Re: Solution: Re: Huge smurf attack

[danderson () lycos com]

I'm not sure what the big issue here is with the smurf attacks. If you set
up some kind of access list that disables incoming icmp traffic, then turn
directed broadcasts off on the interfaces, that's it. In most cases, you
can't even get a packet into my AS unless its bound for dns machines or our
website frontends. For those of you using Cisco gear, a simple 'no ip
directed broadcast' in the interface subset will turn them off. In my mind,
this takes care of all but two scenarios:

1. Your smurf attack is coming from someone within your organization, doing
a broadcast while directly connected to the network. In this case, you
should be able to get their ip address just by a snoop (at least on a sun
box) and then you may processed to visit the offender with the
clue-by-four. I once had someone who though that was a good way to
inventory the machines on a network.

2. You are using some vendor who doesn't support any way of turning off
directed broadcasts. From a statistics point of view, since Cisco has 87.5%
of the market, most people won't find this to be a problem. I understand
that only certain code revisions carry this ability on Bay gear (I want to
say 11 or higher, but I could be wrong and I can't remember the code
train). If you've got Torrent or something else, I don't' know but its a
safe bet that if the feature isn't supported at all (doesn't matter if it
is a default or not) this isn't equipment you want in your AS. Speaking
from my standpoint, I sure wouldn't use it.

Devin Anderson
Network Engineer
Lycos, Inc.





Brandon Ross <bross () mindspring net> on 01/12/99 02:05:02 AM

To:   nanog () merit edu
cc:    (bcc: Devin Anderson/Lycos)
Subject:  Re: Solution: Re: Huge smurf attack




On Mon, 11 Jan 1999, Daniel Senie wrote:
> The proper answer to this is to disable directed broadcasts on the
> routers themselves. It'd be helpful if routers came out of the box with
> this feature disabled by default. Perhaps folks should talk with their
> router vendors of choice and ask for this change. I have submitted a
> draft into the IETF process to require this change, updating RFC 1812
> (router requirements).
I'm happy to say that progress is being made in this area.  When a vendor
comes to us for the first time, one of things I tell them is that we will
not buy their hardware until they ship with directed broadcast disabled by
default.  We've had a lot of success in this area, we'd have even more if
others would do the same.
Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info () mindspring com
                                                            ICQ:  2269442
Stop Smurf attacks!  Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.