
Deliver Us From Evil Bits

One year after an Internet Engineering Task Force (IETF) document established the flagging of "evil" packets, bad stuff continues to worm its way around the net. Despite a clear definition, it appears the Evil Bit remains ignored by many.

The Evil Bit, specified by Request for Comments (RFC) 3514, is a flag in the IPv4 header that can determine the intentions of a particular packet. Like a concerned father quizzing his daughter's dates, the Evil Bit could stop problems at the door.

The Evil Bit works according to a complex algorithm:

Table 1: Evil Bit: Format
Value of "E"    Result
0               Nice
1               Evil


Developed by AT&T Corp. (NYSE: T) research fellow Steven Bellovin, the Evil Bit debuted one year ago today, so programmers have had plenty of time to incorporate it.

Astoundingly, worms, viruses, and denial of service attacks -- many with clear evil intent -- have failed to adhere to RFC 3514. "There are lots of unmarked but evil packets floating around the net. We clearly need more enforcement activity to stop such non-compliant behavior," Bellovin writes in an email to Light Reading.

An author of the book Firewalls and Internet Security: Repelling the Wily Hacker, Bellovin has a background in security that qualified him to draft the Evil Bit.

"I'd been using it as a throw-away line for years, in my lectures on firewalls," he writes. "I'd say, 'If we knew which packets were evil, we could discard them very easily; since we don't know that, we have to use port numbers, etc.' Then I became one of the Security Area directors, which meant that I was reading lots of [IETF] drafts, and absorbing the proper style. After that, all I needed was time."

Several observers have drawn parallels to David Waitzman's RFC 1149 for transmission by carrier pigeon. They're not unrelated, Bellovin notes: "Well, pigeon output is almost always evil." Bellovin hasn't tracked RFC 3514's popularity among evildoers ("I'm not in close contact with the Evil community," he writes). But he's gotten some disturbingly earnest queries about implementation, including this one from a Microsoft security engineer:
    What or who determines the "evilness" or "goodness" of the packet? If a security admin or OS can determine or flag bits as good, what keeps the hacker from spoofing this process by setting the bit to "good"? Does the bit change based on behavior? Or maybe a database with signatures of "bad" bits?
Bellovin's response to the question is unknown, but there's a chance no one would have thought of spoofing the Evil Bit until this guy brought it up. Nice going, Mr. Helpful.

When it comes to only partially evil messages, such as decade-old jokes still making the rounds, help is on the way. IPv6, with its larger header, would fit a 128-bit Evil flag, allowing for gradations of evil. It's feasible that a future RFC would define levels such as "sort of evil," "really, really evil," or (for emails) "evil, but urgent."

But even after IPv6, more work remains. The advent of all-optical switching would create problems with the Evil Bit, since traffic would be able to bypass routers. Thus, Bellovin's RFC notes the industry may need ways to detect evil wavelengths or evil polarization. Will Evil never rest?

— Craig Matsumoto, Senior Editor, Light Reading
Sisyphus 12/5/2012 | 2:08:23 AM
re: Deliver Us From Evil Bits
I am writing a business plan around the notion of a Packet Exorciser system, and firmly expect to raise capital by tomorrow evening if this topic gains steam. :-)

We have a patented algorithm that will make packets with the evil bit set barf up the possessed bits in the payload. You need at least one in every network perimeter.
null0 12/5/2012 | 2:08:20 AM
re: Deliver Us From Evil Bits
Could this evil bit be used to detect packets from the new Omniscience Protocol?

Apparently it's going to be a phone home agent for the likes of the RIAA etc and will inform on all that download music via P2P.

This is scary and evil.

Null0
RGreg 12/5/2012 | 2:08:15 AM
re: Deliver Us From Evil Bits
I believe that Dr. Bellovin's implementation of the evil bit algorithm is over-simplified in that it lacks a correcting factor. This correcting factor comes from the well-known fact that lunar cycles play a role in human behavior. During the total darkness of a new moon more crimes are committed than otherwise, whereas during full moons otherwise rational people do unnatural things (giving us the derivation of the term lunacy).

The effect of this factor is that for a period of a few days every month that evil bit becomes REALLY evil.

The mathematical expression takes the Heaviside step function H and multiplies it by e^r, where r is the rate at which the moon changes phase. A further additive factor is derived from Pm, the power of reflected light from the moon incident upon a unit surface S. The total factor is therefore defined as

H*e^r + Pm*S.

But this is only a preliminary derivation, and the author invites any suggestions for refining this analysis.

------
RGreg
fgoldstein 12/5/2012 | 2:08:13 AM
re: Deliver Us From Evil Bits
The problem is like spam detection. Since spam doesn't come labeled, a program has to detect it and set a spam flag. Likewise with the evil bit. This is obviously a task for a daemon to set on passing packets; it's especially well suited to the BSD daemon. It's a friendly daemon, but it knows the way of the underworld and how to detect evil.
probably 12/5/2012 | 2:08:12 AM
re: Deliver Us From Evil Bits
"Thus, Bellovin's RFC notes the industry may need ways to detect evil wavelengths or evil polarization."

How would this evil detection be compatible with quantum communication?

I fear that evil could manifest itself as good (like a jelly doughnut) or good as evil (like Britney Spears trying to be raunchy).

I need an old priest and a young priest.
technonerd 12/5/2012 | 2:08:06 AM
re: Deliver Us From Evil Bits
What we need is a mechanism to redirect bits flagged as Evil to some alternate form of transport.
Funny you should mention this, because a whole lot of the IP-based equipment looks at all seven layers of the stack, which in theory allows segregation of evil bits.
H_ngm_N 12/5/2012 | 2:08:06 AM
re: Deliver Us From Evil Bits
What we need is a mechanism to redirect bits flagged as Evil to some alternate form of transport.

I forward the notion of implementing a global network based on RFC 1149. Specifications can be found at http://www.ietf.org/rfc/rfc114...

By redirecting packets in this manner, preferably as close to the origination point as possible, networks can opt to allow or deny these evil packets by placing a feline aviary interface at the ingress of all their networks.

What's nice about this method is that all the evil packet streams leave a clearly visible audit trail.

= K
H_ngm_N 12/5/2012 | 2:08:05 AM
re: Deliver Us From Evil Bits
Now I think you are just making stuff up.

= K
chopps 12/5/2012 | 2:08:04 AM
re: Deliver Us From Evil Bits
Since the Evil bit hasn't been used to date, clearly someone should define a serial protocol using it so that someone else can create MPLS or IP over Evil Bit Protocol.

Chris.