
Re: Internet SYN Flooding, spoofing attacks

2000-02-14 04:10:02
    Date:        Mon, 14 Feb 2000 00:37:29 -0500
    From:        "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
    Message-ID:  <200002140537.AAA15795@torque.pothole.com>

  | I think that making egress filtering a BCP, applying community
  | pressure, bringing lawsuits, etc., will be about as effective
  | at eliminating forged source address packets on the Internet as
  | similar measures have been in eliminating open SMTP relays...
  | 
  | They help, but not much.

I'm not sure there is a good analogy there.  There's no good purpose
in sending packets with incorrect source addresses I can think of, and
stopping the practice is the basic intent of the filters.  The only
justification for not doing it is cost - and then it just becomes a
part of the cost/benefit analysis - will it cost us more or less to
implement this?

On the other hand, SMTP relays are not a problem anyone cares about of
themselves - just the contrary in fact, SMTP relaying can be a very useful
function to have available (e.g.: you're travelling with your laptop
and have a bunch of mail waiting to go - you get a connection for a
few minutes between flights, but your normal home relay is unreachable
right now - being able to pick some other friendly relay and simply park
your mail on it can be a real advantage).  The thing to be fixed there
is the unwanted spam that is also using the services of the relay, that
is, it isn't the relay that is really the issue, it is the spam; if all
the spam went away, no-one would care about relays any more (other than now
to regret that whereas previously most sites would be happy to relay mail,
now far fewer are).

Further, it isn't at all clear that preventing relaying will do much,
if anything, to stop spam - certainly blocking receiving mail from relays
will currently cut the amount of spam you receive a lot - but that's
because comparatively few people do that, and so the spammers are content
to ignore them and just continue making use of the relay services that
they can latch onto.  But should everyone stop relaying, does anyone really
believe that all the spammers are simply going to decide that there is
no point continuing, and all just go away?  Really?  Even if it means
that the spammers have to send all their mail directly, they'll do it
as long as the benefit from sending spam (at least appears to) outweighs
the costs.

So, the two issues are really not much alike - in one there's no good
purpose to be served by not blocking outgoing packets with bogus source
addresses, in the other there are lots of philosophical reasons for
not stopping relaying - hence there are some of us quite willing to do one
but not the other.

Spam is a social problem, and needs to be solved by social/legal means,
not technical ones (there is no technical difference between spam and
any other mailing list mail - it all looks the same - the only difference
is whether the recipient wanted to receive it or not.)  But we're
technocrats, all our tools are technical ones, so it is easy to see
how we grasp at any technical solution we think might help - the only
technical solution we've been able to find that seems like it might help
(a passing illusion really).  Unfortunately, the appearance of a technical
solution reduces the pressure on the social/legal types to come up with
a solution that really works - if we all would just admit that technically
there's nothing that can really be done about spam, and simply stopped
trying at all (allow it all through), the user pressure to get this
problem solved some other way would be much, much greater...  On the other
hand, sending packets with an incorrect source address is a technical
problem - those packets don't meet the IP specs - what is supposed to be
in that field is the IP address of the sending node.  This is a problem
entirely open to a technical solution.

kre
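The egress filter the message refers to, written out as an added example (not part of the original post): a border router forwards an outbound packet only if its source address falls inside the site's own prefixes, and anything else is dropped and counted, so a host spoofing sources for a SYN flood is stopped at the edge and shows up in the drop log. The prefixes and the sample traffic are constructed values, not taken from the thread.

```python
import ipaddress
from collections import Counter

# Constructed example: the address space this site legitimately sources
# traffic from. A real filter would load these from the router config.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("2001:db8::/32")]


def egress_allowed(src, prefixes=SITE_PREFIXES):
    """True if an outbound packet may carry this source address.

    A source outside the site's own prefixes cannot belong to a node on
    this network, which is exactly the forged-source case the filter
    exists to stop. Version mismatches (v4 address vs v6 net) are simply
    'not contained', so mixed prefix lists are fine.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=SITE_PREFIXES):
    """Apply the check to (src, dst) pairs; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        bucket = forwarded if egress_allowed(src, prefixes) else dropped
        bucket.append((src, dst))
    return forwarded, dropped


def dropped_sources(dropped):
    """Count forged source addresses seen, for the operator's drop log."""
    return Counter(src for src, _dst in dropped)


# Constructed sample traffic: two legitimate packets and two with sources
# that are not ours, as a spoofing SYN flood from inside would produce.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5"),
    ("203.0.113.7", "198.51.100.5"),    # not in our prefixes: forged
    ("10.0.0.1", "198.51.100.5"),       # private space, not ours: forged
    ("2001:db8::1", "2001:db8:ffff::1"),
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE)
    print(f"forwarded={len(ok)} dropped={len(bad)}")
    for src, n in dropped_sources(bad).items():
        print(f"DROP spoofed source {src} ({n} packet(s))")
```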