Home page logo

nanog logo nanog mailing list archives

Re: Reporting Little Blue Men
From: "Jordyn A. Buchanan" <jordyn () bestweb net>
Date: Tue, 20 Jan 1998 19:55:04 -0500

At 7:03 PM -0500 1/20/98, Dean Anderson wrote:

You report them to the FBI. See "Firewalls and Internet Security" by
Cheswick and Bellovin, and "Unix System Security" by Curry.

Does that help?  Yes and no.  There are several laws being violated, but
the FBI basically isn't getting involved in the spam wars.  The first
violators were the anti-spammers who put in the blocking. The second
violators were the spammers who use relaying to get around that.
Anti-spammers are illegally intercepting (blocking) electronic
communications, and reading email, and the spammers are illegally exceeding
their authorization to access computers.  The anti-spammers are illegally
preventing access to computers and networks engaged in interstate commerce.
Anti-spammers illegally exceed their authority to cancel usenet messages.
Spammers try to post messages faster than they can be canceled.
Electronic packet wars with each side trying to out-send the other.

I'm not sure what the issue of spammers vs. anti-spammers has to do with
the general case of smurf attacks.  While I'm sure that some subset of the
smurf attacks that take place may have something to do with this
"conflict", there's no reason to believe that smurf attacks generally have
anything to do with spam-blocks or spam relays.

But you should note that both authors also indicate that (from Cheswick and
Bellovin, page 205): "Computing and electronic communications service
providers are more limited in their right to monitor user activity. Just as
the phone company personnel may not, in general, listen to your calls,
employees of a public electronic mail service may not read your messages,
whether in transit or stored." There will be more detailed information in
our spam policy.

None of the commentary regarding spam blocks being an illegal
"interception" of electronic communication is borne out by recent case law.
Both AOL and CompuServe have won cases that essentialy bear out their right
to block e-mail from certain sources at their discretion.  There are a wide
variet of legal arguments that could be made here, but the current state of
the law seems to bear no resemblance to the picture that Mr. Anderson is
trying to paint above.

Back to the original question posed by Eric Wieling:

Is there any point in trying to report these attacks?  Who would we
report them to?  We don't know what the source is, after all the
address is spoofed.  It seems kind of pointless to notify the victim
-- they already know they have been smurfed.

As others have pointed out, identifying the interface the packets are
coming in from would allow you to start the tracing process.  (Okay,
blatant generalizing now.  I realize there are exceptions...)  However,
based on my experience with the providers we buy transit from, I have a
feeling you wouldn't get much of a response from most of the people you get
on the phone.  There doesn't seem to be much incentive for a NOC to track a
smurf attack that is simply passing through their network, and NOC security
teams seem generally unwilling to spend time on issues that aren't
affecting them.


|Jordyn A. Buchanan                    mailto:jordyn () bestweb net |
|Bestweb Corporation                      http://www.bestweb.net |
|Senior System Administrator                     +1.914.271.4500 |

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]