Re: smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

[Karl Denninger <karl () mcs net>]

On Sat, Dec 27, 1997 at 05:54:08PM -0500, Dorian R. Kim wrote:
> On Sat, Dec 27, 1997 at 03:25:11PM -0700, Darin Wayrynen wrote:
> > I had to modify code to parse the password file.  I did not try to
> > determine if this was because I wasn't using the recommended
> > hardware/software platform, or because the tool was created to work
> > with a MCI specific environment.
>
> While I can't comment on this specific problem, MCI's dostracker doesn't
> work if you are running DCEF. This makes dostracker useless in many
> networks.
>
> -dorian

Then you damn well better not be permitting any of the following:

1)      Forged source addresses (this CAN be stopped with specific filters
        on your interfaces, although some will bitch about the performance
        impact - depending on their specific choices)
2)      Directed broadcasts (which are used to "create" these DOS attacks by
        bouncing the attack off a particularly-well-connected location,
        USUALLY a provider's internal infrastructure).

Block both of those and Smurfs would disappear.  If you can trace the TRUE
source of such an attack quickly, people will go to jail for this.  The only
reason they are popular is because the source addresses CAN be forged.

THIS CAN BE PREVENTED.

--
-- 
Karl Denninger (karl () MCS Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost