nanog mailing list archives

Re: smurf, the MCI-developed tracing tools


From: Dax Kelson <dkelson () inconnect com>
Date: Sun, 28 Dec 1997 21:17:28 -0700 (MST)


Adrian wrote:
But this way, people can only spoof IPs from their own block, and not
random addresses. It would kill smurf attacks, make tracing a tad(?)
easier, etc, etc. And as I've mentioned before, not all types of floods
are ICMP attacks. If you filter ICMP, then I'll start flooding with
spoofed source addresses TCP packets with random sequence numbers and from
IPs. What, you're going to ask routers to track all the TCP connections
going through them now for validation? Erm, how many CPUs more are we
going to need..? :)

Something else that needs to be done is we need DEFAULT anti-spoof filters
on all dialin boxes such as those made by Livingston, Ascend, USR, etc.

When a customer calls in and gets assigned an IP address the box should
automatically apply an anti-spoof filter to that port dropping any
packets with an IP source different than the one assigned.

Of course you need a way to override that for customers who have networks
routed to them.  The box could use the RADIUS "Framed-Route" entry as a hint
to which networks to forward IPs from.

I've had an RFE in with Livingston for over a year to get that added to
ComOS.

Dax Kelson
Internet Connect, Inc.
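The per-port filter described in this message, written out as an added Python example (it is not code from the post or from any vendor's ComOS): the assigned address plus any Framed-Route networks become the only permitted source addresses on that port. Framed-IP-Address and Framed-Route are real RADIUS attribute names; the addresses and session contents are constructed.

```python
import ipaddress

# Constructed RADIUS session for one dial-in port (hypothetical values).
# Framed-Route uses the RFC 2865 text form "prefix/len gateway metric".
SESSION = {
    "Framed-IP-Address": "192.0.2.10",
    "Framed-Route": ["198.51.100.0/24 192.0.2.10 1"],
}

def allowed_sources(session):
    """Build the per-port ingress filter: the assigned /32 plus every network
    listed in Framed-Route (the hint for customers with routed networks)."""
    allowed = [ipaddress.ip_network(session["Framed-IP-Address"] + "/32")]
    for route in session.get("Framed-Route", []):
        prefix = route.split()[0]  # first field is the destination network
        allowed.append(ipaddress.ip_network(prefix, strict=False))
    return allowed

def ingress_check(session, src):
    """True if a packet with source src may be forwarded from this port,
    False if it should be dropped as spoofed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources(session))

def filter_packets(session, packets):
    """Classify (src, dst) pairs into forwarded and dropped lists."""
    result = {"forwarded": [], "dropped": []}
    for src, dst in packets:
        key = "forwarded" if ingress_check(session, src) else "dropped"
        result[key].append((src, dst))
    return result

if __name__ == "__main__":
    # Constructed sample traffic: the assigned address, an address inside
    # the routed block, and a packet with a random spoofed source.
    sample = [("192.0.2.10", "203.0.113.5"),
              ("198.51.100.77", "203.0.113.5"),
              ("10.9.8.7", "203.0.113.5")]
    for kind, pkts in filter_packets(SESSION, sample).items():
        print(kind, pkts)
```

Without a Framed-Route entry the filter collapses to the single assigned address, which is the default behaviour the message asks for.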


