Industry Capability
LINX Traceability Best Current Practice

Keith Mitchell [email protected]
Executive Chairman
London Internet Exchange
ACPO Scotland Internet Awareness Seminar
8th Nov 1999


Overview

• Background, History, Motivation

• Principles

• IP addresses

• Dial-up users

• Applications

• Domain Name System

LINX Experiences

• LINX is UK national Internet Exchange Point (IXP)

• 5 years old today !

• Brings together and represents 88 largest UK/EU ISPs

• Also performs self-regulatory “non-core” activities

Industry Capabilities

• Much work originated and motivated by ACPO/ISP/Government forum

• Two important documents

• Industry Capabilities
  – see www.ispa.org.uk

• Traceability BCP
  – today’s talk

LINX Non-Core Activities

• Content Regulation
  – Illegal material

• Law Enforcement
  – Helping investigations

• UBM Regulation
  – “spam”

• Telecomms Regulation
  – Oftel

LINX & Regulation

• Funding, and policy & management oversight of Internet Watch

• Defines “good practice”, but only mandatory requirements concern IXP

• Becoming involved in network abuse

• 3 Best Current Practice documents published earlier this year:
  http://www.linx.net/noncore/bcp/

LINX BCP Documents

• Published:
  – Traceability
  – Illegal Material
  – Unsolicited E-mail (UBE = “spam”)

• Planned:
  – Internet User Privacy
  – Direct E-mail use

Internet Watch Foundation

• Voluntary funding from large ISPs directly, and small/medium via associations

• Operates hot-line for reporting illegal material - 0845 600 8844

• Working on content rating schemes (ICRA, INCORE projects)

• http://www.internetwatch.org.uk

Key IWF Principle

• UK ISPs supporting IWF are not held responsible for illegal content on their systems, provided:
  – it was placed there by customers
  – they have no prior knowledge of it
  – they take appropriate action when they do learn of it

• N.B. This is an informal agreement, not upheld by UK law

Traceability

• Principle of who did what & when on the Internet

• Key element of making individuals responsible for their actions

• Rest of talk outlines contents of LINX “Best Common Practice” document for ISP industry

Uses of Traceability

• Finding out sources of:
  – Illegal content (e.g. paedophile material)
  – Denial of Service attacks
  – Unsolicited Bulk Messaging (“spam”)
  – Hacking, fraudulent access

Traceability in Practice

• Complete knowledge is 100% possible in theory

• but practice will fall short of this

• BCP document defines how to make practice closer to theory

• Traceability is currently the exception
  – ideally the norm
  – legitimate anonymity an exception

Traceability Obstacles

• Vendor support

• Passing information between ISPs and carriers, e.g.
  – across national borders
  – caller id

• Unregistered trial etc accounts

• 3rd party relaying (e-mail)

IP Addresses

• All Internet activity has to come from some IP address
  – Starting point of any tracing exercise

• Need to map from this through:
  – domain name system
  – one or more ISPs
  – authentication system
  – public telephone network

• to user

IP Address Spoofing

• Need to ensure traffic is coming from where its source address claims - easy to fake

• Most applications require duplex communication, so spoof abuse scope limited:
  – Denial of Service attacks
  – “Single shot” attacks
  – Session sequence number interpolation

Spoof Prevention

• Static source address filters:
  – between backbone and “edge” routers in ISP’s backbone
  – performance impact
  – hard to scale elsewhere, e.g. between providers

• Dynamic filters:
  – per-user per dial-in session

• More info in RFC 2267
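
The two filter types on this slide, modelled as a single permit decision. This is an added example, not part of the original talk; the interface and port names, the prefixes (RFC 5737 documentation ranges) and the drop log are assumptions made for illustration.

```python
import ipaddress

# Constructed data: documentation prefixes and hypothetical interface/port names.
STATIC_EDGE_FILTER = {            # edge interface -> prefixes delegated behind it
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}
DIALIN_SESSIONS = {}   # dial-in port -> the one address assigned for this session
DROPPED = []           # (ingress, claimed source): the port is known even when the address is fake


def session_up(port, assigned_ip):
    """Dynamic filter: installed when the dial-in session is authenticated."""
    DIALIN_SESSIONS[port] = ipaddress.ip_address(assigned_ip)


def session_down(port):
    """Remove the filter at hang-up so a stale address is not accepted on this port."""
    DIALIN_SESSIONS.pop(port, None)


def permit(ingress, src):
    """Return True if a packet claiming source `src` may enter via `ingress`."""
    src = ipaddress.ip_address(src)
    if ingress in DIALIN_SESSIONS:
        # Per-user, per-session: exactly one source address is valid.
        ok = src == DIALIN_SESSIONS[ingress]
    else:
        # Static filter; an interface with no entry is denied by default.
        ok = any(src in net for net in STATIC_EDGE_FILTER.get(ingress, []))
    if not ok:
        DROPPED.append((ingress, str(src)))
    return ok
```

Recording the ingress alongside the claimed source keeps a spoofed packet attributable to the customer interface or dial-in port it arrived on.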

Dial-up Users

• Use of per-session dynamic IP address allocation is efficient

• but makes traceability harder

• User accounts and access numbers common to many dial-in routers

• Need to reliably map from:
  – (IP address, time) to (user)

Dial-in Authentication

• RADIUS authentication logs usually have info required, but:
  – need time synchronisation (NTP)
  – records can be lost (UDP)
  – vendor record format variations

• Alternatives include:
  – syslog, dynamic DNS, finger/telnet, SNMP
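
The (IP address, time) to (user) mapping from the previous two slides, worked over RADIUS-style Start/Stop records. This is an added example, not part of the original talk; the record layout, user names and addresses are constructed, and it assumes one dial-in router so that session ids are unique.

```python
from datetime import datetime, timedelta

# Constructed accounting records (UTC): time, type, session id, user, assigned IP.
RECORDS = [
    ("1999-11-08T09:00:05", "Start", "s1", "alice", "192.0.2.17"),
    ("1999-11-08T09:40:00", "Stop",  "s1", "alice", "192.0.2.17"),
    ("1999-11-08T09:40:20", "Start", "s2", "bob",   "192.0.2.17"),
    # The Stop for s2 never arrived (UDP loss); the next Start on the address bounds it.
    ("1999-11-08T11:15:00", "Start", "s3", "carol", "192.0.2.17"),
]


def build_sessions(records):
    """Pair Start/Stop records into sessions; an open session has end=None."""
    sessions, by_id, by_ip = [], {}, {}
    for ts, kind, sid, user, ip in sorted(records):
        t = datetime.fromisoformat(ts)
        if kind == "Start":
            prev = by_ip.get(ip)
            if prev is not None and prev["end"] is None:
                # Lost Stop: the address was reassigned, so the old session ended by now.
                prev["end"], prev["inferred_end"] = t, True
            s = {"ip": ip, "user": user, "start": t, "end": None, "inferred_end": False}
            sessions.append(s)
            by_id[sid] = by_ip[ip] = s
        elif kind == "Stop" and sid in by_id:
            s = by_id.pop(sid)
            if s["end"] is None:
                s["end"] = t
    return sessions


def who_had(sessions, ip, when, skew=timedelta(seconds=30)):
    """Every session that could have held `ip` at `when`, allowing for clock skew."""
    t = datetime.fromisoformat(when)
    return [s for s in sessions
            if s["ip"] == ip and s["start"] - skew <= t
            and (s["end"] is None or t <= s["end"] + skew)]


SESSIONS = build_sessions(RECORDS)
```

A query that returns two sessions (here, any time within the skew window around 09:40) is ambiguous and needs a second source such as CLI or syslog before it identifies a user.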

Unregistered Users

• e.g.
  – free trials
  – “pay as you go” services
  – public access terminals

• Pose particular traceability problems

• but there are ways to offer these services with safeguards

De-Anonymising Users

• Credit card check

• Voice phone call back

• Fax phone call back

• Avoid shared accounts

• Digital certificates

• Caller Id or CLI

Caller Id (CLI)

• Ideally phone number being used to make modem call passes through telephony carriers and dial-in router to ISP’s logfiles

• Some issues in practice:
  – carriers
  – router vendors
  – users

Caller Id Issues

• Not all carriers present full CLI
  – regulatory intervention needed ?

• Not all dial-in routers:
  – accept or log CLI
  – differentiate withheld vs unavailable

• ISPs who are not carriers get user (possibly modified) CLI rather than network CLI

“Pay as you go” Services

• e.g. BTclick, FreeServe et al

• Need to be able to:
  – require and log CLI
  – block payphone, international, prepaid calls
  – maintain frequent abuser phone number blacklist
  – identify IP address ranges used for this

E-Mail Traceability

• Very easy to make e-mail untraceable via fake headers

• Default config of many mail servers dumb in this respect

• Some routine precautions can tackle this

• Modern servers which are wise to this are available

E-mail Server Config

• Make sure actual IP addresses are stamped on headers

• Disable 3rd-party relaying !

• Consider using SMAP, Exim software

• Source filter which IP addresses can connect to SMTP port

• Domain Name verification
  – valid ?
  – forward/reverse match ?
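
The domain name verification and header stamping points above, as a check a receiving server could run on each connecting client. This is an added example, not part of the original talk and not the behaviour of SMAP or Exim; the sample DNS data is constructed, the Received layout is illustrative, and address comparison assumes IPv4 text form.

```python
import re
import socket

# Constructed DNS data for offline use: the second PTR claims a name whose A record disagrees.
SAMPLE_PTR = {"192.0.2.25": ["mail.example.org"], "198.51.100.9": ["mail.example.org"]}
SAMPLE_A = {"mail.example.org": ["192.0.2.25"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_fwd(name):
    return SAMPLE_A.get(name, [])

def dns_ptr(ip):
    """Live reverse lookup; an empty list means no usable PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def dns_fwd(name):
    """Live forward lookup; an empty list means the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def verify_client(ip, helo, ptr=dns_ptr, fwd=dns_fwd):
    """Return (verdict, confirmed_name) for the connecting address and its HELO name."""
    names = [n.lower().rstrip(".") for n in ptr(ip)]
    if not names:
        return "no-reverse", None
    # A reverse name counts only if its forward lookup leads back to the same address.
    confirmed = [n for n in names if ip in fwd(n)]
    if not confirmed:
        return "forward-reverse-mismatch", None
    verdict = "verified" if helo.lower().rstrip(".") in confirmed else "helo-mismatch"
    return verdict, confirmed[0]

def received_stamp(ip, helo, ptr=dns_ptr, fwd=dns_fwd):
    """Header line that always records the real peer address, whatever the client claimed."""
    helo = re.sub(r"[^A-Za-z0-9.\-\[\]:]", "?", helo)   # keep client input out of header syntax
    verdict, name = verify_client(ip, helo, ptr, fwd)
    return f"Received: from {helo} ({name or 'unverified'} [{ip}]) ({verdict})"
```

The bracketed address comes from the TCP connection rather than from anything the client sent, so it stays usable for tracing even when every other header field is false.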

USENET News Servers

• Always add X-NNTP-Posting-Host: header

• Restrict posting from customer addresses only

• Heavily restrict use of mail2news
  – Always add X-Mail2news: header

• Importance of synchronised & verified time/date stamping

Domain Name Servers

• in-addr address to name mapping critical when tracing

• important to ensure server security

• in theory dynamic DNS update could insert user name into reverse lookup for session duration - hard in practice

User Privacy

• Laws to protect privacy of ISPs’ customers must be respected
  – e.g. ECHR, Data Protection Acts, IOCA

• “Big Brother” PR is bad both for business and co-operation

• LINX has set up Internet User Privacy Forum to engage in constructive dialog with activists

• See http://www.iupf.org.uk

Possible Future Work

• Inter-provider issues

• IRC & “chat”

• Corrections, improvements

• Feedback welcome !

Conclusions

• You can’t solve the whole problem

• ..but straightforward measures can make a big difference

• Legal protection of legitimate users’ privacy must be addressed

• The industry can take a responsible lead through co-operation