Tracking cooperation (Re: Government scrutiny is headed our way)

Sean Donelan SEAN at SDG.DRA.COM
Sun Jun 21 00:41:00 UTC 1998


>Would you and other operators be willing to modify peering agreements 
>to include serious fines for running a smurf amplifier or allowing 
>packets with bogus source addresses to enter the system?

See my previous rant about providers barely honoring existing agreements.
I don't see the point in adding things that are going to be ignored.


>Tracking back bogus source addresses seems hard.  Would fines on 
>smurf amplifiers be good enough to fix the smurf problem?  Or do 
>we need to catch a smurfer to use as an example?

In reality this isn't a problem unique to the Internet industry.  Every
type of carrier (trucking, railroad, telephone, financial etc) has the
same problem of tracking things.  And in every case it is, and I suspect,
always will be a difficult problem anytime the package is transferred
between multiple carriers.  It barely works when everything works
correctly.  Tracing false information is done only when the loss is
greater than the cost of trying to track it down.  Even the financial
industry has found it in their interest to ignore a great number of
things below a certain threshold.  Identity fraud is a good example.
It may cost the individual a great deal of time and effort to track
down someone fraudulently using their identity, but for most financial
institutions it is an immaterial amount.


>Currently, NOCs don't have much financial interest in tracking down 
>a smurfer. 

Yes and no.  The NOCs have a great deal of potential liability, but
in most cases take the gamble nothing will happen if they ignore it.
Think of it as a reverse lottery.  There is a one-in-a-trillion chance
you might have a billion dollar liability, but think of all the one
dollar trouble tickets you saved by doing nothing.


>One possibility might be to offer a reward to the NOC that gets the 
>evidence on the first smurfer to get tossed in jail or fined more 
>than $100K.

Who is going to put up the money?  Even for CALEA the government is
putting up a rather trivial amount of money, relying instead on the
big stick of huge fines for non-compliance.


>Another might be to set up peering contracts that encourage ISPs/NSPs 
>to track down smurfers.

See above.


>I can't quite come up with the right thing to suggest.  Everything 
>I think of has too many possibilities for gaming. 

In other industries the solution has been to require a police report.
Not because the police will do anything, but because filing a false
police report is a felony just about everywhere.  Filing a false
trouble ticket isn't.  The problem is most police won't make a report
unless it is clear a crime has been committed.  Breach of contract is
not a crime, but fraud is.


>Do smurf attacks always happen late at night and on weekends?

Smurfs tend to be highly correlated with activity on IRC.  Peak IRC
activity happens at night and on weekends.  However it should be pointed
out this is just a correlation, not a cause and effect.  I suspect, but
have no proof, that smurf patterns tend to follow your typical criminal
patterns, and happen during peak ISP hours 6pm to 11pm.  Unlike more
typical cracking activities, I don't see the same out-of-phase pattern
of smurfs.


>Would major NSPs be willing to set up a smurf hotline so trusted smart 
>people, like Karl, could bypass the first several layers of screening 
>and get the data to the right person fast? 

What an excellent idea!


-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
  Affiliation given for identification not representation


