Traceability - LINX Best Current Practice
Keith [email protected]
Executive Chairman, London Internet Exchange
UBM Conference, London 8th Sep 1998
Overview
• Background, History, Motivation
• Principles
• IP addresses
• Dial-up users
• Applications
• DNS
LINX Experiences
• LINX is UK national Internet Exchange Point (IXP)
• Represents 55 largest UK/EU ISPs
• 4 “non-core” activities include:
– Content Regulation
– UBM (“spam”) Regulation
LINX & Regulation
• Funding, and policy & management oversight of IWF
• Defines “good practice” (BCP), but only mandatory requirements concern IXP
• Becoming involved in network abuse
– UBM, resource theft
• Traceability BCP has been work in progress for over a year
– 8 authors so far
– nearly finished!
Internet Watch Foundation
• Voluntary funding from large ISPs directly, and small/medium via associations
• Operates hot-line for reporting illegal material - 0845 600 8844
• Working on content rating schemes (INCORE project, ICRA)
• http://www.internetwatch.org.uk
Key IWF Principle
• UK ISPs supporting IWF are not held responsible for illegal content on their systems, provided:
– it was placed there by customers
– they have no prior knowledge of it
– they take appropriate action when they do learn of it
• n.b. This is an informal agreement, not upheld by UK law
Traceability
• Principle of who did what & when on the Internet
• Key element of making individuals responsible for their actions
• Rest of talk outlines contents of LINX “Best Common Practice” draft document for ISP industry
Uses of Traceability
• Finding out sources of:
– Illegal content (e.g. paedophile material)
– Denial of Service attacks
– Unsolicited Bulk Messaging (“spam”)
– Hacking, fraudulent access
Traceability in Practice
• Complete knowledge is 100% possible in theory
• but practice will fall short of this
• BCP document will define how to make practice closer to theory
• Traceability is currently the exception
– ideally the norm
– legitimate anonymity an exception
Traceability Obstacles
• Vendor support
• Passing information between ISPs and carriers, e.g.
– across national borders
– caller id
• Unregistered trial etc. accounts
• 3rd party relaying (e-mail)
IP Addresses
• All Internet activity has to come from some IP address
– Starting point of any tracing exercise
• Need to map from this through:
– domain name system
– one or more ISPs
– authentication system
– PSTN
• to user
IP Address Spoofing
• Need to ensure traffic is coming from where its source address claims - easy to fake
• Most applications require duplex communication, so spoof abuse scope limited:
– Denial of Service attacks
– “Single shot” attacks
– TCP sequence number interpolation
Spoof Prevention
• Static packet filters:
– between backbone and “edge” routers in ISP’s backbone
– performance impact
– hard to scale elsewhere, e.g. between providers
• Dynamic filters:
– per-user per dial-in session
• More info in RFC 2267
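The two filter types on this slide, as an added example that is not code from the LINX BCP or from any router vendor: a static per-interface prefix check (what an edge router applies to a customer port) and a dynamic per-session check (one address per dial-in port for the life of the session), in the spirit of the RFC 2267 ingress filtering the slide points to. Interface names, prefixes, the user name and the sample packets are all constructed.

```python
"""Ingress (anti-spoofing) source-address check in the spirit of RFC 2267.

Added example for this talk, not code from the LINX BCP or from any
router vendor. Interface names, prefixes, user names and the sample
packets are constructed.
"""
import ipaddress

# Static filter: a customer-facing interface on an edge router may only
# source packets from the prefixes routed towards that customer.
STATIC_FILTERS = {
    "edge1:eth1": [ipaddress.ip_network("192.0.2.0/25")],     # constructed customer A
    "edge1:eth2": [ipaddress.ip_network("198.51.100.0/24")],  # constructed customer B
}


class DynamicFilters:
    """Per-user, per-session filter: a dial-in port may only source packets
    from the single address handed to the session at login."""

    def __init__(self):
        self._sessions = {}  # port -> (user name, assigned address)

    def session_start(self, port, user, address):
        self._sessions[port] = (user, ipaddress.ip_address(address))

    def session_stop(self, port):
        self._sessions.pop(port, None)

    def allowed(self, port, src):
        entry = self._sessions.get(port)
        # No live session on the port means nothing may be sourced from it.
        return entry is not None and entry[1] == ipaddress.ip_address(src)


def static_allowed(interface, src):
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in STATIC_FILTERS.get(interface, []))


def filter_packets(packets, dynamic):
    """Split packets into (accepted, dropped); dropped carries (packet, reason)."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src = pkt["ingress"], pkt["src"]
        if iface.startswith("dialin:"):
            ok = dynamic.allowed(iface, src)
        else:
            ok = static_allowed(iface, src)
        if ok:
            accepted.append(pkt)
        else:
            # The reason string is what a later trace relies on: where the
            # forged packet really entered, not what its header claimed.
            dropped.append((pkt, f"src {src} not permitted on {iface}"))
    return accepted, dropped


# Constructed packets as seen at the edge router's ingress.
SAMPLE_PACKETS = [
    {"ingress": "edge1:eth1", "src": "192.0.2.10", "dst": "203.0.113.5"},     # customer A, genuine
    {"ingress": "edge1:eth1", "src": "198.51.100.7", "dst": "203.0.113.5"},   # customer A claiming B's address
    {"ingress": "edge1:eth2", "src": "198.51.100.7", "dst": "203.0.113.5"},   # customer B, genuine
    {"ingress": "dialin:port3", "src": "192.0.2.200", "dst": "203.0.113.5"},  # dial-in session, genuine
    {"ingress": "dialin:port3", "src": "192.0.2.201", "dst": "203.0.113.5"},  # dial-in session, wrong source
    {"ingress": "dialin:port4", "src": "192.0.2.202", "dst": "203.0.113.5"},  # port with no session
]


def demo():
    dynamic = DynamicFilters()
    dynamic.session_start("dialin:port3", "dave", "192.0.2.200")  # constructed session
    return filter_packets(SAMPLE_PACKETS, dynamic)


if __name__ == "__main__":
    accepted, dropped = demo()
    for pkt, reason in dropped:
        print("DROP", pkt["ingress"], reason)
    print(f"{len(accepted)} accepted, {len(dropped)} dropped")
```

The static table is cheap to apply at the customer edge because every interface maps to a handful of prefixes; the same approach does not scale between providers, where a peer can legitimately source traffic from thousands of prefixes, which is the scaling problem the slide mentions. The dynamic filter needs no table at all, only the address the authentication system assigned at login.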
Dial-up Users
• Use of per-session dynamic IP address allocation is efficient
• but makes traceability harder
• User accounts and access numbers common to many dial-in routers
• Need to reliably map from:
– (IP address, time) to (user)
Dial-in Authentication
• RADIUS authentication logs usually have info required, but:
– need time synchronisation (NTP)
– records can be lost (UDP)
– vendor record format variations
• Alternatives include:
– syslog, dynamic DNS, finger/telnet, SNMP
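The (IP address, time) to user mapping from the previous slide, worked through on RADIUS accounting records as this slide describes, as an added example that is not code from the LINX BCP or from any RADIUS server. It shows the two failure modes the slide lists: timestamps from two NASes in different time zones are normalised to UTC before comparison (the NTP point), and a session whose Stop record was lost in transit is treated as open-ended so that a lookup returns every candidate rather than silently picking one. The record layout, NAS addresses, user names, addresses and times are constructed; real vendors' accounting formats differ.

```python
"""Resolve (IP address, time) to a dial-in user from RADIUS accounting records.

Added example for this talk, not code from the LINX BCP or any RADIUS
server. The record layout, NAS addresses, user names, addresses and
timestamps are constructed; real vendors' accounting formats differ.
"""
import re
from datetime import datetime, timezone

# Constructed accounting records from two NASes. NAS 10.0.0.1 stamps
# records in local time (+0100), NAS 10.0.0.2 in UTC. Bob's Stop record
# never arrived (accounting runs over UDP), so his session is open-ended.
RECORDS = """\
Tue Sep  8 09:00:00 1998 +0100 Acct-Status-Type=Start User-Name=alice Framed-IP-Address=192.0.2.50 Acct-Session-Id=A1 NAS-IP-Address=10.0.0.1
Tue Sep  8 09:30:00 1998 +0100 Acct-Status-Type=Stop User-Name=alice Framed-IP-Address=192.0.2.50 Acct-Session-Id=A1 NAS-IP-Address=10.0.0.1
Tue Sep  8 08:40:00 1998 +0000 Acct-Status-Type=Start User-Name=bob Framed-IP-Address=192.0.2.50 Acct-Session-Id=B7 NAS-IP-Address=10.0.0.2
Tue Sep  8 10:00:00 1998 +0100 Acct-Status-Type=Start User-Name=carol Framed-IP-Address=192.0.2.51 Acct-Session-Id=C3 NAS-IP-Address=10.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} [+-]\d{4}) (?P<attrs>.*)$"
)


def parse_records(text):
    """Group Start/Stop records into sessions keyed by (NAS, session id).

    Every timestamp is normalised to UTC: without synchronised clocks and
    explicit offsets, two NASes can disagree about who held an address."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production tool would count and report unparseable lines
        when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y %z").astimezone(timezone.utc)
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
        key = (attrs["NAS-IP-Address"], attrs["Acct-Session-Id"])
        s = sessions.setdefault(key, {"user": attrs["User-Name"],
                                      "ip": attrs["Framed-IP-Address"],
                                      "start": None, "stop": None})
        if attrs["Acct-Status-Type"] == "Start":
            s["start"] = when
        elif attrs["Acct-Status-Type"] == "Stop":
            s["stop"] = when
    return list(sessions.values())


def who_had(sessions, ip, when):
    """All users whose session held `ip` at `when` (tz-aware datetime).

    One name is an answer; none means no session covered that instant;
    more than one means the logs are ambiguous (typically a lost Stop)."""
    when = when.astimezone(timezone.utc)
    hits = []
    for s in sessions:
        if s["ip"] != ip or s["start"] is None:
            continue
        if s["start"] <= when and (s["stop"] is None or when < s["stop"]):
            hits.append(s["user"])
    return hits


def resolve(ip, iso_time, text=RECORDS):
    """Answer an abuse report given as an ISO 8601 time with offset,
    e.g. '1998-09-08T09:10:00+01:00'."""
    return who_had(parse_records(text), ip, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    print(resolve("192.0.2.50", "1998-09-08T09:10:00+01:00"))  # alice
    print(resolve("192.0.2.50", "1998-09-08T09:10:00+00:00"))  # same wall-clock time read as UTC: bob
```

The last two lines show why the slide insists on time synchronisation: the same wall-clock time in a complaint names alice if it is understood as local time and bob if it is taken as UTC. An ISP answering such a request needs the NAS clock, the logging host clock and the complainant's timestamp all on a known offset before the answer means anything.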
Unregistered Users
• e.g.
– free trials
– “pay as you go” services
– public access terminals
• Pose particular traceability problems
• but there are ways to offer these services with safeguards
De-Anonymising Users
• Credit card check
• Voice phone call back
• Fax phone call back
• Avoid shared accounts
• Digital certificates
• Caller Id or CLI
Caller Id (CLI)
• Ideally phone number being used to make modem call passes through PSTN carriers and dial-in router to ISP’s logfiles
• Some issues in practice:
– carriers
– router vendors
– users
Caller Id Issues
• Not all carriers present full CLI
– regulatory intervention needed?
• Not all dial-in routers:
– accept or log CLI
– differentiate withheld vs unavailable
• ISPs who are not carriers get user (possibly modified) CLI rather than network CLI
“Pay as you go” Services
• e.g. BTclick, FreeServe, C&W
• Need to be able to:
– require and log CLI
– block payphone, international, prepaid calls
– maintain frequent abuser phone number blacklist
– identify IP address ranges used for this
E-Mail Traceability
• Very easy to make e-mail untraceable via fake headers
• Default config of many MTAs dumb in this respect
• Some routine precautions can tackle this
• Modern MTAs which are wise to this are available
E-mail MTA Config
• Make sure actual IP addresses are stamped on headers
• Disable 3rd-party relaying!
• Consider using SMAP, Exim MTAs
• Source filter which IP addresses can connect to SMTP port
• DNS verification
– valid?
– forward/reverse match?
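Three of this slide's points in one place, as an added example that is not configuration or code from Exim, SMAP or the LINX BCP: stamping the peer's actual IP address into the Received: header beside whatever name it claimed in HELO, refusing to relay for anyone outside the ISP's own customer ranges, and checking that the connecting address's reverse (PTR) name resolves forward to the same address. Domains, address ranges and the DNS answers are constructed, and the DNS lookups are injected as tables so the example runs offline; a real MTA would query the resolver.

```python
"""MTA-side traceability checks: honest Received: stamping, no third-party
relaying, and forward/reverse DNS verification of the connecting client.

Added example for this talk, not configuration or code from Exim, SMAP or
the LINX BCP. Domains, address ranges and the DNS answers are constructed;
the DNS lookups are injected as tables so the example runs offline.
"""
import ipaddress
from datetime import datetime, timezone

LOCAL_DOMAINS = {"example.net"}                          # constructed: domains we deliver locally
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our dial-in pool, allowed to relay

# Constructed stand-in for the resolver: PTR (reverse) and A (forward) records.
PTR = {
    "192.0.2.10": "dial-10.example.net",
    "203.0.113.9": "mail.example.org",
    "198.51.100.4": "host4.example.com",
}
A = {
    "dial-10.example.net": "192.0.2.10",
    "mail.example.org": "203.0.113.9",
    "host4.example.com": "198.51.100.99",  # forward record disagrees with the PTR
}


def dns_verify(ip, ptr=PTR, a=A):
    """Return (status, name): 'match', 'mismatch' or 'no-ptr'.

    A PTR whose name does not resolve back to the same address is worth
    nothing for tracing; only a forward/reverse match is trusted."""
    name = ptr.get(ip)
    if name is None:
        return "no-ptr", None
    if a.get(name) == ip:
        return "match", name
    return "mismatch", name


def received_header(ip, helo, status, name, now=None):
    """Stamp what we actually saw (the peer IP) next to what the peer claimed (HELO)."""
    now = now or datetime(1998, 9, 8, 12, 0, tzinfo=timezone.utc)  # constructed fixed time
    verified = name if status == "match" else "unknown"
    return (f"Received: from {helo} ({verified} [{ip}]) by mx.example.net; "
            f"{now.strftime('%a, %d %b %Y %H:%M:%S %z')}")


def relay_decision(client_ip, rcpt_to):
    """Accept mail for local domains from anyone; relay elsewhere only for our customers."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept-local"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in CUSTOMER_NETS):
        return "relay-customer"
    return "reject-relay"


def handle_rcpt(client_ip, helo, rcpt_to):
    """One RCPT TO decision plus the header that would be prepended on acceptance."""
    decision = relay_decision(client_ip, rcpt_to)
    status, name = dns_verify(client_ip)
    header = received_header(client_ip, helo, status, name) if decision != "reject-relay" else None
    return decision, status, header


if __name__ == "__main__":
    for ip, helo, rcpt in [
        ("203.0.113.9", "mail.example.org", "user@example.net"),     # inbound to us: accepted
        ("192.0.2.10", "pc", "friend@example.org"),                  # our customer relaying out: accepted
        ("198.51.100.4", "mail.example.net", "victim@example.org"),  # stranger relaying through us: rejected
    ]:
        print(ip, handle_rcpt(ip, helo, rcpt))
```

The header never records the HELO name as verified: the bracketed IP address is the only field the receiving MTA observed itself, and it is the field a later trace starts from. The same customer-range test is what the USENET slide means by restricting posting to customer addresses.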
USENET News Servers
• Always add X-NNTP-Posting-Host: header
• Restrict posting from customer addresses only
• Heavily restrict use of mail2news
– Always add X-Mail2news: header
• Importance of synchronised & verified time/date stamping
Domain Name Servers
• in-addr address to name mapping critical when tracing
• important to ensure server security
• in theory dynamic DNS update could insert user name into reverse lookup for session duration - hard in practice
BCP Status
• Currently in final draft form
• Limited distribution for consultation to interested parties
• Contributions still welcome!
• Full publication end Nov
– via http://www.linx.net
Work to be done
• New Sections:
– Logging
– Inter-provider issues
– IRC & “chat”
• More details on:
– Domain name service
– IP spoofing, filtering
– “pay as you go” services
• Corrections, improvements