A modest proposal

Wed Sep 18 04:16:15 UTC 1996

> Currently, anyone can program their computer to repeatedly dial a 
> given business phone line and fill up a company's inbound phone lines,
> making a denial of service attack.  Why isn't the phone system about
> to die because of it?
> 
> The phone company keeps a record of every incoming and outgoing call
> on every line, and performs all sorts of analysis on time of day and
> carrier, and who gets paid for it.  I think that 50% of the cost of
> providing phone service is the accounting and billing.  However, anytime
> one has a problem with obscene callers, war dialers, etc, you call
> the police and bingo, the men in blue are knocking on the door of the
> perpetrator.  The caller could dial from a payphone, etc, but what 
> you've essentially done is make it more dangerous/expensive to conduct
> this activity than what it is worth.   People that do this sort of
> activity are usually cowards, because they're not bold enough to
> park a truck bomb outside the object of their hatred.  Up the ante,
> and they're out of the game.
> 
> I've been following some of the activity on various IP accounting
> schemes and the size of those nifty matrices, but frankly, ISPs need
> to spend the money to make this a reality and keep accounting data
> for at least several days or a week.  
> 
> Now I'm a systems guy rather than a router guy,
> so I'm not going to even propose that this take place in the router
> or somebody will be lecturing me about silicon switched route
> processors or something similar.  I used to do it with ip accounting
> on a cisco and perl scripts to yank the information off.  This is
> still a reasonable approach for small sites.  It seems to me that a 
> good workstation setup for accounting on the segments attached to the 
> interexchange points could do all of this adequately.  You'd need a 
> good freeware software package and preferably a web interface that 
> could be accessed by the right people at the right time.  The web
> interface would take 10 times as long to write as the collection
> software.  Once a few of the large carriers make this a prequisite for
> peering, it would be widespread.

Unfortunately, it's currently harder to do this from a workstation (at
least all that I've seen) than it is from a router.  I've yet to see a
w/s that'll sniff at better than 4-5K pps sustained, and that's not even
accounting for disk I/O and other issues.  If someone knows of a w/s
that can do this at pps rates in excess of 40,000 pps (even better,
100,000 pps so I don't have to search yet again next year), that won't
cost me 4 mortgages, I'd love to hear about it.  The only thing I've
seen that'll do this to date is the oc3mon stuff, and that currently
only works for OC-3 fiber.  I'm not so much interested in actually
deploying such boxes all over the network, but they sure would be nice
to have at hand.

I hate to say it (particularly since it's been said over and over,
recently by Curtis), but I think the best bet for doing this is a hook
in the forwarding code on the routers to capture X bytes of 1:N packets,
aggregate a handful of them in memory, then shove them out a private
interface.  N of 1 would be nice, as would X of a large enough value to
hold IP and TCP headers, IP options, and the link encapsulation (128
makes a nice word-boundary value and is what we used on the NSFNET) but
I could probably live with N of 50 (again what we used in the NSFNET
days, and I traced two SYN floods a few months ago w/ only 1:50 sampling
even though very few packets were sent according to the site; they were
running tcpdump... unfortunately, the folks owning the peer at the
border I tracked it to were unable to help me track it further since
they didn't have access to this kind of data).

Daniel
~~~~~~