Mike Hedlund mike at
Mon Dec 8 18:23:50 UTC 1997

On Tue, 9 Dec 1997, Adrian Chadd wrote:

> On Fri, 5 Dec 1997, Wayne Bouchard wrote:
> [snip]
> > threaten the most disruption of internet services. With ISDN and
> > DSL, users have the bandwidth necessary to generate even more
> > dangerous levels of traffic. If you don't think this issue affects
> > you, it does. If you're not a target, you're probably being used
> > as a source.
> I agree totally.
> A couple of problems:
> * Filtering ALL ICMP is pretty silly, ICMP is there for more than just
>   pings, and some of it is important.

Sure.. but it won't take a genius on the attacker's side to figure out what
types aren't being blocked, and use those..

> * If people start doing this, someone with a smidgen of time on their
>   hands will write a ping flooder that uses random TCP or UDP packets
>   with spoofed from addresses.

Well.. the main problem with smurf is that as far as I know, it uses the
reply from a broadcast. That will rule out TCP unless they send a direct
flow from the attacker's box to the destination/victim's box. For UDP,
you would have to send it to a broadcast, and also hope there is a UDP
service listening (ie.. a test program I wrote sent 1 UDP broadcast to
and received a whole bunch of replies.. turning off small
services on routers would be helpful.. :)). You could also do that to
any network, the point being.. it's easier to disable simple UDP services
than to set up filters on border routers..
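
The distinction drawn in this message (traffic sent to a subnet broadcast address draws many replies, and UDP small services are what answer it) written as a defender-side classifier for border traffic. This is an added example, not part of the original post; the subnets, sample packets and label names are constructed, and the port list is the standard echo/daytime/chargen small-service set.

```python
import ipaddress

# UDP small services that answer any datagram they receive (well-known ports).
SMALL_UDP = {7: "echo", 13: "daytime", 19: "chargen"}

# Constructed local subnets (documentation ranges); an assumption for this example.
SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "198.51.100.0/24")]

# Constructed sample packets: (src, dst, proto, udp_port_or_icmp_type).
# In a smurf-style flood the source is the spoofed victim address.
SAMPLE = [
    ("203.0.113.9", "192.0.2.127", "icmp", 8),     # echo request to the /25 broadcast
    ("203.0.113.9", "198.51.100.255", "udp", 7),   # UDP echo to the /24 broadcast
    ("203.0.113.9", "198.51.100.255", "udp", 53),  # broadcast, replies only if a listener exists
    ("203.0.113.9", "198.51.100.20", "udp", 19),   # unicast chargen: small service still enabled
    ("203.0.113.9", "192.0.2.255", "icmp", 8),     # ends in .255 but is not a local broadcast
]


def classify(src, dst, proto, num):
    """Label one packet by how much reply traffic it can trigger toward src."""
    addr = ipaddress.ip_address(dst)
    net = next((n for n in SUBNETS if addr in n), None)
    # Compare against the real broadcast of the matching subnet, not a ".255" guess.
    is_bcast = net is not None and addr == net.broadcast_address
    if is_bcast and proto == "icmp" and num == 8:
        return "bcast-icmp-echo"
    if is_bcast and proto == "udp" and num in SMALL_UDP:
        return "bcast-udp-" + SMALL_UDP[num]
    if is_bcast:
        return "bcast-other"
    if proto == "udp" and num in SMALL_UDP:
        return "unicast-small-service"
    return "ok"


def report(packets=SAMPLE):
    """Return the label for every packet, in order."""
    return [classify(*p) for p in packets]


if __name__ == "__main__":
    for pkt, label in zip(SAMPLE, report()):
        print(label, pkt)
```

The first two labels are candidates for a border filter on broadcast-destined traffic; `unicast-small-service` marks hosts where disabling the small services removes the responder altogether.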

