The Smurf Relay List
The Jerky.Net smurf relay list has been closed. Below is a rant
explaining why it was closed and why the net is so screwed up. If you
want to support the effort to stamp out smurf relays and irresponsible net
admins, please contact me. If you're
interested in my automated reporting program, let me know and I'll fix
it up a bit and send you a copy.
PATCH YOUR ROUTER
Huge Relay List
Hello Everyone
The Jerky.Net smurf relay list was closed on Friday July 31st. The
original document contained a list of networks susceptible to the "smurf"
and "fraggle" broadcast amplification attacks. On the 31st I received a
phone call from a very large national Internet Service Provider. I'm not
going to disclose the company's name for fear that their money may be able
to persuade a judge that I am guilty of their allegations. The company
alleged that my posting of vulnerable network blocks was causing the
networks to get attacked.
The Jerky.Net smurf relay list was created to serve as a tool in network
denial of service attack prevention. I created a simple tool that would
sniff my local network for suspected attacks. Once an attack started it
would then log all the netblocks used. Then, using the "whois" tool and the
ARIN network number assignment database, it would find the appropriate
contact for the network involved and email them a form letter describing
the problem and asking them to fix it. Then the network would be added to
the smurf relay list. Upon notification that the problem was fixed the
network would be removed from the list. The network numbers that appeared
on this list were in no way discovered by "probes" or anonymous tips.
They were all part of attacks on the Jerky.Net network and services.
Simply enough, if the attacks didn't occur you wouldn't be on the list.
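An added example (not the Jerky.Net program described above) of the sniff-and-log step: it picks out ICMP echo replies that no local host asked for and rolls the reflecting hosts up into /24 netblocks, the unit the whois lookup and form letter would then act on. The local prefix, the packet log format and the sample capture are constructed for this example.

```python
"""Flag smurf/fraggle-style amplification in a packet log and roll the
reflecting hosts up into /24 netblocks.  Added example, not the Jerky.Net tool."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("203.0.113.0/24")  # assumed: the network being defended

# Constructed capture, one packet per line: "<epoch> <src> <dst> <proto> <type>"
# (ICMP type 8 = echo request, 0 = echo reply).  Two remote /24s flood echo
# replies at 203.0.113.10, which never asked; the last two packets are benign.
SAMPLE_LOG = """\
900000001 192.0.2.1 203.0.113.10 icmp 0
900000001 192.0.2.17 203.0.113.10 icmp 0
900000001 198.51.100.5 203.0.113.10 icmp 0
900000001 198.51.100.200 203.0.113.10 icmp 0
900000002 192.0.2.99 203.0.113.10 icmp 0
900000002 203.0.113.20 192.0.2.1 icmp 8
900000002 203.0.113.20 198.51.100.5 tcp -
"""

def parse_log(text):
    """One (ts, src, dst, proto, type) tuple per line."""
    pkts = []
    for line in text.splitlines():
        ts, src, dst, proto, ptype = line.split()
        pkts.append((int(ts), ip_address(src), ip_address(dst), proto, ptype))
    return pkts

def unsolicited_replies(pkts):
    """Echo replies into LOCAL_NET that no local host asked for, as (victim,
    reflector) pairs: solicited means that host sent a request to that address."""
    requested, hits = set(), []
    for _ts, src, dst, proto, ptype in pkts:
        if proto != "icmp":
            continue
        if ptype == "8" and src in LOCAL_NET:
            requested.add((src, dst))
        elif ptype == "0" and dst in LOCAL_NET and (dst, src) not in requested:
            hits.append((dst, src))
    return hits

def relay_netblocks(pkts, min_blocks=2):
    """{victim: {"a.b.c.0/24": count}} for victims hit from >= min_blocks /24s."""
    per_victim = defaultdict(lambda: defaultdict(int))
    for victim, reflector in unsolicited_replies(pkts):
        block = ip_network(f"{reflector}/24", strict=False)
        per_victim[str(victim)][str(block)] += 1
    return {v: dict(b) for v, b in per_victim.items() if len(b) >= min_blocks}
```

The min_blocks threshold is what separates an amplification attack from a single stray reply; the returned netblocks are the ones the whois lookup would then resolve to a contact.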
On the whole the responses to my emails were good. I succeeded in
getting about 500 relay sites to fix their routers or at least look into
the problem. However, the response wasn't nearly what I expected. Of the
people who responded, about 50% said something like "oops, we missed a
router... it's now fixed". They then asked me to verify the fix, which I
happily did for no monetary compensation. The other 50% sent back abusive
emails warning me that such probes are illegal and that I was attacking
their network. Keep in mind that all these addresses were found after
they were used in attacks on my network. There was never any probing or
any attacks sourced from my network. Since my goal is to stop the attacks
I even responded to the abuse email with quotes from CERT advisories and
the like. I was even informed by one gentleman that I was being flamed
on the NANOG mailing list. I think it's too funny that the people sending
the flame emails are the ones running the screwed up networks.
The exchange of letters related to this really drove home the problems on
the Internet. Rather than thanking me for alerting them to a problem, I
was being bombarded with threatening emails with bodies as simple as "fuck
you" all the way up to potential legal action notices. As a network
administrator I have always prided myself on having a full range of
knowledge of almost all network attack methods and symptoms. Since my
network knowledge was all self-taught, I expected the same degree of
knowledge from more formally educated net admins. Needless to say I was
very mistaken in my assumption. Not only are there poor admins out on the
net, but they are operating large network facilities. Some of the
people I contacted were senior net admins, with more than a decade of
experience, at large government research labs. To put this in focus, the
one alerting them to the problems is me, basically a 22-year-old self-taught
UNIX guru. I can understand that someone might not know all the
tricks out on the net, but to be so arrogant that you send back an abusive
email without even reviewing your router configs is completely
irresponsible and unprofessional.
Rather than focus on broadcast attacks I want to take a step back and look
at the entire Internet. The attitudes that I saw in my correspondences
are evidence of a huge problem on the net. Currently net/unix admins are
in huge demand as the Internet continues to grow. As a result,
positions are being filled with less than qualified people, or people with
such dated knowledge they think an old PC XT is cutting edge. Since many
of these people are poorly trained and lack good network skills, they
identify the wrong activity as abusive while truly abusive behavior goes
untraced and unpunished. As an example, if I report a case of network
denial of service to my upstream the best I can get done is a temporary
filter. It's like pulling teeth to get them to start a router trace to
find the original spoofed source. Now let's say one of my users happens to
send out some SPAM. Typically I notice this right away and axe the
account. However, my upstream receives one SPAM abuse email and you would
think the world was coming to an end. Keep in mind that denial of service
attacks are in all ways a felony where SPAM isn't even illegal (except in
Washington). So why exactly is it that an activity that isn't even
clearly illegal gets more attention than something that is screaming
illegal?
A secondary problem of the poor training of most network admins is
paranoia. Unlike most admins I don't care if someone scans my network.
They can scan it up, down, left, right until hell freezes over. You see
I'm confident in my skills as an admin to fend off attacks. The new
attitude among net admins is that even a single packet probe is wrong and
should be treated as hostile activity. In some respects I agree. The
person is scanning the network looking for flaws. However, rather than
get all worked up about the scan maybe you should look to see if all your
machines are locked down and secure against the attack the person is
scanning for. Even more alarming is when I, by chance, notice a problem
on someone's network, and rather than getting praised for alerting them to
the problem I get chastised and threatened with legal action. Maybe I'm
being too helpful, maybe I should just let people run insecure networks.
Like it or not a problem with someone else's network will usually have a
major effect on another person's network. I realise that no network is
secure, and I do from time to time find hacked user accounts on some of my
boxes. Rather than freak out and rm -r the directory I try to talk to the
hacker. It's something all of you should try. If you understand your
"enemy" then you will be better able to deal with them. Also, take the
time to look at the tools they use and the methods employed. This
strategy is similar to the one documented in the paper "An evening with
Buford" (if I remember right). Essentially the author caught an attacker
and rather than remove him, he set a trap. He set up a secure virtual
system which allowed him to watch and follow the attacker while keeping
the attacker isolated from the rest of the system.
I know there are other netadmins out there who think I'm crazy and will
call me unprofessional. They look at my web pages and see the bartending
guides and the word "fuck" on my pages. Rather than judge my skill by the
language I use or the beverages I drink perhaps you should actually listen
to the statement I'm trying to make. Like it or not the broadcast
amplification attacks affect much more than my network. They congest and
suck up bandwidth along the entire route of the attack and generally
degrade the performance of the net.