A solution for DDOS packet flooding attacks

This article summarizes a proposed solution to thwart DDOS attacks on the internet based on PEIP (Path Enhanced IP), an extension to the IP protocol.

On Friday, October 21, 2016, a major DDOS attack crippled access to major Web sites, including Amazon and Netflix.

PEIP and Fair Service are proposals by Don Cohen that may have been able to mitigate this attack. PEIP extends the IP protocol (the Internet Protocol, the basis of the internet) to provide information that allows determining the router-to-router path of packets sent over the internet. Currently, when an IP packet is received by a router, there is no information stored with the packet to indicate the sequence of routers the packet traversed on its way to the destination (DDOS target). This enables hackers to get away with setting up zombie processes on a multitude of hosts that send packets to attack a destination IP address by forging the source address and simply flooding the destination with those packets. Since the IP packets that arrive at the target host do not contain information about the actual sequence of routers that the packet traversed on its way to the targeted host and since the source IP address is forged, it is very difficult to determine which packets are real and which ones are part of the attack.

PEIP and Fair Service could be a game changer if adopted by enough ISPs and router manufacturers. Using PEIP, it becomes possible to determine, for each packet arriving at a target host being attacked, what path of routers was used to deliver the packet. It then becomes possible to thwart DDOS attacks not by denying packets but, rather, by ONLY allowing each incoming path of routers to receive their “fair share” of service. I.e., rather than attempting to figure out which packets are attack packets, which is not possible due to forged source IP addresses, instead, the solution is to allow in the forged packets but ONLY GIVE THEM A SMALL PERCENTAGE OF THE ALLOWED TRAFFIC ARRIVING AT THE TARGETED HOST. The idea is that packets arriving via routing paths that are not compromised by the attack will receive service. The attacking path still receives service but only a small fraction and no more than all of the uncompromised paths, rendering the DDOS attack ineffective in most cases. Hence the term Fair Service to describe this approach to DDOS mitigation.
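An added illustration, not code from the original article or from the PEIP/Fair Service papers: a small Python model of the Fair Service idea, in which packets are grouped by the router path that PEIP would record and service capacity is handed out round-robin across paths, so a flood arriving over one path cannot crowd out the others. The path labels, packet counts and capacity are constructed for the example; a plain first-come-first-served scheduler is included for comparison.

```python
from collections import defaultdict, deque

# Constructed sample traffic: 1000 flood packets over one path (the attack
# path), then 5 legitimate requests over each of three uncompromised paths.
# The path label stands in for the router sequence PEIP would carry.
SAMPLE_PACKETS = (
    [("attack-path", f"flood-{i}") for i in range(1000)]
    + [(p, f"{p}-req-{i}") for p in ("path-A", "path-B", "path-C") for i in range(5)]
)


def group_by_path(packets):
    """Build one FIFO queue per router path (the PEIP-derived key)."""
    queues = defaultdict(deque)
    for path, payload in packets:
        queues[path].append(payload)
    return queues


def fifo_service(packets, capacity):
    """Today's behaviour: serve the first `capacity` packets in arrival order,
    regardless of path. Returns packets served per path."""
    served = {path: 0 for path, _ in packets}
    for path, _ in packets[:capacity]:
        served[path] += 1
    return served


def fair_service(packets, capacity):
    """Fair Service: visit every path with waiting packets in turn, serving one
    packet per path per round until `capacity` is exhausted. A path that
    floods only gets the capacity left over after the other paths are served."""
    queues = group_by_path(packets)
    served = {path: 0 for path in queues}
    remaining = capacity
    active = [path for path, q in queues.items() if q]
    while remaining > 0 and active:
        still_waiting = []
        for path in active:
            if remaining == 0:
                still_waiting.append(path)  # out of budget this round; keep queued
                continue
            queues[path].popleft()
            served[path] += 1
            remaining -= 1
            if queues[path]:
                still_waiting.append(path)
        active = still_waiting
    return served


if __name__ == "__main__":
    print("FIFO:", fifo_service(SAMPLE_PACKETS, 40))
    print("Fair:", fair_service(SAMPLE_PACKETS, 40))
```

With a budget of 40 packets, FIFO serves only flood packets, while the fair scheduler serves all 15 legitimate requests and gives the attack path only the remaining 25.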

Fair Service and PEIP have been implemented in test networks and are described in detail in A Fair Service Approach to Defending Against Packet Flooding Attacks and Changing IP to Eliminate Source Forgery (the proposals date back to 2001).

I know Don Cohen and K. Narayanaswamy personally and vouch for the veracity of what is claimed and documented in these papers. DDOS is a sufficiently important problem that an infrastructure-wide solution such as PEIP and Fair Service should be considered by Cisco and other router manufacturers and ISPs as a way to greatly lessen the threat of DDOS. Don and Swamy contacted Cisco (and some ISPs) over ten years ago to make them aware of this solution to the DDOS problem but, among other things, Cisco did not want to modify its routers, which would be necessary to properly implement PEIP. The recent DDOS attack of October 21, 2016 is a reminder that we still need to improve the infrastructure (if not via PEIP then in some way) in order to properly deal with DDOS. Don Cohen would still be happy to hear from Cisco, other router manufacturers and major ISPs to answer any questions they have as to why PEIP and Fair Service are a viable approach to mitigating DDOS attacks. Contacts: Don Cohen <don@isis.cs3-inc.com> and K. Narayanaswamy <swamy@cs3-inc.com>.

Dennis G. Allard
Santa Monica
October 22, 2016

Stolen passwords? Not to worry. Advice about passwords.

The recent theft of a billion user names and passwords by Russian hackers is nothing to worry about as long as you understand a few simple facts and rules.

KNX News Radio Los Angeles (CBS) would have you believe pundits who sell password generator software and other nonsense. KNX is either misreporting or missing the story. They should instead be interviewing qualified representatives at Bank of America, VISA, ETrade and other financial institutions to ask them if passwords can be stolen. The answer is that passwords cannot be stolen because those institutions do not store them.

Sites such as your bank or stock brokerage do not, I repeat, do not, store your password. So no one can steal your password from your bank. What is stored is an encrypted value that is based on your password. That encrypted value could be stolen but, by itself, is useless for logging in. In other words, there is no file at your bank or other reputable financial institution that contains your password so there is nothing to steal.

How, then, is it possible for you to log in using your password? The answer is that logging in works by encrypting your password and comparing the result to the stored encrypted value. If they match, you get to log in; if not, your login attempt fails.

The beauty of this scheme, used in UNIX systems since 1969, is that the process is not reversible. Someone could publish the encrypted value on a billboard and that would still not help a hacker log in. Only you know your password. The hacker would still have to effectively guess your password in order to get logged in by your bank site.
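An added example, not from the original article, of the login scheme described above: the site stores a salted one-way hash (what the text calls the encrypted value) rather than the password, and checks a login attempt by recomputing the hash from what was typed. The PBKDF2 parameters, record format and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this example


def store_password(password, salt=None):
    """Return the record a site keeps instead of the password itself:
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt means two users with the same password get
    different records, and the password never appears in the record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_login(record, attempt):
    """Re-derive the hash from the typed password with the stored salt and
    iteration count, then compare in constant time. Nothing here can turn
    the stored hash back into the password."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # The article's sample passphrase-derived password, used as test input.
    record = store_password("oykypdsiiaf")
    print("stored record:", record)
    print("correct password accepted:", verify_login(record, "oykypdsiiaf"))
    print("wrong password accepted:", verify_login(record, "oykypdsiiab"))
```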

Don’t store your password on your computer or in one of those stupid password “vaults” or password generators. Instead, memorize your password. It’s OK to write it down on a piece of paper you tuck away some place.

You should pick a good password that is easy for you to remember but hard to guess. Make it at least 8 or 10 characters long and make sure it is not made up of dictionary words. One trick I use is to think of a sentence, then use the first letter of each word of the sentence as my password. For example, “Only you know your password. Don’t store it in a file” would become: oykypdsiiaf. That password is actually fairly easy to type. The phrases I use make my passwords (I have a few) even easier to type. I use phrases about people and things I like, so my phrases are almost like rhymes and easy to remember. Mine have more than 10 characters. I usually include a special character (such as a colon or asterisk), although some web sites stupidly refuse to allow special characters.

For sites that are not important (most sites) use a different password than your main passwords you use for important sites. It’s OK to use the same password for all the unimportant sites. I only have about three or four passwords, about three really secure ones (longish, hard to guess) and just one that is shorter and easy to remember that I use for ALL of the sites I just don’t care about that much if someone were to get in.

I hardly ever change my passwords since they are secure to begin with. But when and if I do, I just modify say the first three words of the phrase so it’s easy for me to remember the new password, it being similar to the old one.

There remain a couple of things to know about how hackers can manage to steal passwords and how you can remain confident that you are secure.

One way hackers can steal passwords is by setting up a man-in-the-middle attack that is able to intercept communication between you and your bank. Thankfully, modern protocols use SSL (the same “S”, for “Secure”, as in the little “HTTPS://” prefix you sometimes see in your browser address bar). As long as you communicate with reputable institutions, all login communication is done using SSL, which has been engineered to thwart man-in-the-middle attacks. If you ever see a message from your browser that warns you that the Security Certificate of the site you are logging in to has not been authenticated, that means you should not connect to that site.

There is also the thorny issue of keystroke snooping. If a hacker can manage to take control of your computer or of the server into which you are logging in (or think you are logging in) at a level where your keystrokes can be recorded, then, Houston, we have a problem. Such deep attacks are rare but possible. The best way to feel confident one has not been attacked at that level is to keep your computers and devices updated with the latest security updates for your OS and only do important financial transactions with reputable web sites. Personally, I don’t use Norton or McAfee crap. Those things just waste CPU in my view. Instead, I keep my systems up-to-date, I use good passwords as outlined above, and I store important information on reputable sites.

As for LifeLock, see: Amazon not-so-good reviews about LifeLock

Dennis Allard
Santa Monica
August 6, 2014

Chemtrails are really just Contrails

One of the many bogus conspiracy theories speaks of so-called chemtrails.

Chemtrails are actually contrails. Contrails (condensation trails) are water vapor caused by both jet engine exhaust and the Bernoulli effect around a plane’s wings as air is rapidly decompressed and cooled, causing water to condense (due to the laws of Thermodynamics having to do with pressure and temperature). Basically, contrails are man-made clouds (water vapor only) and they are often quite beautiful. It is a pity that some people are naive and ignorant about the true nature of this phenomenon. They are living their lives in needless fear instead of marveling at what is a beautiful thing created by a combination of technology and nature. Contrails are created by a plane moving through the atmosphere under the right atmospheric conditions. You will tend to notice them on days where there are already cirrus clouds being formed due to the same atmospheric conditions but it is possible to see them on clear days if the amount of water in the air at high altitude is just right.

There are two ways contrails form. One is from jet engine exhaust that contains water. Have you ever noticed water dripping from an automobile exhaust on a cold day? Same thing. Warm air holds more water than cold air. As air cools, the evaporated water in the air will condense. (That is one of the reasons that rain is more likely as night falls and the atmosphere cools.) One of the byproducts of combustion engines, including jet engines, is water in the exhaust. As the exhaust leaves the jet engine, it cools so the water in the exhaust will condense into water vapor (a cloud). On some days at some altitudes, that exhaust water is fully absorbed by the atmosphere. On other days, it takes a while to be absorbed so the contrail stays visible for a short period of time. On yet other days, the conditions are such that the water vapor forms into man-made clouds. The same logic applies to natural clouds. Some days clouds appear and others they don’t appear, depending on pressure and temperature of the atmosphere.

The other way contrails form is caused by fluctuations in air pressure around the wings of the airplane. Have you ever released air from a bicycle tire by pressing on the valve and noticed that the air released is very cold and sometimes causes moisture to condense on the valve? Same thing. When a plane wing moves through the air at 500 miles per hour it impacts the air it is moving through. The air is compressed then decompressed, which under the right conditions of moisture content in the air can cause that moisture to condense into contrails.

Contrails are explained in more detail in the Wikipedia article on Contrails.

I gathered a small collection of links to videos that debunk Chemtrails. These videos are all fairly short and to the point. And of some entertainment value.

There is one popular chemtrail conspiracy video that was proven to be a hoax because the pilot who made the original video later admitted it was a hoax. See: Contrail Science

Dennis Allard
Santa Monica
October 17, 2013

How to block calls on your iPhone

It is now easy to block unwanted phone calls to your iPhone if you have iOS 7.

When an incoming call arrives from a number you do not wish to receive calls from in the future, hang up, go to your Phone Recents list, select the number you wish to block by pressing the little “i” icon, then scroll down and select “Block this Caller”.

That’s all there is to it.

Dennis Allard
Santa Monica
October 20, 2013

How to watch TV without Time Warner

Time Warner and CBS, two gargantuans of television, are bickering, with the result that a few million people are not able to view CBS via Time Warner Cable. I somehow feel this is all part of the ongoing reconcentration of wealth into the hands of fewer segments of society. Just my gut feel. Whatever the ultimate reason, those few million people are denied seeing the channel 9 news and other favorites that are de facto part of our social fabric in spite of being owned by the corporatocracy. In short, since these are not truly public institutions, we don’t get to decide how they are managed. The corporates do. The “Free” Market decides.

LA Times clip on Time Warner vs. CBS - 2013-08-03

It’s not like TV in the United States has not always mostly been privately owned (even though airways are in principle a public resource). We used to have commercial-free public television. In days gone by. The Libertarian Fundamentalists long ago convinced too many that government is bad (implication, corporations are good) and that how dare “they” (the government, elected by you and me), i.e., us, use tax dollars to fund quality programming.

The good news is that, at least so far, there are still freely available channels, including CBS, thanks to the good old rabbit ear antenna.

All modern digital HD TVs can view channels 2, 4, 5, 7, 9, 11, 13, 28, 34, etc. here in Los Angeles. Without cable TV. For no charge. You just hook an antenna up to your TV using the coax connection.

I took a vacation from cable TV in recent years but recently subscribed to Verizon FIOS so I could watch the Dodgers, another de facto part of public society but, now, unlike before, NOT available most days on public air waves. Actually, the real reason I subscribed to FIOS is that I work on the Internet, so I need high speed internet, and Verizon almost gives away FIOS TV once you have FIOS internet. Ironically, I changed to FIOS internet away from Time Warner Cable Internet and am so happy to have done so. Time Warner simply did not know how to keep a router up 24×7 (it was more like 23.9×7) and that got real old real fast. FIOS for me has been operating for two straight years without any outage (maybe one short outage). I guess that’s a plug for Verizon FIOS (a trade name and color scheme I dislike but a technology I love that should be available to everyone as a public utility).

Let me repeat the good news about how to bypass Time Warner Cable to watch channels 2, 7, 9, 28 (KCET) etc. all in HD (High Definition) without paying a cent for a cable TV subscription…

You use a rabbit ear antenna. I would recommend setting up a long wire and moving the antenna to the attic or the roof. I did that and the HD reception of all the above channels is outstanding. I think it’s even better than what comes in on cable.

Once you do this, you might even conclude that spending $80 per month for cable (that’s about $1000 per year) isn’t worth it. You can still listen to the Dodgers on the radio when they are not televised on the public air waves. They still haven’t figured out how to force us to pay money to listen to radio. Not yet.

Dennis Allard
Santa Monica
August 7, 2013

Why Twitter is popular and what I dislike about that

This article talks about Twitter but the points made here apply equally to Facebook.

There are two reasons Twitter took off like it did.  First, it fills a desire in the culture for ubiquitous notifications from everyone to everyone.  Second, it did so in a way that is immediately accessible and easy to use for anyone with a web browser.  I.e., real time simple peer-to-peer notifications that are both created and accessed via existing ubiquitous technology.

Twitter lets people create notifications and “follow” other people’s notifications.  And, it does that via the Web by letting people both write and view notifications in a browser.  It can’t get any simpler than that, can it?

Hence, a simple idea (real time notifications) combined with providing that via existing tools that everyone already has on their computers and cell phones.

Why do I say I don’t like that?  It’s not that I don’t like the idea.  And I commend the authors of Twitter for making the starkly simple realization that all this was both desired and so easily provided.  They will become very rich because of that realization combined with what I don’t like about the situation.  That is, the mechanism for providing Tweets is proprietary.

Although the mechanisms for writing and following Tweets are standards-based (standard message protocol, HTTP, and HTML basically), the creators of Twitter co-opted the concept of notifications by providing the mechanism via a branded web server.  And therein lies the rub.  Although web clients are free and ubiquitous, web servers are not.  Web servers and domain names are owned.  By co-opting the concept of ubiquitous notifications via a proprietary web server, Twitter has enriched a few people who happened to think of the idea first.  It’s not always this way.  For example, the Web itself, which arguably underpins all things Twitter-like, was developed by socialized programs (called science, academic research, and just plain good engineering) done by governments and government-funded research.  (One of many arguments I make that government is not bad as the Libertarian Fundamentalists like to believe).

Facebook is another example.  It is hard to make a Web site so Facebook made it easy.  A subject to another day, but you get the point.

Are there alternatives to these proprietary mechanisms?  Yes.  For example, RSS feeds provide a mechanism very similar to Tweets.  In fact, RSS feeds provide a richer mechanism.  And, RSS feeds are also built in or can be built in to browsers, although they are not anywhere near as accessible as Tweets.  Why?  The problem is that there is no central place to find all RSS feeds and there is no ubiquitous, easily accessible place to write and distribute RSS feeds.  Generalizing slightly, we live in a culture where identity and mind share are still proprietary.  There is no standard freely available centralized place to create content for the Web.  Now, Google and others provide a central place to search for identity, but not to create it.  And Google itself is proprietary.  Think about it.  All Web servers are owned.  There is a reason for that.  Unlike the client (the web browser), the server (the web server) has to have lots and lots of memory.  Real memory.  And processors, lots of processors.  And that all costs money.

There are solutions.  We could distribute the notion of identity across a pool of volunteers who would provide resources for a large distributed server.  It would be public, non-proprietary, secure, and ultimately scalable to any size needed.  Alternatively, one or more governments could provide the central server.  In one of these ways, we would be able to provide the server side of the equation in a way that scales, does not require advertising or other revenue, is a shared resource, and achieves everything that the Twitters and Facebooks of the world achieve.  It would be a large non-proprietary sandbox where equal numbers of ideas are tried out and what wins is, just as now, based on popularity and viral acquisition of mind share.

I am sure my idea is not new and has bugs.  But I wanted to get this off my mind.