nanog mailing list archives
Re: Solution: Re: Huge smurf attack
From: Dalvenjah FoxFire <dalvenjah () DAL NET>
Date: Tue, 12 Jan 1999 09:46:34 -0800
On Tue, Jan 12, 1999 at 11:39:17AM -0500, danderson () lycos com put this into my mailbox:
> I'm not sure what the big issue here is with the smurf attacks. If you set up some kind of access list that disables incoming icmp traffic, then turn directed broadcasts off on the interfaces, that's it. In most cases, you can't even get a packet into my AS unless it's bound for dns machines or our website frontends. For those of you using Cisco gear, a simple 'no ip directed broadcast' in the interface subset will turn them off. In my mind, this takes care of all but two scenarios:
Unfortunately, things aren't quite that easy. You can't filter on your side unless you have ATM links up the wazoo; the smurf still occupies your incoming link. And many ISPs (uplinks) don't want to add filters on their side, because of load on the router or something similar.

Even if that were the case, smurf attacks are getting so powerful that even a large ISP is getting to be affected. A 200Mb+ smurf can take out, or at least seriously hamper activity at the POPs of even large ISPs.

I agree that something like Cisco's CAR and blocking ICMP would help. But when smurfer-wankerboy finds that he can't take out your network with a small 15Mb smurf, he'll just find 10 of his skriptkiddie friends and get them to join him, and take out your uplink with a 150-200Mb smurf.

Filtering on the victim side is unfortunately not the answer. Fixing the broadcast addresses, unfortunately, is.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
"Hanging is too good for a man who makes puns; he should be drawn and quoted."
e-mail: dalvenjah () dal net   WWW: http://www.dal.net/~dalvenjah/
whois: SN90   Try DALnet! http://www.dal.net/
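Added example, not part of the original post or of any poster's tooling: a small audit that reads an IOS-style configuration and lists the interfaces that would still forward directed broadcasts, which is the "fixing the broadcast addresses" step the message argues for. The sample configuration is constructed, the function name and the `default_enabled` parameter are assumptions of this sketch, and the command is matched in its IOS spelling `ip directed-broadcast`.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges only).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.128
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip directed-broadcast
!
interface Loopback0
 ip address 203.0.113.255 255.255.255.255
!
"""

def audit_directed_broadcast(config, default_enabled=True):
    """Return [(interface, broadcast_address)] for interfaces that forward
    directed broadcasts. default_enabled (assumption) models releases where
    the feature is on unless 'no ip directed-broadcast' is configured."""
    stanzas, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"name": line.split()[1], "nets": [],
                       "enabled": default_enabled}
            stanzas.append(current)
        elif not line.startswith(" "):
            current = None                      # left the interface stanza
        elif current is not None:
            words = line.split()
            if words[:2] == ["ip", "address"] and len(words) >= 4:
                iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
                current["nets"].append(iface.network)
            elif words[:2] == ["ip", "directed-broadcast"]:
                current["enabled"] = True
            elif words[:3] == ["no", "ip", "directed-broadcast"]:
                current["enabled"] = False
    findings = []
    for s in stanzas:
        if s["enabled"]:
            # /31 and /32 networks have no distinct broadcast address to abuse
            findings += [(s["name"], str(n.broadcast_address))
                         for n in s["nets"] if n.prefixlen < 31]
    return findings

if __name__ == "__main__":
    for name, bcast in audit_directed_broadcast(SAMPLE_CONFIG):
        print(f"{name}: directed broadcast to {bcast} is forwarded")
```

Pass `default_enabled=False` when auditing configurations from releases where directed broadcast is off unless explicitly enabled.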