nanog mailing list archives
Re: SMURF amplifier block list - READ THIS
From: Karl Denninger <karl () Mcs Net>
Date: Wed, 15 Apr 1998 14:22:15 -0500
On Wed, Apr 15, 1998 at 01:04:19PM -0600, Dax Kelson wrote:
> This isn't quite as bad as it sounds, because in nearly all cases, the *OUTGOING* bandwidth from the amplification network will be *MUCH* less than the aggregate traffic produced by all the devices on the amplification LAN. So what ends up happening in most cases, is that 20-90Mbps of traffic slams into the router interface capable of only 1.5/3/6/9Mbps of outgoing traffic. Still, though a modem or ISDN connection being able to summon 1.5-9Mbps is quite a problem.

Well, most of the real "problem" smurf sites are DS-3 connected or better. The little ones don't bother us.

> There has been very little mention of anti-SPOOF measures in this thread which is surprising.

Try to get people to do that.... we have, it's pointless.

> IP SPOOFing is *THE SOURCE* of all the major problems:
>
> SYN-FLOOD
> TEARDROP and variants
> SMURF
> What's Next???
>
> Solutions:
>
> Validate all traffic leaving your networks to be sure the IP source is from one of your networks. Everyone from the tier 1 providers on down should write that requirement into all their connection agreements.
>
> Further, the fact is that nearly *ALL* such attacks (attacks that use IP-SPOOFing as a requirement) are launched from dial-up connections. It would be relatively easy to have a *DRAMATIC* reduction in attacks if the dialup equipment vendors would release software updates with *DEFAULT* anti-spoof filters applied to dialup connections.
>
> Put some pressure on your vendors, nearly all dialup ports are made by either Lucent/Livingston, Ascend, and 3COM/USR. I've been asking Livingston for two years for this feature.
>
> Dax Kelson
> Internet Connect, Inc.

Yeah, well, why not find a way to ram it down UUNET, SPRINT, MCI's, and the rest of the national's throats first?

We already do this - it's not a perfect filter, but it will only let you transmit packets with sources that COULD possibly come from us.

--
--
Karl Denninger (karl () MCS Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
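An added illustration, not part of the original message or thread, of the two source-validation points discussed above: a provider-wide egress check that admits only sources that could come from the provider, and a per-dial-up-port check on the address assigned to that port. The prefixes, port names and packet records are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes stand in for a provider's space.
PROVIDER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Hypothetical dial-up port table: port name -> address assigned for the session.
PORT_ASSIGNMENTS = {
    "dialup-1": ipaddress.ip_address("192.0.2.10"),
    "dialup-2": ipaddress.ip_address("192.0.2.11"),
}


def border_filter(src):
    """Coarse egress check: the source must lie inside a provider prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROVIDER_PREFIXES)


def port_filter(port, src):
    """Per-port check: the source must equal the address assigned to the port."""
    assigned = PORT_ASSIGNMENTS.get(port)
    return assigned is not None and ipaddress.ip_address(src) == assigned


def evaluate(packets):
    """Return (port, src, border_ok, port_ok) for each (port, src) record."""
    return [(port, src, border_filter(src), port_filter(port, src))
            for port, src in packets]


# Constructed packet records: (ingress port, claimed source address).
PACKETS = [
    ("dialup-1", "192.0.2.10"),    # source matches the port's assignment
    ("dialup-1", "203.0.113.7"),   # source outside the provider's prefixes
    ("dialup-2", "198.51.100.5"),  # inside provider space, not this port's address
    ("dialup-9", "192.0.2.10"),    # port with no assignment on record
]

if __name__ == "__main__":
    for port, src, border_ok, port_ok in evaluate(PACKETS):
        print(f"{port:9} {src:14} border={'pass' if border_ok else 'drop'} "
              f"port={'pass' if port_ok else 'drop'}")
```

The third record shows why the provider-wide check is "not a perfect filter": a source forged from elsewhere inside the provider's own prefixes passes at the border and is only rejected by the per-port check.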