Spam propagation

Hi,

I am currently receiving around 180 UDP spam packets per day coming from 24.64.x.x sending to ports 1026 - 1028. This has been going on for over 1 month now. When I contacted Shaw Communications, Canada about them their response was that the packets were most likely spoofed and then ignored them.

This got me thinking about how spoofed packets are propagated.

I would expect that packets with a sending address in the 24.64.x.x range could only enter the network via one of the Shaw servers. An attempt to insert the packet elsewhere should result in the sending address not meeting the IP address range for that ISP and being rejected.

If the sending address was from within the ISP's IP address range, then if the ISP then checked the sending address on the packet against a list of registered users and rejected all packets that weren't in the list, the amount of spam would be reduced markedly.

If the sending address matched an address in the list then if the ISP also checked that the session password matched the one on the list for that ISP there would be a further reduction.

As the packets move along the path to the recipient there should be checks that the packet is being delivered by the appropriate upstream ISP, or ISPs, with the correct password otherwise the packet should be rejected and a bounce message sent to the sender.

Does this make sense?

I don't expect that this is how things work as it would require the ISPs to carry out a considerable amount of processing when handling the packets and I doubt that they would want to do that.

JC
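What the first post describes (the ISP refusing packets whose source address does not belong to the network they enter from) is essentially source-address validation at the customer-facing edge, which a later reply points to as RFC 2827. The following is an added example, not code from the thread or from any ISP: a small model of that edge check. The interface names, the mapping of interfaces to prefixes, and the sample packets are constructed for illustration; only the 24.64.0.0/16 prefix comes from the thread.

```python
"""
Added example: a minimal model of RFC 2827 (BCP 38) ingress filtering at
an ISP's customer-facing edge. Nothing here is from the thread except the
24.64.x.x prefix; interfaces, other prefixes and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed table: which source prefixes legitimately sit behind each
# customer-facing interface of an imaginary edge router. Only the edge can
# know this; a transit router in the middle sees traffic from everywhere and
# cannot tell a spoofed 24.64.x.x source from a genuine one.
EDGE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("24.64.0.0/16")],      # prefix from the thread
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],   # RFC 5737 documentation range
}


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # interface the packet arrived on
    src: str             # claimed source address
    dst: str
    proto: str
    dport: int


def ingress_allowed(pkt: Packet) -> bool:
    """Strict ingress filtering: accept a packet at a customer port only if
    its source address lies inside a prefix assigned to that port."""
    prefixes = EDGE_PREFIXES.get(pkt.ingress_iface)
    if prefixes is None:
        return False  # unknown interface: fail closed
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in prefixes)


def filter_packets(packets):
    """Split a batch into (accepted, dropped) according to ingress_allowed."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if ingress_allowed(pkt) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample: one genuine customer packet, one packet spoofing the
# same source but arriving on the wrong port, one legitimate DNS query, and
# one packet from an interface the table does not know.
SAMPLE = [
    Packet("cust-a", "24.64.10.20", "203.0.113.7", "udp", 1026),
    Packet("cust-b", "24.64.10.20", "203.0.113.7", "udp", 1026),
    Packet("cust-b", "198.51.100.9", "203.0.113.7", "udp", 53),
    Packet("unknown", "10.0.0.1", "203.0.113.7", "udp", 1027),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p in ok:
        print("ACCEPT", p.ingress_iface, p.src)
    for p in bad:
        print("DROP  ", p.ingress_iface, p.src)
```

The point of the model is where the check lives: the table is only meaningful on the interface that faces a known customer, which is why the filtering is a per-ISP edge practice rather than something every router on the path can do. RFC 3704 extends the idea to multihomed customers, where the strict one-prefix-per-interface table above is too simple.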

What exactly are "UDP spam packets" supposed to be? And why are you concerned about 180 packets per freakin' DAY in the first place?

[...]

Why?

Why?

Which RFC would require a router to check the source address of a packet before passing it on?

No.

Did you ever take a closer look at a (fishing) net? Did it look like a tree to you? Well, the Internet has been named "Internet" instead of "Intertree" for a reason.

Well, that's a relief. Because they don't.

"Considerable amount" as in "would kill any router existing".

cu

59cobalt
Ansgar -59cobalt- Wiechers

It's called messenger spam. It is a result of microsoft inventing a service that UNIX had abandoned several years earlier due to abuse.

Likely - look at the TTL field in the headers, as well as the source port number.

UDP does not require a response. It can be a "one-way" protocol.

You seem to think the ISP where these packets originate actually cares. You are wrong.

[snip remainder of uninformed guesses]

No.

  1. Fix your windoze box to ignore messenger service. Instructions to do this have been available from microsoft for at least 5 years.

  2. At your "firewall" (what-ever that may be) drop ALL incoming UDP destined to ports 1025 - 1030. (The only legitimate services using UDP are DNS [Internet name service] and NTP [Network Time Service], and these should only be getting _replies_ to specific packets you have sent out to well known IP addresses.) DO NOT SET YOUR FIREWALL TO REJECT - SET IT TO "IGNORE" OR "DROP" to avoid wasting further bandwidth by sending rejects to the spoofed source address.

  3. Scream at your own ISP, about the wasted bandwidth. A mere 180 packets a day per IP address (last time I bothered to look at home, I was seeing well over 1000 such packets a day) is only about 40 kb per address. Whether your ISP has enough addresses to where that amount of waste is important is for them to decide.

For further thoughts, read RFC2827 (and the related RFC3704) which you can find using your favorite search engine.

Old guy

Moe Trin
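The firewall advice in the reply above amounts to a stateful UDP policy: silently drop unsolicited inbound UDP to 1025 - 1030, and let inbound UDP through only when it answers a request this host sent (DNS or NTP). The following is an added example, not code from the thread: a small model of that policy, with the reply-tracking window, the reason DROP is preferred over REJECT, and the byte count needed for the bandwidth argument. The addresses, packet sizes, timestamps and the 30-second reply window are constructed assumptions.

```python
"""
Added example: a stateful filter for unsolicited inbound UDP, modelled on
the "drop 1025-1030, allow only replies to our own DNS/NTP requests" advice.
All packets, addresses and the reply window are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

MESSENGER_PORTS = range(1025, 1031)   # 1025-1030 inclusive, as in the advice
REPLY_WINDOW = 30.0                   # seconds a request stays open (assumed value)


@dataclass(frozen=True)
class UdpPacket:
    ts: float        # seconds since an arbitrary epoch
    src: str
    sport: int
    dst: str
    dport: int
    length: int      # IP total length in bytes
    inbound: bool    # True if arriving from the Internet


class StatefulUdpFilter:
    """Tracks outbound UDP requests so that only matching replies are let in.
    Simplification: one reply is accepted per request, then the slot closes."""

    def __init__(self):
        # (local_ip, local_port, remote_ip, remote_port) -> expiry timestamp
        self.pending = {}
        self.stats = Counter()

    def handle(self, pkt: UdpPacket) -> str:
        if not pkt.inbound:
            # Remember the request so exactly one reply to it can come back.
            self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts + REPLY_WINDOW
            self.stats["out"] += 1
            return "ACCEPT"

        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed tuple
        expiry = self.pending.get(key)
        if expiry is not None and pkt.ts <= expiry:
            del self.pending[key]
            self.stats["reply"] += 1
            return "ACCEPT"

        if pkt.dport in MESSENGER_PORTS:
            self.stats["drop_messenger"] += 1
            self.stats["drop_bytes"] += pkt.length   # what the spam costs you inbound
        else:
            self.stats["drop_other"] += 1
        # DROP, never REJECT: an ICMP error would be sent to the spoofed source,
        # spending more of your bandwidth on a host that never sent anything.
        return "DROP"


# Constructed traffic: a DNS query and its reply, two messenger-style spam
# packets from the prefix named in the thread, a duplicate reply, and an NTP
# reply that arrives after the window has closed.
SAMPLE = [
    UdpPacket(0.00, "192.0.2.10", 40000, "203.0.113.53", 53, 60, inbound=False),
    UdpPacket(0.05, "203.0.113.53", 53, "192.0.2.10", 40000, 120, inbound=True),
    UdpPacket(1.00, "24.64.5.6", 1035, "192.0.2.10", 1026, 230, inbound=True),
    UdpPacket(2.00, "24.64.7.8", 1040, "192.0.2.10", 1028, 250, inbound=True),
    UdpPacket(3.00, "203.0.113.53", 53, "192.0.2.10", 40000, 120, inbound=True),
    UdpPacket(10.0, "192.0.2.10", 123, "203.0.113.123", 123, 76, inbound=False),
    UdpPacket(50.0, "203.0.113.123", 123, "192.0.2.10", 123, 76, inbound=True),
]


def run_sample():
    """Apply the policy to SAMPLE; return (decisions, stats)."""
    fw = StatefulUdpFilter()
    decisions = [fw.handle(p) for p in SAMPLE]
    return decisions, fw.stats


def daily_waste_bytes(dropped_packets_per_day: int, avg_length: int) -> int:
    """Inbound bytes thrown away per day for a given spam rate and packet size."""
    return dropped_packets_per_day * avg_length


if __name__ == "__main__":
    decisions, stats = run_sample()
    for pkt, verdict in zip(SAMPLE, decisions):
        print(f"{verdict:6} {'in ' if pkt.inbound else 'out'} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print(dict(stats))
```

The late NTP reply and the duplicate DNS reply both fall through to DROP, which is the behaviour you want from a filter that admits replies only; a production firewall keeps the slot open for a short window rather than closing it on the first reply, but the shape of the decision is the same. The `drop_bytes` counter is what you would scale up to argue the bandwidth point with an ISP.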

I gather from 59cobalt and Moe that the internet does not operate as outlined below. From memory, that is how the old BBS system worked and it didn't suffer from spam as much as the internet does.

I understand that the internet is arranged as a net to cover for node failures. That model was developed in the cold war era so that the net would possibly survive a nuclear strike or war. That situation does not apply today and maybe we should re-think the model.

Perhaps the internet system should be changed to the model outlined below or something similar. That way the spam would effectively cease to be an issue as the offending ISP could be told to fix the problem or be cut off from the internet until it is fixed.

I have a hardware firewall that is dropping over 300 unsolicited packets each day. The 180 that I mentioned are only those coming from Shaw's 24.64.x.x IP address range. Only 1 year ago the total number being dropped was around 100.

Because they are dropped by the firewall I am not affected by the spam pop-ups etc but the net surely is and elimination of the spam would help the net function better than it does now.

JC

JC

"the old BBS system" meaning... If you are referring to FIDO, where stuff was transferred amongst BBSs by dialup, you are comparing a (more-or-less) manual system to today's very much automated system. The BBS operator was much more likely to see what was in the messages he was sharing. However that also took a LOT more time to propagate from one end of the country to another, never mind around the world. Also, the systems were much smaller. A directory listing of a then popular NASA BBS site (from July 1991) had 2882 files totalling 120.42 Megabytes. A current listing of the files in /pub/linux/ at a 'sunsite' mirror (Linux is a popular UNIX clone operating system, and 'sunsite' is the popular name of a repository of UNIX software) has 104828 files, totalling 10.90 Gigabytes. As for spam itself, the Internet didn't have much of a spam problem in the early days either. It really didn't appear until the privatization of the backbones (the old NSF backbone prohibited all commercial activities).

The nuclear strike may not apply, but node-failures and link failures are quite common. Last year, several major (fiber) links along the California coast failed (mud-slides), and this caused some rather bizarre routings until the revised routes propagated. The Internet didn't go down, but I still recall seeing route traces from Phoenix (about 600 KM East of Los Angeles) to San Francisco via Los Angeles, San Diego, Dallas, St. Louis, Denver, and Portland Oregon. If you're not familiar with those names, grab a map of the USA and look at it. They are all large cities. There have been similar failures in other parts of the world - I've heard of at least two under-sea cables being damaged by fishing trawlers, as well as mud-slides in the North island of New Zealand.

You may find it useful to review RFC1118, RFC1127, and RFC1180 for additional thoughts on the way the Internet is used.

The newsgroup you want to scan is 'news.admin.net-abuse.policy' which is a low volume moderated group showing concepts for Usenet.

I don't keep logs of how much is dropped. As mentioned, last time I bothered to look, I was running around 1000 messenger spams a day. For what it's worth, I also have dialup access, and had seen similar rates there. I was able to convince the ISP to filter off the UDP at his single upstream connection, because his link was small (guessing, a 5-6 MB connection) and the UDP crap was a significant percentage of that link. My broadband provider is quite unresponsive to similar requests.

You've been lucky.

Yes, but given the current volume of such packets compared to the volume of id10ts downloading their pr0n (in 2400 x 1920 x 24 bit color) or even the normal crap of eighty jillion ads on every web page, it may not be significant enough. Still, screaming at your own ISP to drop the crap might be a good idea.

Old guy

Moe Trin
