Seth's Rant for March 1, 2000

Who is Really Responsible for the DoS Attacks?

The Problem

Once again we have a round of Internet problems and our ever diligent government is looking for someone to blame. The FBI is conducting a massive manhunt, which has now sunk to the level of tracking down every person with a suspect user name. Most likely they will never find who did this and they certainly could never prove anything in court. The reason lies in the nature of the attack: Denial of Service.

Unlike a break-in attempt, a DoS attack seeks only to disrupt a target machine, not to access any of its information or other resources. Thus the attacker only needs to send data to the target machine; he doesn't need to get any back. So, to prevent the attack from being traced, the attacker can insert a fake source address into the offending packets. A single malicious packet arriving at a network node won't do much: without a valid return address, no data connection can be established and the packet is eventually ignored. The key word is eventually: in the meantime, some small amount of the node's resources is used processing and keeping track of the packet. Send thousands of packets per second, and now you are talking about serious resource squandering and a disruption of service to legitimate traffic.

The Reason

So, why does this happen? The obvious answer is that some bad person out there did it. But the real question should be, "Why is this possible?" The answer is ignorance and a lack of responsibility.

Every router on the Internet is capable of squelching faked source addresses and thus preventing attackers from hiding their location. (There are other ways to hide, but they aren't nearly as effective as source spoofing.) But by default this option is turned off. Cisco claims this is because of performance concerns. They claim that the CPU time needed to check that the source network of an outgoing packet matches one of those serviced by the router would increase processing overhead by as much as 30%.

First, let me express my opinion that this is bullshit. Small routers generally only have one or two uplinks and service a single local network. The check would be insignificant compared to the time it takes just to move the packet from one interface to another. Large routers have to compare the destination address to a table of dozens, if not thousands, of networks to find the right uplink. Adding a check of the few possible source addresses is again minuscule. The only place where checking would be a significant burden would be on backbone routers, where the number of possible source networks is large. But if the local routers would do their jobs, checking on the backbone would not be necessary.
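As an added illustration (not part of the original rant), here is the check described above in Python: a router already performs a longest-prefix destination lookup for every packet, and the anti-spoofing check adds only a comparison of the source address against the few prefixes served behind the interface the packet arrived on. The interface names, prefixes and sample packet headers are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed edge-router topology: the prefixes legitimately
# reachable behind each customer-facing interface.
LOCAL_PREFIXES = {
    "eth0": [ip_network("192.0.2.0/24")],
    "eth1": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/25")],
}
# Constructed forwarding table: (prefix, egress interface); the
# default route sends everything else out the uplink.
ROUTES = [
    (ip_network("192.0.2.0/24"), "eth0"),
    (ip_network("198.51.100.0/24"), "eth1"),
    (ip_network("0.0.0.0/0"), "serial0"),
]

def route_lookup(dst):
    """Longest-prefix match over ROUTES: the lookup every router already does."""
    addr = ip_address(dst)
    matches = [r for r in ROUTES if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def source_is_legitimate(src, ingress_if):
    """The anti-spoofing check: src must lie inside a prefix served behind ingress_if.
    Traffic arriving from the uplink is not checked here; that is the upstream router's job."""
    if ingress_if not in LOCAL_PREFIXES:
        return True
    addr = ip_address(src)
    return any(addr in net for net in LOCAL_PREFIXES[ingress_if])

def forward(ingress_if, src, dst):
    """Return ('forward', egress_if) or ('drop', reason) for one packet header."""
    if not source_is_legitimate(src, ingress_if):
        # Counting these drops per interface tells the operator which
        # customer port a host emitting forged sources sits behind.
        return ("drop", f"spoofed source {src} on {ingress_if}")
    return ("forward", route_lookup(dst))

# Constructed sample headers: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth0", "192.0.2.17", "203.0.113.5"),      # legitimate, leaves via uplink
    ("eth1", "198.51.100.200", "192.0.2.9"),    # legitimate, local delivery
    ("eth0", "203.0.113.99", "203.0.113.5"),    # forged source, not served locally
    ("eth1", "192.0.2.17", "203.0.113.5"),      # forged source borrowed from eth0's LAN
    ("serial0", "203.0.113.5", "192.0.2.17"),   # inbound from uplink, not checked here
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", forward(*pkt))
```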

The real reason that Cisco doesn't want to ship routers that default to source checking is economics: DoS attacks don't cost them anything, but making router configuration even slightly more complicated does. The average person installing a router has no clue how it works or how to configure it. Turning on source squelching would add to the configuration requirements, which means more tech support calls and more costs for Cisco.

Like most Internet security issues, the real problem is that the people responsible for keeping the Internet secure, the system administrators and their employers, are not doing their jobs. Everyone would benefit if everyone properly configured their networks to be safe and secure. But even high profile targets like government agencies and e-commerce sites have been unwilling to expend the necessary effort to ensure security. Sources like ISPs simply perceive no incentive to be secure.

The Solution

There needs to be limited liability for being the source of an attack. Administrators or companies which don't show due diligence in preventing themselves from sourcing an attack should be held partially responsible for the consequences of the attack. If an auto manufacturer makes a mistake that results in accidents and injuries, they can be sued for damages. If a property owner fails to prune a tree and it falls on a neighbor's house, the owner is held responsible. If any individual knowingly fails to perform their job in such a way that prevents injury or damage, they and their employer are normally held responsible for the consequences. So why are network administrators and ISPs any different?

The vast majority of problems on the Internet are caused by ignorance. Maybe we need some incentive to force individuals and companies to pull their heads out of their asses and pay attention to what they are doing.

Here are a few references for more information about this issue:

This rant solely reflects the opinion of the author, probably while he was half asleep, drunk, or otherwise incapacitated. It does not necessarily reflect the actual opinion of DEI, its associates, or possibly the author in a more conscious state. Hate mail will be prosecuted. Constructive criticism may be posted or ignored. Have a nice day.

Seth B. Noble - Rant - sbnoble - March 1, 2000