nanog mailing list archives

Re: smurf, the MCI-developed tracing tools (was Re: Bogus announcement)


From: Adrian Chadd <adrian () ourworld net>
Date: Mon, 29 Dec 1997 10:52:29 +1100 (EST)

On Sun, 28 Dec 1997, Karl Denninger wrote:

are ICMP attacks. If you filter ICMP, then I'll start flooding with
spoofed source addresses TCP packets with random sequence numbers and from
IPs. What, you're going to ask routers to track all the TCP connections
going through them now for validation? Erm, how many CPUs more are we
going to need..? :)

If you did this the trace would be TRIVIAL. 


Huh?
ICMP floods vs TCP floods. Aren't they both IP or have I missed something
glaringly obvious?
 
Then, the source network of the problem gets BGP-dropped until they kill the
source account and/or connection.  This reduces smurfing to a ONE TIME
event, makes prosecution easy (anyone who thinks that such an attack,
launched on interstate facilities, against any regional or larger ISP isn't
something the Feds will want to get into is dreaming - it's a slam-dunk that
the limits on damage have been exceeded) and further, raises the bar on 
people who claim that they "can't fix this".


Yep.
 
All you need to do is prevent out-of-bounds traffic from being sent into
your dedicated and dial equipment, and the problem now becomes trivial 
to solve.


Yep.
 
If it can be EASILY traced, it will stop being done.  If you put these
filters in place, the Smurfer will try to use a forged address and be dismayed
when *nothing happens*.  What's better, he won't KNOW that he's been
filtered, and if you log the attempts you will know that someone tried and
failed - which is a perfect reason to cancel their service.

Yep.

Ok, so I agree with you completely. I thought I had made myself rather
clear in the beginning. Oh well.

I for one will be looking at integrating it into the setup here. Bar
possible router load issues, it is a good idea and means when (and if)
spoof attacks originate from our networks I can happily point to the
client rather easily. :)

adrian
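
Added example, not part of the original message or of any tool mentioned in the thread: a sketch of the per-port source-address check discussed above, showing that it is stateless (the same test applies to ICMP and TCP, with no connection tracking) and that logged drops point at the customer port. Port names, prefixes and the sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical customer ports and the prefixes assigned to them (documentation ranges).
ASSIGNED = {
    "dial-17": ["192.0.2.16/28"],
    "ded-acme": ["198.51.100.0/24", "203.0.113.64/26"],
}

def build_table(assigned):
    """Parse the prefix strings once so each packet check is a cheap membership test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def check_source(table, port, src):
    """Return True if src lies inside a prefix assigned to the port it arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(port, []))

def filter_packets(table, packets):
    """Split packets into forwarded and dropped; count drops per port for the log."""
    forwarded, dropped, attempts = [], [], Counter()
    for pkt in packets:
        port, src, _dst, _proto = pkt
        if check_source(table, port, src):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            attempts[port] += 1
    return forwarded, dropped, attempts

# Constructed sample traffic: (ingress port, source, destination, protocol).
SAMPLE = [
    ("dial-17", "192.0.2.18", "203.0.113.70", "tcp"),
    ("dial-17", "198.51.100.9", "203.0.113.255", "icmp"),  # out-of-bounds source, ICMP
    ("dial-17", "198.51.100.9", "203.0.113.70", "tcp"),    # out-of-bounds source, TCP
    ("ded-acme", "203.0.113.65", "192.0.2.18", "icmp"),
    ("ded-acme", "203.0.113.130", "192.0.2.18", "tcp"),    # outside the assigned /26
]

if __name__ == "__main__":
    fwd, drop, attempts = filter_packets(build_table(ASSIGNED), SAMPLE)
    for port, src, dst, proto in drop:
        print(f"DROP port={port} src={src} dst={dst} proto={proto}")
    for port, n in attempts.items():
        print(f"{port}: {n} packet(s) with out-of-bounds source")
```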



