nanog mailing list archives
Re: Actions to quiet the Smurf amplifiers?
From: Phil Howard <phil () whistler intur net>
Date: Mon, 19 Oct 1998 14:19:00 -0500 (CDT)
Dan Hollis replied:
On Mon, 19 Oct 1998, Phil Howard wrote:Dan Hollis wrote:The last site I dealt with took _3 weeks_ to close their amplifiers once they were notified. And this was a multimillion dollar publishing company.Wow, you sure get them to act quickly! How did you manage to get a big monstrous behemoth like "corporate america" to move that fast? :-)They did nothing for two weeks, then their upstream threatened to pull their connection. If there were only some way to blackhole smurf amplifier routes globally... sigh.
There is. The method involves a software design change in the routers. For each arriving packet, in addition to doing a routing lookup based on the destination, also do a routing lookup based on the source address. If the interface the packet arrived on is NOT in the list of addresses that routing back to the source suggests, then discard the packet. That will drop the majority of packets before they even read smurf amplifiers, as they are generally forge-sourced to the ultimate target of the attack. The first router hop with this implemented where the source address is invalid will stop the attack. The core backbone probably does not need to have this enabled, but all the leafs from it should to ensure no forged sources can get through. I have access list filters in place that block all sources from other than my network space. I also block all incoming to *.*.*.255. There should be no smurf originations or amplications in my network (except non-forged from within, which we can deal with anyway, e.g. cancel, fire, prosecute, etc.). -- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --
Current thread:
- Actions to quiet the Smurf amplifiers? Havard . Eidnes (Oct 17)
- Re: Actions to quiet the Smurf amplifiers? Mikael Abrahamsson (Oct 17)
- Re: Actions to quiet the Smurf amplifiers? Dan Hollis (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Phil Howard (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Dan Hollis (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Phil Howard (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Roeland M.J. Meyer (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Jon Lewis (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Dalvenjah FoxFire (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Phil Howard (Oct 19)
- <Possible follow-ups>
- Re: Actions to quiet the Smurf amplifiers? Brian Dickson (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Danny McPherson (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Phil Howard (Oct 19)
- Re: Actions to quiet the Smurf amplifiers? Phil Howard (Oct 21)
- Re: Actions to quiet the Smurf amplifiers? Hui-Hui Hu (Oct 21)
- Re: Actions to quiet the Smurf amplifiers? Erik E. Fair (Oct 21)
- Re: Actions to quiet the Smurf amplifiers? Phil Howard (Oct 21)
- Re: Actions to quiet the Smurf amplifiers? Hui-Hui Hu (Oct 21)