KiddieNet - a last line of defence?

Posted 18 Nov 2001 at 17:50 UTC by MartBrooks

Several months ago I wrote an article to highlight the frustration I feel at Network Administrators who ignore, or are ignorant of, people who are using their network resources to commit what are effectively illegal acts.

The article was largely ignored.

Even now, I'm still seeing infected Windows boxes probing the outside of my firewall and so I thought I'd re-post the article here for your consideration.

What's KiddieNet about?

My daytime job is as a Systems Administrator for a small, but moderately busy network. I oversee all the day to day running of the network and maintenance thereof. You name it, if it's to do with running a network, I've probably done it this week. Make sure "Dealing with kiddies" is on the list too.

Kiddies

When I say "kiddie", I'm usually referring to what's better known as a "script kiddie": an amateur cracker wannabe who fires off prepackaged attack programs at usually innocent machines on the Internet in the hope that some unwary Systems Administrator hasn't heard about that particular exploit yet. These are the people I ultimately hope to foil with KiddieNet. KiddieNet will not be aimed directly at the kiddies themselves, rather at the SysAdmins who make it easy to do what is, after all, largely an illegal act. I'm talking, of course, about my colleagues around the world, and ISPs who feel that kiddies are not their problem.

Sorry, ladies and gentlemen, you're just plain wrong. Kiddies are every Internet user's problem.

Scope of the problem

In Internet and corporate terms, the network I run is tiny. Really. One sparsely populated Class C and a small /27, shortly to be merged into the C. As I'm, I hope, pretty security conscious, I run various "honey pot" programs, like portsentry, that do no more than listen on various otherwise unused ports and log any connection attempts that occur.

On one machine, in one day, I logged slightly over 18,000 connection attempts. Kiddies, playing.

My response

Usually, if I see only a few anomalous connections to my servers, I largely ignore it. Every now and then however, (5 times today, in fact), the kiddie isn't just being nosy, he or she is actively trying to break into my network. I don't know about you, but I have a problem with that.

My reaction in these cases is to report the illicit activity to the responsible person for that particular network. It's these people that KiddieNet will be aimed straight at.

Blame the admins?

I am, I hope, a responsible Systems Administrator. As part of the whois and RIPE records for the domains I'm responsible for, I include e-mail addresses that point to real mailboxes that are actually checked on a regular basis. The machines on these networks have DNS that works both ways. This makes other people's lives easier because, as has happened to me in the past, when someone, a kiddie, starts abusing my network facilities for their own goals, the people affected have a surefire route to someone who can fix the problem.

Sadly, for many networks, this is simply not the case.

Time and time again, when I've mailed the alleged network owner or responsible person I've had no response, an autoresponder or simply a bounced mail because the information is outdated, inaccurate or, in three cases so far, downright fraudulent. I find this frustrating in the extreme. This is, I hope, where KiddieNet could help.

The proposal

This is not a new idea. It's used with great effect by ORBS (now sadly deceased), RBL (http://www.mail-abuse.org) and other related sites in dealing with open mail relays and known spammers.

Let us create a central database of known networks where there is no meaningful point of contact, or where the point of contact doesn't care, and then let people, network owners, ISPs, Systems Administrators choose not to accept traffic from them. Sounds reasonable? I think so, and it would be a very easy thing to achieve, but, and this is a very big but, it would never work without YOUR support. This is why I've written this - to beg and plead for help.

What's needed?

In the short term, just to get the project off the ground, it needs bandwidth (lots, expect DoS attacks), hosting, a mailing list, a web designer to make it look pretty, the odd perl coder to help me write the backend and a few brave souls willing to help run the thing. In the longer term, most important of all, I'd need the SysAdmins out there to use the damn thing.

The overall project goals would be:

  • To get every IP on the planet to reverse resolve.
  • To get a valid human point of contact for each subnet.
  • To allow anyone who chooses to block networks that don't comply.

People wishing to use KiddieNet would be given a list of rules for their particular firewall system, ipchains, iptables, Cisco router etc, and by applying these rules, would exclude traffic from the listed networks.

So, am I mad? Is this unreasonable or unfeasible? Or do you have a better idea? Whichever applies, I'd like to hear your view.


Two things, posted 18 Nov 2001 at 21:30 UTC by pphaneuf » (Journeyer)

First, ORBS and RBL have a definite sensibilization advantage where admins and users both get notified of the reason their e-mail didn't go through, making the users furious toward the right person (the admin with the open relay) and thus hopefully having the effect of pressuring the admin into repairing his system. Your system wouldn't have that.

Second, there are probably enough idiots in the world, including many in network administrator roles, that the tables would be HUGE, maybe even to the point of making them unusable or not fitting in a router's memory.

I support the goal of having every IP reverse resolve. I would also strongly support the goal of having valid contact information for each network, but I don't think this is machine-verifiable without getting annoying for the admins.

I do not directly agree with the last goal. Blocking mail coming from open relays (in the cases of ORBS/RBL) is not a goal of the project, it is a means to attain the real goal (have no open relays). In this particular case, as I first said, blocking those networks would not have much effect other than having my own users yelling at me, complaining as to why they can't access this major web site or whatever, instead of making them (or the users of these admins) complain to the faulty admins.

If there is ever an ICMP "destination network admin is an idiot" reply that Netscape will display appropriately, then blocking with that message would be good. :-)

Nice in theory, not in practice, posted 19 Nov 2001 at 07:18 UTC by aturner » (Journeyer)

I see a few problems with this:

1) A lot of attacks (especially scans and DoS) often or easily employ the use of spoofed IP addresses. Hence blocking by source IP is dangerous (ie: I spoof the IP addresses of AOL's proxies and now no AOL users can reach sites using your system. Hence, nobody is going to use this system because everyone wants AOL users to access their site.)

2) Speaking as a security engineer and network admin, there is no freaking way I'd implement a system that automated dropping of packets on my network. Just too easy to be abused - and it's a lot worse than just blocking email - you're talking about a complete block against IP addresses of potential *customers*.

3) As a previous poster mentioned, the ACLs/IP Chains/IP Tables list would become prohibitively large. Routers have only so much RAM and every ACL has a very small performance hit. However, considering how many entries you're likely to have, you'd see a rather significant performance hit (assuming the routers even have enough memory for the list). The only way you could even try to implement this would be blocking by netblock, but this just increases the effects of problems #1 and #2.

4) Honestly, I agree that ignorant and incompetent sysadmins are a big problem. There are a lot of them out there. Unfortunately, just as big of a problem is overworked sysadmins. And if you go auto-blocking IP space, you've just made their lives a whole lot more difficult, which means they're spending less time fixing their systems.

The internet is not a safe place, and people should take the proper steps to protect their systems. Unfortunately, you're not going to see much done other than lip service. Companies talk the talk, but aren't willing to spend the $$$ to walk the walk. I've seen it time and time again, when companies are willing to make compromises in their security policy "to get things done". And sysadmins are generally very overworked, so they just don't have the time to keep up to date on every system even if they know better.

The best solution is to be a good neighbor. That means keep your own systems patched and implement good security practices like egress filtering to prevent spoofed packets.

Don't break the Internet to save it., posted 20 Nov 2001 at 01:26 UTC by Qbert » (Journeyer)

As aturner pointed out, this is a really bad idea. He mentioned that it would block potential customers. I would generalize that statement and say you're degrading the power of the Internet to help people communicate. By blocking innocent end-users, you would break the point-to-point connectivity of the Internet. This is much worse than either of the problems you are trying to solve (bad reverse-DNS records and bad whois contact info). It's also worse than most security problems. A DDoS is bad, but the long-term lopping off of large parts of the Internet is worse.

Of course, the idea is that people will protest to their sysadmins, and their sysadmins will fix things, making the Internet better than before. I am skeptical that this idea will bear out in practice. There are plenty of ghettos of bad administration on the Internet: public schools, developing countries where resources are scarce and English is not widely understood, free ISPs, et cetera. I don't think cutting off the neediest people is a good approach.

To be concrete, consider the case of China, where there is relatively little network admin expertise, but where widely available technology and free communication would be a great boon. Blackholing most of China probably won't convince anyone to administer it better. It will merely help to isolate an already oppressed people.

All that said, I understand your frustration. It sucks to be the one person who cares about doing things right in a sea of clueless, apathetic, or even malicious others. As I see it, this is one of the great problems of life in general. I don't know what to do about it, except to be virtuous and upstanding yourself and gently try to edify others.
--Q

PS: I suspect the reason you are getting so little response to this proposal is that most people find it totally wrongheaded from start to finish. Rather than tell you so, which seems rude and unlikely to convince you, they silently dismiss it: "If you don't have anything nice to say, don't say anything." I've seen this behavior before.

An Excellent addition to Netscape, posted 20 Nov 2001 at 02:44 UTC by johnnyb » (Journeyer)

Instead of doing this on the router level, why not do it at the browser level? Or, actually, have a general library for looking this stuff up. That way, you could have a Netscape plugin that would flash "This Network is Run By a TOTAL LUSER!" whenever you hit a given netblock, and it would have whatever information is available. If it's a library, you could link that into email, news, maillists, or whatever program someone wanted to add such information to. In fact, maybe a general "Consumer Advocate" library is what is needed, that could alert you to all sorts of things.

warnock's dilemma, posted 20 Nov 2001 at 04:30 UTC by ask » (Master)

qbert, it's called Warnock's Dilemma. :-)

Well that told me..., posted 20 Nov 2001 at 06:47 UTC by MartBrooks » (Journeyer)

Heh, nice to get honest response.

I wonder, however, if the general attitude would be the same with a real world example: If you saw a male adolescent walking down your street trying the doors to all the houses and cars, would you say "Everybody has this problem and there's nothing worth doing about it" or would you call the police because it might be your house next?

And, yes, a netscape/Mozilla plugin for this would be fantastic, any volunteers? :)

Re: Well that told me..., posted 20 Nov 2001 at 09:03 UTC by steved » (Journeyer)

MartBrooks wrote:

I wonder, however, if the general attitude would be the same with a real world example: If you saw a male adolescent walking down your street trying the doors to all the houses and cars, would you say "Everybody has this problem and there's nothing worth doing about it" or would you call the police because it might be your house next?

I think the difference is that calling the police doesn't cause any inconvenience for innocent people.

I can understand your frustration, though.

Invitation for abuse, posted 20 Nov 2001 at 09:12 UTC by ali » (Apprentice)

Undoubtedly, the idea sounds very nice. It has IMHO one major drawback: Once it's established and running, it's immediately doomed.

Let me point out this scenario: The list exists, is able to block single IPs, and enough (that's "practically all") networks/ISPs use it. What would happen?

  • First, Microsoft puts securityfocus' IPs on the list, because the script kiddies can get attack descriptions and scripts from there.
  • Then, the French government files a lawsuit, with the result that France uses a localized list including ebay.com (Nazi memorabilia, remember?)
  • Then, the German government enforces a localized list including the Nazi propaganda hosts in the US.
  • Every script kiddy and cracker in this world will start 24/7-attempts to put half the world on the list.

Since you don't want that, you'll need some kind of organization to maintain list entries. I for one would expect that this organization will be sued by everyone until it gives up. At that point, the list will contain mostly "political" stuff, so nobody will use it anymore.

Basically you asked for a mechanism to control and censor the whole net to get rid of script kiddies - that will not work.

P.S.: I used the two Nazi-blocking examples because they were right in my head. That doesn't mean I like Nazi sites. I'd be very happy if all those sites and their customers would get dumped into some ocean. Just to avoid false assumptions - I spoke of principles.

Just to explain a few key terms., posted 26 Nov 2001 at 12:24 UTC by Gregory » (Apprentice)

Every networked computer system has potential vulnerabilities. The more accessible it is, the more it is susceptible to attack. Connecting to a network such as the Internet makes it potentially accessible to everyone on the network.


Firewalls

A firewall is a security configuration that includes both hardware and software to protect a network from inappropriate outside access. Routing and remote access firewall software acts as a packet filter for our internal network to keep out unwanted connections. Packet filtering is a firewall capability that lets you control which packets pass through your network interfaces, controlling access to a network by analysing the incoming and outgoing packets.

For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected. The firewall must permit only authorized traffic to pass, and the firewall itself must be immune to penetration. Unfortunately, a firewall system cannot offer any protection once an attacker has gotten through or around the firewall.

It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network.

While in theory firewalls allow only authorised communications between the internal and external networks, new ways are constantly being developed to compromise these systems.


IP spoofing

IP spoofing is when an attacker masquerades his machine as a host on a network fooling a target machine that packets are coming from a trusted machine on the internal network. Most systems encompass packet routing authentication via a firewall and proxy servers in order to hide internal IP addresses from external users, thus making it more difficult for this technique to be used by an intruder attempting to gain access to the system.

Source Routing Attacks

In a source routing attack, the source station specifies the route that a packet should take as it crosses the Internet. This type of attack is designed to bypass security measures and cause the packet to follow an unexpected path to its destination. Simply discarding all packets that contain the source route option can defeat a source routing attack.

Tiny Fragment Attacks

For this type of attack, the intruder uses the IP fragmentation feature to create extremely small fragments and force the TCP header information into a separate packet fragment. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol.



"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." - Plato
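The two defences Gregory names (discard anything carrying a source route option, discard TCP fragments too small or too oddly placed to be filtered) as a minimal packet-filter check in Python; this is an added example, not code from the post or from any firewall product. The fragment rules follow RFC 1858, the TMIN floor of 16 octets is my choice, and the packets are constructed samples using documentation addresses.

```python
import struct

IPPROTO_TCP = 6
OPT_LSRR, OPT_SSRR = 131, 137  # loose / strict source route option types (RFC 791)
TMIN = 16  # octets of TCP header a first fragment must carry (chosen floor, covers ports..flags)

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and its options; reject anything malformed."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, _, _, flags_fo, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return {"proto": proto, "frag_offset": flags_fo & 0x1FFF,  # offset in 8-octet units
            "options": pkt[20:ihl], "transport_len": len(pkt) - ihl}

def option_types(options: bytes):
    """Walk the IPv4 option list (type/length/value) and yield each option type."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:               # End of Option List
            return
        yield kind
        if kind == 1:               # No Operation is a single octet
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed option")
        i += options[i + 1]

def filter_verdict(pkt: bytes) -> str:
    """Apply the two rules from the post: no source routing, no tiny TCP fragments."""
    hdr = parse_ipv4(pkt)
    if any(k in (OPT_LSRR, OPT_SSRR) for k in option_types(hdr["options"])):
        return "DROP source-routed"
    if hdr["proto"] == IPPROTO_TCP:
        # RFC 1858: drop a first fragment too short to hold the TCP flags, and
        # drop a fragment at offset 1 that could overwrite them on reassembly.
        if hdr["frag_offset"] == 0 and hdr["transport_len"] < TMIN:
            return "DROP tiny first fragment"
        if hdr["frag_offset"] == 1:
            return "DROP overlapping fragment"
    return "ACCEPT"

def build_ipv4(proto, payload, frag_offset=0, more_frags=False, options=b""):
    """Construct a sample packet (checksum left zero; 192.0.2.x/198.51.100.x are documentation ranges)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    flags_fo = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options) + len(payload), 0, flags_fo, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload
```

Note that later fragments (offset 2 and beyond) still pass, which is why the offset-1 rule matters: without it an attacker's second fragment could rewrite the flags the filter already approved.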
