- (US government) Commerce, FTC, PTO

- (international) WIPO, ITU

- (IAHC/POC) Internet Society, Internet Mail Society

- (domain naming) Network Solutions, Inc.

- (others) AOL, Netscape, IBM, AT&T, Digital, Bell

Internet Week reports [5] a conciliatory tone from both NSI and the
Policy Oversight Committee, the group charged with carrying out the
IAHC/gTLD-MoU process. ZDnet [6] reaches no particular conclusions.
Wired [7] reports that a broad concensus emerged around the IAHC
plan with continued participation by NSI. One of the participants
disputes this interpretation. Dave Crocker <dcrocker@branenberg.com>,
a member of the original IAHC, said:

> I saw much discussion but there was no basis for asserting
> any particular consensus or lack of it. The event was dis-
> tinctive by having brought the major players to the same
> table, for an open airing of views. The opening statements
> were taken by many to suggest a convergence of positions,
> primarily due to NSI's indicating a willingness to share
> .com (when it feels that the new system is reliable enough.)
> In fact, NSI has made similar statements over a number of
> months. What continues to be lacking is any real action by
> NSI to participate directly, though there is some indication
> that is about to change.

See [8] for a summary of TBTF coverage of the developments in domain

[5] http://www4.zdnet.com/intweek/daily/970801b.html
[6] http://www5.zdnet.com/zdnn/content/zdnn/0801/zdnn0005.html
[7] http://www.wired.com/news/news/politics/story/5699.html
[8] http://www.tbtf.com/resource/domain-name-hist.html

..Four horsemen not riding yet

Dorothy Denning and William Baugh have completed their study of the
impact of strong crypto on law enforcement (see TBTF for 3/21/97
[9] and [10]). The full study, titled "Encryption and Evolving Technologies
as Tools of Organized Crime and Terrorism," is to be published by
the National Strategy Information Center. An excerpt [10] from the
introduction is posted on Denning's site. This news.com coverage [11]
focuses on the study's finding that encryption has not noticably im-
peded any criminal investigations thus far; the story's hook is an
apparent softening of the positions of these two long-time propo-
nents of key escrow. No such softening is evident in the excerpt [10],
which states: "Our central claim is that the impact of encryption on
crime and terrorism is at its early stages."

[9] http://www.tbtf.com/archive/03-21-97.html
[10] http://www.tbtf.com/resource/horseman-arms.html
[11] http://guru.cosc.georgetown.edu/~denning/crypto/oc-abs.html
[12] http://www.news.com/News/Item/0%2C4%2C13000%2C00.html

..An alliance against free software (?) stumbles

On 7/17 Phil Agre's Red Rock Eater News Service carried a note from
Bruce Perens <bruce@pixar.com>, chairman of Software in the Public
Interest [13], a nonprofit group that supports the Debian GNU/Linux
free OS environment. The note called attention to the industry con-
sortium I2O SIG [14], whose members, including Microsoft and Intel,
are developing a next-generation intelligent I/O bus. "It looks as
if the I2O SIG agreements are deliberately written to exclude free
software," said Perens. Indeed, the consortium's ground rules for-
bid the use of the I2O spec to any non-member -- a $5,000 barrier --
and existing members can veto proposed new applicants. Wired picked
up the story [15] on 7/21 and published a URL from which hundreds
of people around the world downloaded the secret I2O specs in PDF
format. I2O quietly removed the offending material, but after this
breach the consortium will have a difficult time enforcing any non-
disclosure agreements.

[13] http://www.debian.org/social_contract.html
[14] http://www.i2osig.org/
[15] http://www.wired.com/news/news/technology/story/5343.html

..Separated at birth

Jeffrey Harrow's <harrow@mail.dec.com> Rapidly Changing Face of Com-
puting [16] covers territory familiar to readers of TBTF -- new Web
services, industry trends, technology news that catches the editors's
eye -- and often in greater depth. For example, last week I wrote 100
words about Alexa [17] and Harrow wrote 1000. RCFoC aims to provide
"pragmatic, unbiased insight, analysis, and commentary on contemporary
computing innovations and trends"; the viewpoint isn't Digital-centric
although the corporation underwrites its production and hosts its site.
(This has drawbacks: for example RCFoC's Search button takes you to
Digital's main search page with no option to restrict the search only
to RCFoC.) The newsletter is published every Monday by email and Web
(sound familiar?). And you can listen to issues via "RCFoC Radio"
using VOXWare streaming audio. I can't vouch for the VOXware, having
long ago succumbed to NAPI syndrome -- not another plug-in. Joe Bob
says check it out [18].

[16] http://www.digital.com/rcfoc/
[17] http://www.alexa.com/
[18] http://blkbox.com/joebob.html

..What's French for "buggy?"

The Be site features a tour of the high points of the fledgling op-
erating system [19]. Be's president M. Gasse being of the French
persuasion, it is perhaps unsurprising to find a dramatic dialog
in French captured in a screen shot's amber [20]. It appears to be
a conversation between a QA staffer and a development engineer; if
it's not genuine it's compellingly crafted. Here is the best collo-
quial translation I can manage, with the help of informant Tim Gil-
bert <gilbert@marin.cc.ca.us> and several co-workers far more con-
versant than I with la belle langue.

[QA] The splash screen: on the BeBox the background is red,
here it's blue -- is that normal?

[Eng] Yes... the BeOS 32-bit-to-8-bit color conversion is buggy
on the PowerMac.

[QA] What will [the indicator?] be during connection?

[Eng] Nothing -- it registers only during a transfer.

[QA] It always crashes on connecting to Polytechnic. [frowney]
On StartFTP -- a ReadFault error.

[Eng] Ouch.

[QA] I expect you're going to do a port to X...? [smiley]

[Eng] That's where we'll find the problem.

[QA] So, I get to test the crashing problem all over again from
square one...

[19] http://www.be.com/products/beos_tour/
[20] http://www.be.com/products/beos_tour/tour_images/MailIt.gif

..The dreaded backhoe

The recent and continuing rash of backhoe attacks on backbone fiber
[21] has stimulated ongoing commentary on network mailing lists
about this modern incarnation of an ancient rivalry. (Think Swords
vs. Sorcery.) A page titled "The Backhoe, natural enemy of the Net-
work Administrator" [22] offers a skewed look at the conflict, with
pictures of the extremes of the ungainly yellow species [23], [24]
and research on the possibility of developing "stealth" technology
for fiber cables that renders them invisible to the predators [25].

A side note: our British cousins know the backhoe as a "JCB." This
opaque usage was explicated on a network administrators' mailing

> [JCB is] literally "Joseph Charles Bamford," whose company
> [26], nestled in the Staffordshire countryside near a place
> called Rocester ("Rowster" for those unfamiliar with the
> vaguaries of English pronunciation), produces swarms of
> bright yellow "diggers" for use the world over.

The JCB company calls them "backhoes."

[21] http://www.tbtf.com/archive/07-21-97.html#s01
[22] http://www.23.com/backhoe/
[24] http://www.bham.net/mining/
[25] http://www.23.com/backhoe/research.html
[26] http://www.jcb.co.uk/

N o t e s

> Today's TBTF title is loosely adapted from the first novel [27]
in the Brother Cadfael series of medieval mysteries, by Edith
Parteger (writing as Ellis Peters).

[27] http://www.amazon.com/exec/obidos/ISBN=0446400157/1189-2252884-311062

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
< http://www.tbtf.com/sources.html >.

> Red Rock Eater News Service -- mail rre-request@weber.ucsd.edu
without subject and with message: subscribe . Archive at
< http://communication.ucsd.edu/pagre/archive_help.html >
(email-based). Web home at
< http://communication.ucsd.edu/pagre/rre.html >.

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, <dawson@world.std.com>.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.

Version: 2.6.2, by FileCrypt 1.0