KiddieNet - a last line of defence?
Posted 18 Nov 2001 at 17:50 UTC by MartBrooks
Several months ago I wrote an article to highlight the frustration I
feel at Network Administrators who ignore, or are ignorant of, people
who are using their network resources to commit what are effectively
illegal acts.
The article was largely ignored.
Even now, I'm still seeing infected Windows boxes probing the outside
of my firewall and so I thought I'd re-post the article here for your
consideration.
What's KiddieNet about?
My daytime job is as a Systems Administrator for a small, but
moderately busy network. I oversee all the day to day running of the
network and maintenance thereof. You name it, if it's to do with
running a network, I've probably done it this week. Make sure "Dealing
with kiddies" is on the list too.
Kiddies
When I say "kiddie", I'm usually referring to what's better known as
a "script kiddie". An amateur cracker wannabe who fires off prepackaged
attack programs at usually innocent machines on the Internet in the
hope that some unwary Systems Administrator hasn't heard about that
particular exploit yet. These are the people I ultimately hope to foil
with KiddieNet.
KiddieNet will not be aimed directly at the kiddies themselves,
rather the SysAdmins who make it easy to do what is, after all, largely
an illegal act. I'm talking, of course, about my colleagues around the
world, and ISPs who feel that kiddies are not their problem.
Sorry, ladies and gentlemen, you're just plain wrong. Kiddies are every
Internet user's problem.
Scope of the problem
In Internet and corporate terms, the network I run is tiny. Really. One
sparsely populated Class C and a small /27, shortly to be merged into
the C. As I'm, I hope, pretty security conscious, I run various "honey
pot" programs, like portsentry, that do no more than listen on various
otherwise unused ports and log any connection attempts that occur.
On one machine, in one day, I logged slightly over 18,000 connection
attempts. Kiddies, playing.
My response
Usually, if I see only a few anomalous connections to my servers, I
largely ignore it. Every now and then however, (5 times today, in
fact), the kiddie isn't just being nosy, he or she is actively trying
to break into my network. I don't know about you, but I have a problem
with that.
My reaction in these cases is to report the illicit activity to the
responsible person for that particular network. It's these people that
KiddieNet will be aimed straight at.
Blame the admins?
I am, I hope, a responsible Systems Administrator. As part of the whois
and RIPE records for the domains I'm responsible for, I include e-mail
addresses that point to real mailboxes that are actually checked on a
regular basis. The machines on these networks have DNS that works both
ways. This makes other people's lives easier because, as has happened
to me in the past, when someone, a kiddie, starts abusing my network
facilities for their own goals, the people affected have a surefire
route to someone who can fix the problem.
Sadly, for many networks, this is simply not the case.
Time and time again, when I've mailed the alleged network owner or
responsible person I've had no response, an autoresponder or simply a
bounced mail because the information is outdated, inaccurate or, in
three cases so far, downright fraudulent. I find this frustrating in
the extreme. This is, I hope, where KiddieNet could help.
The proposal
This is not a new idea. It's used with great effect by ORBS (now sadly
deceased), RBL (http://www.mail-abuse.org) and other related sites in
dealing with open mail relays and known spammers.
Let us create a central database of known networks where there is no
meaningful point of contact, or where the point of contact doesn't
care, and then let people, network owners, ISPs, Systems Administrators
choose not to accept traffic from them.
Sounds reasonable? I think so, and it would be a very easy thing to
achieve, but, and this is a very big but, it would never work without
YOUR support. This is why I've written this - to beg and plead for help.
What's needed?
In the short term, just to get the project off the ground, it needs
bandwidth (lots, expect DoS attacks), hosting, a mailing list, a web
designer to make it look pretty, the odd perl coder to help me write
the backend and a few brave souls willing to help run the thing. In the
longer term, most important of all, I'd need the SysAdmins out there to
use the damn thing.
The overall project goals would be:
- To get every IP on the planet to reverse resolve.
- To get a valid human point of contact for each subnet.
- To allow anyone who chooses to block networks that don't comply.
People wishing to use KiddieNet would be given a list of rules for
their particular firewall system, ipchains, iptables, Cisco router etc,
and by applying these rules, would exclude traffic from the listed
networks.
So, am I mad? Is this unreasonable or unfeasible? Or do you have a
better idea? Whichever applies, I'd like to hear your view.
Two things, posted 18 Nov 2001 at 21:30 UTC by pphaneuf (Journeyer)
First, ORBS and RBL have a definite sensitization advantage where
admins and users both get notified of the reason their e-mail didn't go
through, making the users furious toward the right person (the admin
with the open relay) and thus hopefully having the effect of pressuring
the admin into repairing his system. Your system wouldn't have that.
Second, there are probably enough idiots in the world, including many in
network administrators roles, that the tables would be HUGE, maybe even
to the point of making them unusable or not fitting in a router memory.
I support the goal of having every IP reverse resolve. I would also
strongly support the goal of having valid contact information for each
network, but I don't think this is machine-verifiable without getting
annoying for the admins.
I do not directly agree with the last goal. Blocking mail coming from
open relays (in the cases of ORBS/RBL) is not a goal of the project, it
is a means to attain the real goals (have no open relays). In this
particular case, as I first said, blocking those networks would not have
much effect other than having my own users yelling at me, complaining as
to why they can't access this major web site or whatever, instead of
making them (or the users of these admins) complain to the faulty
admins.
If there is ever an ICMP "destination network admin is an idiot" reply
that Netscape will display appropriately, then blocking with that
message would be good. :-)
I see a few problems with this:
1) A lot of attacks (especially scans and DoS) often or easily employ
the use of spoofed IP addresses. Hence blocking by source IP is
dangerous (ie: I spoof the IP addresses of AOL's proxies and now no AOL
users can reach sites using your system. Hence, nobody is going to use
this system because everyone wants AOL users to access their site.)
2) Speaking as a security engineer and network admin, there is no
freaking way I'd implement a system that automated dropping of packets
on my network. Just too easy to be abused, and it's a lot worse than
just blocking email: you're talking about a complete block against IP
addresses of potential *customers*.
3) As a previous poster mentioned, the ACLs/IP Chains/IP Tables list
would become prohibitively large. Routers have only so much RAM and
every ACL has a very small performance hit. However, considering how
many entries you're likely to have, you'd see a rather significant
performance hit (assuming the routers even have enough memory for the
list). The only way you could even try to implement this was blocking
by netblock, but this just increases the effects of problems #1 and #2.
4) Honestly, I agree that ignorant and incompetent sysadmins are a big
problem. There are a lot of them out there. Unfortunately, just as big
of a problem is overworked sysadmins. And if you go auto-blocking IP
space, you've just made their lives a whole lot more difficult which
means they're spending less time fixing their systems.
The internet is not a safe place, and people should take the proper
steps to protect their systems. Unfortunately, you're not going
to see much done other than lipservice. Companies talk the talk, but
aren't willing to spend the $$$ to walk the walk. I've seen it time and
time again, when companies are willing to make compromises in their
security policy "to get things done". And sysadmins are generally very
overworked, so they just don't have the time to keep up to date on every
system even if they know better.
The best solution is to be a good neighbor. That means keep your own
systems patched and implement good security practices like egress
filtering to prevent spoofed packets.
As aturner pointed out, this is a really bad idea. He
mentioned that it would block potential customers. I would generalize
that statement and say you're degrading the power of the Internet to
help people communicate. By blocking innocent end-users, you would break
the point-to-point connectivity of the Internet. This is much worse
than either of the problems you are trying to solve (bad reverse-DNS
records and bad whois contact info). It's also worse than most
security problems. A DDoS is bad, but the long-term lopping off of
large parts of the Internet is worse.
Of course, the idea is that people will protest to their sysadmins, and
their sysadmins will fix things, making the Internet better than
before. I am skeptical that this idea will bear out in practice.
There are plenty of ghettos of bad administration on the Internet:
public schools, developing countries where resources are scarce and
English is not widely understood, free ISPs, et cetera. I don't think
cutting off the neediest people is a good approach.
To be concrete, consider the case of China, where there is relatively
little network admin expertise, but where widely available technology
and free communication would be a great boon. Blackholing most of
China probably won't convince anyone to administer it better. It will
merely help to isolate an already oppressed people.
All that said, I understand your frustration. It sucks to be the one
person who cares about doing things right in a sea of clueless,
apathetic, or even malicious others. As I see it, this is one of the
great problems of life in general. I don't know what to do about it,
except to be virtuous and upstanding yourself and gently try to edify
others.
--Q
PS: I suspect the reason you are getting so little response to this
proposal is that most people find it totally wrongheaded from start to
finish. Rather than tell you so, which seems rude and unlikely to
convince you, they silently dismiss it: "If you don't have anything
nice to say, don't say anything." I've seen this behavior before.
Instead of doing this on the router level, why not do it at the browser
level? Or, actually, have a general library for looking this stuff up.
That way, you could have a Netscape plugin that would flash "This
Network is Run By a TOTAL LUSER!" whenever you hit a given netblock, and
it would have whatever information is available. If it's a library, you
could link that into email, news, maillists, or whatever program someone
wanted to add such information to. In fact, maybe a general "Consumer
Advocate" library is what is needed, that could alert you to all sorts
of things.
warnock's dilemma, posted 20 Nov 2001 at 04:30 UTC by ask (Master)
Heh, nice to get an honest response.
I wonder, however, if the general attitude would be the same with a
real world example: If you saw a male adolescent walking down your
street trying the doors to all the houses and cars, would you
say "Everybody has this problem and there's nothing worth doing about
it" or would you call the police because it might be your house next?
And, yes, a Netscape/Mozilla plugin for this would be fantastic, any
volunteers? :)
MartBrooks wrote:
I wonder, however, if the general attitude would be the
same with a real world example: If you saw a male adolescent walking
down your street trying the doors to all the houses and cars, would you
say "Everybody has this problem and there's nothing worth doing about
it" or would you call the police because it might be your house next?
I think the difference is that calling the police doesn't cause any
inconvenience for innocent people.
I can understand your frustration, though.
Invitation for abuse, posted 20 Nov 2001 at 09:12 UTC by ali (Apprentice)
Undoubtedly, the idea sounds very nice. It has IMHO one major drawback:
Once it's established and running, it's immediately doomed.
Let me point out this scenario: The list exists, is able to block single
IPs, and enough (that's "practically all") networks/ISPs use it. What
would happen?
- First, Microsoft puts securityfocus' IPs on the list, because the
script kiddies can get attack descriptions and scripts from there.
- Then, the French government files a lawsuit, with the result that
France uses a localized list including ebay.com (Nazi memorabilia,
remember?)
- Then, the German government enforces a localized list including the
Nazi propaganda hosts in the US.
- Every script kiddie and cracker in this world will start 24/7 attempts
to put half the world on the list.
Since you don't want that, you'll need some kind of organization to
maintain list entries. I for one would expect that this organization
will be sued by everyone until it gives up. At that point, the list will
contain mostly "political" stuff, so nobody will use it anymore.
Basically you asked for a mechanism to control and censor the whole net
to get rid of script kiddies - that will not work.
P.S.: I used the two Nazi-blocking examples because they were right in
my head. That doesn't mean I like Nazi sites. I'd be very happy if all
those sites and their customers would get dumped into some ocean. Just
to avoid false assumptions - I spoke of principles.
Every networked computer system has potential vulnerabilities. The more
accessible it is, the more it is susceptible to attack. Connecting to a
network such as the Internet makes it potentially accessible to
everyone on the network.
Firewalls
A firewall is a security configuration that includes both hardware and
software to protect a network from inappropriate outside access.
Routing and remote access firewall software acts as a packet filter for
our internal network to keep out unwanted connections. Packet filtering
is a firewall capability that lets you control which packets pass
through your network interfaces, controlling access to a network by
analysing the incoming and outgoing packets.
For a firewall to be effective, all traffic to and from the Internet
must pass through the firewall, where it can be inspected. The firewall
must permit only authorized traffic to pass, and the firewall itself
must be immune to penetration. Unfortunately, a firewall system cannot
offer any protection once an attacker has gotten through or around the
firewall.
It is important to note that an Internet firewall is not just a router,
a bastion host, or a combination of devices that provides security for
a network.
While in theory firewalls allow only authorised communications between
the internal and external networks, new ways are constantly being
developed to compromise these systems.
IP spoofing
IP spoofing is when an attacker masquerades his machine as a host on a
network fooling a target machine that packets are coming from a trusted
machine on the internal network. Most systems encompass packet routing
authentication via a firewall and proxy servers in order to hide
internal IP addresses from external users, thus making it more
difficult for this technique to be used by an intruder attempting to
gain access to the system.
Source Routing Attacks
In a source routing attack, the source station specifies the route that
a packet should take as it crosses the Internet. This type of attack is
designed to bypass security measures and cause the packet to follow an
unexpected path to its destination. Simply discarding all packets that
contain the source route option can defeat a source routing
attack.
Tiny Fragment Attacks
For this type of attack, the intruder uses the IP fragmentation feature
to create extremely small fragments and force the TCP header
information into a separate packet fragment. Tiny fragment attacks are
designed to circumvent user-defined filtering rules; the hacker hopes
that a filtering router will examine only the first fragment and allow
all other fragments to pass. A tiny fragment attack can be defeated by
discarding all packets where the protocol.
"Good people do not need laws to tell them to act responsibly, while
bad people will find a way around the laws."
- Plato
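A packet filter check for the source routing and tiny fragment attacks described above, written as an added example that is not part of this comment or of any firewall product: it parses a raw IPv4 header, drops anything carrying a loose or strict source route option, and drops TCP fragments that match the tiny fragment rule. The exact tiny fragment rule (fragment offset 1, or a first fragment too short to hold a TCP header) is taken from RFC 1858 and is my assumption, since the comment's sentence is cut off; build_ipv4 and the option bytes are constructed sample data.

```python
import struct
IPOPT_LSRR, IPOPT_SSRR, IPPROTO_TCP, MIN_TCP_HDR = 131, 137, 6, 20   # RFC 791 / 793 values

def parse_ipv4(pkt):
    """Pull the fields a packet filter needs out of a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or IHL")
    return {"proto": proto, "mf": bool(flags_frag & 0x2000), "fo": flags_frag & 0x1FFF,
            "options": pkt[20:ihl], "payload": pkt[ihl:]}

def option_types(options):
    """Walk the RFC 791 option list and return the option type codes present."""
    types, i = [], 0
    while i < len(options) and options[i] != 0:      # 0 = End of Option List
        if options[i] == 1:                           # 1 = No Operation, one byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option")      # unparsable options are hostile
        types.append(options[i])
        i += options[i + 1]
    return types

def filter_verdict(pkt):
    """'drop' source-routed packets and tiny TCP fragments, otherwise 'accept'."""
    try:
        h = parse_ipv4(pkt)
        opts = option_types(h["options"])
    except ValueError:
        return "drop"
    if IPOPT_LSRR in opts or IPOPT_SSRR in opts:
        return "drop"                # source routing: the sender dictates the path
    if h["proto"] == IPPROTO_TCP:
        # RFC 1858 rule (an assumption; the page's sentence is cut off): offset 1 overlaps
        # the TCP flags; a short first fragment hides the ports from a filter reading only it.
        if h["fo"] == 1 or (h["fo"] == 0 and h["mf"] and len(h["payload"]) < MIN_TCP_HDR):
            return "drop"
    return "accept"

def build_ipv4(proto, payload, options=b"", mf=False, fo=0):
    """Construct a demo IPv4 packet (constructed test data; checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)         # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload), 0,
                      (0x2000 if mf else 0) | fo, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload
```

A non-first fragment at offset 2 or higher is accepted on purpose: once offset-1 fragments are dropped, an attacker cannot rewrite the TCP flags seen in the first fragment, so only the first fragment needs the length check.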