Re: Smurfing

["Steve Hultquist" <ssh () HSAnet net>]

Havard,

--On Friday, February 13, 1998, 11:45 PM +0100 Havard.Eidnes () runit sintef no
wrote: 

> getting Smurfing "under control" takes two things:
>
>  o All router administrators on the immediately reachable
>    Internet needs to turn off directed broadcasts on their router
>    interfaces.

>  o Making sure source IP address spoofing isn't as easily done as
>    it is now.  Also an easy one, right? ;-)

I agree, and this is what we have done. The earlier post (from someone else)
was asking about how to filter *outbound* directed broadcasts, and I didn't
understand how this could be done. A number of my NANOG colleagues have
adamantly agreed that it can't!

>  o While we struggle with the above two, at least some service
>    providers need to become more responsive in tracking these
>    sort of events back to their real source.  No names mentioned,
>    none forgotten.

Agreed. Would it make sense to come up with a cooperative mechanism for this
similar to CERT only faster?

>  o Lastly, I think that better tools are needed to track this
>    sort of attacks back to their source (?).

That would be very difficult, effectively requiring the ability to query
routers and ask if they are seeing packets bound for a specific address. I'd
love to see some tools that would help us do that, however!
--
Steve Hultquist, Chief Technology Officer                       HSAnet
providing high-speed Internet access                 Boulder, Colorado
mailto:ssh () HSAnet net     +1.303.581.0800       http://www.HSAnet.net/