Re: smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

[Karl Denninger <karl () mcs net>]

On Sun, Dec 28, 1997 at 04:30:35PM +1100, Adrian Chadd wrote:
> Since source address spoofing seems to be the thing, why not bite the
> bullet and put filters on from addresses on downstream clients?
>
> It *would* start to blow out the size/complexity of the router
> configurations, but if your network is of a decent size you should already
> have some router config management tools written :)
>
> But this way, people can only spoof IPs from their own block, and not
> random addresses. It would kill smurf attacks, make tracing a tad(?)
> easier, etc, etc. And as I've mentioned before, not all types of floods
> are ICMP attacks. If you filter ICMP, then I'll start flooding with
> spoofed source addresses TCP packets with random sequence numbers and from
> IPs. What, you're going to ask routers to track all the TCP connections
> going through them now for validation? Erm, how many CPUs more are we
> going to need..? :)

If you did this the trace would be TRIVIAL. 

Then, the source network of the problem gets BGP-dropped until they kill the
source account and/or connection.  This reduces smurfing to a ONE TIME
event, makes prosecution easy (anyone who thinks that such an attack,
launched on interstate facilities, against any regional or larger ISP isn't
something the Feds will want to get into is dreaming - its a slam-dunk that
the limits on damage have been exceeded) and further, raises the bar on 
people who claim that they "can't fix this".

> I haven't looked at the MCI tools but my opinion is that if people start
> putting filters in, you would find the instances of flooding decline. All
> that needs to be done now is to discuss the best ways to do it (eg setting
> up a filter on a cisco which uses AS path regexps, so you can filter per
> interface on what people are announcing to you via BGP. That way, your
> downstreams can only send traffic with FROM IPs that they announce, and
> anyone who wants to spoof has to be speaking BGP. )
>
> Adrian

All you need to do is prevent out-of-bounds traffic from being sent into
your dedicated and dial equipment, and the problem now becomes trivial 
to solve.

If it can be EASILY traced, it will stop being done.  If you put these
filters in place, the Smurfer will try to use a forged address and be dismayed
when *nothing happens*.  What's better, he won't KNOW that he's been
filtered, and if you log the attempts you will know that someone tried and
failed - which is a perfect reason to cancel their service.

--
-- 
Karl Denninger (karl () MCS Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost