[nycbug-talk] U.N. agency eyes curbs on Internet anonymity

Miles Nordin carton at Ivy.NET
Mon Sep 15 15:12:52 EDT 2008 

>>>>> "gr" == George Rosamond <george at ceetonetechnology.com> writes:

    gr> 1.  Is the problem with DDOSs really tied to anonymity?

One thing which makes the problem worse is the possibility of
single-homed ``lowly'' connections putting garbage into the <source
IP> field of their IP packets.  If ISP's prevented this (uRPF), the
<source IP> field might be more useful in filtering DDoS.  But it is
really ``might''---it depends on how the attacks evolve.

uRPF is sort of like DKIM (only more imperfect).  Binding physical
connections to assigned <source IP>'s makes possible other
imagineable-but-far-fetched schemes of stopping DDoS forever (or, more
likely, schemes of keeping your site partially available, maybe
available to Scheme Participants only, during a DDoS).

The schemes don't exist yet, and source IP spoofing might not be
common DDoS tactic now (not sure, haven't been DDoSed in a while).
But many imagineable schemes would fail once attackers noticed the
scheme and started spoofing source IP's again.  uRPF is step 1 in a
lot of imaginary schemes.

right now we have a bit of short-sighted circular logic: 

 1. why bother with uRPF when DDoS works without spoofing?  It won't
    fix anything.  The botnets are just too big to filter by hand.

 2. why bother with this complicated automated DDoS protection scheme
    that could protect unpopular publishers who can't afford
    $TONS_OF_BANDWIDTH when it'll never work without uRPF anyway?

 3. goto 1

 4.  did you notice you were in an endless loop?  Great.  Welcome!
     From now on, act wise and jaded, and just blame the victim.  it's
     easier and cheaper.

No, uRPF doesn't harm anonymity, because it's not possible to receive
traffic at a forged <source IP> anyway.  You can't communicate with
it, just bombard people with traffic from it.  It's already possible
to track down the _recipient_ of a packet, just not the sender, and
people posting anti-government comments on blogs can receive as well
as send.

If these guys are talking about more tracking than we already have for
the <destination IP>, well then I'm completely against it!  It would
be useless and evil.

but what really harms anonymity is AUP's that forbid wireless sharing,
and the nefarious scheme Verizon successfully used for locking down a
bunch of households: they mailed out those free wireless routers with
WEP pre-configured, and instructions making it sound like you were
``supposed'' to install it.  the free AP's must have been a fucking
bargain compared to all the new lines they sold.  but I think wireless
is a practical way for large numbers of casual dissidents to become
anonymous, at least in the US.  some kind of legal liability scheme
squashing this forever would be terrible for free speech.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20080915/2188f612/attachment.bin>

More information about the talk mailing list