The MAPS SAL Project
Or, how to encourage people to type “no ip directed”, or to ritually desecrate their Proteons.
Avi Freedman, Net Access
The Problem (1)
• Tens of thousands of networks and subnets allow directed broadcast.
• Thus, pinging to x.y.z.0 or x.y.z.255 can return a few, or tens or hundreds, of responses.
• Combined with forged-source address, it’s trivial to attack someone you don’t like. A dialup line can generate tens or hundreds of megs of smurf.
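A check for the amplifier side of this problem, as an added example that is not part of the original talk: it scans a saved router configuration for interfaces that would still forward directed broadcasts. The sample configuration is constructed, and the `default_enabled` switch is an assumption covering software that forwards directed broadcasts unless told otherwise.

```python
import re

# Constructed sample config (not from the talk); interface names and
# addresses are placeholders.
SAMPLE_CONFIG = """\
interface FastEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1/0
 ip address 198.51.100.1 255.255.255.0
!
interface Ethernet1/1
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
!
interface Serial2/0
 no ip address
 shutdown
!
"""

def audit_directed_broadcast(config, default_enabled=True):
    """Return names of interfaces that will forward directed broadcasts.

    default_enabled is an assumption about the platform: when directed
    broadcasts are forwarded unless disabled, an interface without an
    explicit 'no ip directed-broadcast' line is reported too.
    """
    findings = []
    # Each stanza is an 'interface' line followed by its indented lines.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        lines = [line.strip() for line in body.splitlines()]
        if "shutdown" in lines or "no ip address" in lines:
            continue  # interface carries no IP traffic
        if "no ip directed-broadcast" in lines:
            continue  # explicitly fixed
        explicit = any(l.startswith("ip directed-broadcast") for l in lines)
        if explicit or default_enabled:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(audit_directed_broadcast(SAMPLE_CONFIG))
```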
The Problem (2)
• This has been the case for many years, but it became a big problem once IRC-weenies figured it out.
• Tracking forged-source is very hard and requires (hi, Sean) intense and quick inter-provider cooperation.
• ISPs get smurfed for having certain dialup users, and then get smurfed if they kick off those same users.
The Traditional Solution
• The traditional solution is to use CAR to rate-limit ICMP to given destination(s), on all border interfaces.
  – access 155 permit icmp any any
  – int f0/0/0
  – rate input acc 155 90000 64000 64000 conf tr exc dr
• or
  – access 155 permit icmp any 207.106.4.0 0.0.0.255
  – int f0/0/0
  – rate input acc 155 90000 64000 64000 conf tr exc dr
• sho int rate shows you the progress...
Traditional Solution, ctd.
• Once you staunch the flow of crud, typically you can monitor the flow to see what smurf “amplifiers” are being used, and try to contact these amplifiers.
• Problem - most of the ones out there either have no contact info, or have rejected fixing the problem already.
• Still, some can be educated.
Still, a Problem
• This helps get useful work done if you have lots of excess capacity to peers and upstreams.
• Unless you pay on a usage basis.
• Some upstreams will help, some won’t.
• Some upstreams can’t feasibly do border-CAR; some just want to charge you.
The Ideal Solution
• The ideal solution would be {for everyone} to install filters to prevent forged IP source addresses from ever being generated!!!!!!!
• Big problem - too much load on wimpy VIP2/50s.
• The SAL project addresses this less directly, both for routers and for hosts.
The Plan (1)
• SAL is distributing a black-hole feed of smurf amplifier nets via BGP.
• Nets can be automagically withdrawn by entering their netblock after fixing their smurfiness.
• People can use it as a BGP RBL, or preferably, to generate host or router filters with code SAL will supply.
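One way a router filter could be generated from a list of amplifier netblocks, as an added example that is not the code SAL supplies: it merges the blocks and emits extended ACL lines in the same address/wildcard form as the CAR access-list earlier in the talk. The sample prefixes are constructed; the ACL number 156, the choice to drop all IP traffic sourced from listed nets, and the `min_prefixlen` guard are assumptions.

```python
import ipaddress

# Constructed sample feed (documentation prefixes, not real SAL entries).
SAMPLE_FEED = [
    "192.0.2.0/25",
    "192.0.2.128/25",    # adjacent to the entry above, merges into a /24
    "198.51.100.0/24",
    "198.51.100.64/26",  # already covered by the /24 above
    "203.0.113.16/28",
]

def build_acl(prefixes, acl_number=156, min_prefixlen=16):
    """Turn amplifier netblocks into Cisco extended ACL lines.

    acl_number and min_prefixlen are assumptions for this example. The
    guard refuses very wide blocks so that one bad feed entry (such as
    0.0.0.0/0) cannot filter large parts of the net.
    """
    nets = []
    for p in prefixes:
        # strict=True raises ValueError if host bits are set (malformed entry)
        net = ipaddress.ip_network(p.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"only IPv4 is handled here: {p}")
        if net.prefixlen < min_prefixlen:
            raise ValueError(f"refusing block wider than /{min_prefixlen}: {p}")
        nets.append(net)

    lines = []
    # collapse_addresses merges adjacent and overlapping blocks, keeping
    # the ACL short on routers where every entry costs CPU.
    for net in ipaddress.collapse_addresses(nets):
        lines.append(f"access-list {acl_number} deny ip "
                     f"{net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_FEED)))
```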
The Plan (2)
• The web sites explaining the system will not be behind the SAL BGP feed, so people inside blocked networks can get information and even submit themselves for removal.
• For new smurf amplifiers, attempts will be made to communicate with them and with their upstreams first.
• SAL routes will not be listed publicly.
Our Goal
• The goal is to eliminate smurf amplifiers as a source of difficulty. Single-source UDP or ICMP slams are much easier to track down…
• Short-term, we are seeking to get about 10% of the net using SAL; both web hosters and small and regional ISPs.
How it Works
• We have an online database of smurf amplifiers, with date entered, source, etc…
• That ties into custom BGP code with some of that data represented in communities.
• People participate by eBGP multihop peering with AS XXXX and setting next-hop to loopback. Routes have no-export set.
Operations
• Being run by the fine folks at MAPS.
• Modest fee to the MAPS folks to participate (note: no one will be turned away for monetary reasons.)
• Info requests to [email protected]; user questions to [email protected]; NOC issues to [email protected].
Problems with our Proposal
• Some feel it is too punishing of the smurf amplifiers. Let’s all work towards educating customers, and work with them to fix their configs.
• Major networks can’t adopt it because they serve too many smurf amplifiers. Anyone with a few thousand routes is probably hosting tens of them. We are addressing this by putting advertising ASs into route communities.
Current Status
• An operational site with an operational remove list and an operational feed, but the service is still in alpha, with < 10 sites.
• Still in beta for participation, and are still working on legal documents.
• > 4gb/sec of peak traffic using the service.
• MAPS, with a few individuals as backup, to deal with operational issues.
We’re Looking for...
• Volunteers to assist with communication with smurf amplifiers before they are placed on the black-hole list.
• Sites to use the SAL service, both small and large.
• People to educate their smurf amplifier customers.
We’re Looking for...
• Feedback about smurf amplifiers being used in active smurf attacks.
• Technical and policy feedback.
Resources
• http://maps.vix.com/sal/
• http://www.smurfblock.net/
• http://www.netscan.org/