smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

Ken Leland kwl at
Sun Dec 28 04:10:55 UTC 1997

Karl wrote:
> However, if a forged-source data stream IS traced to one of your customers,
> expect a harsh response from the general network community.  This attack is
> well-enough known by now that I consider anyone unable to immediately and
> permanently deal with such an incident to be somewhere beneath contempt.

Well, it is going to take more education and pain, apparently.
I've got 3 national backbones upstream and they all have a hell of a
time just getting icmp-echo-reply filters in within hours of attack
onset, and usually get nowhere with tracing this to an end perp.
Granted, it's a difficult, cooperative problem.

One of the better respected of them told me that their philosophy
was to deliver all packets to me regardless of the source/type.
This corker is the type of logic one can apparently come up with
when one's routers at Pennsauken are near fall-over.
This upstream did install the filter, after escalation, fortunately.

Until Cisco, et al., improve routers to the point where there is
low-cost icmp rate-limiting (or some other better solution) we will have
a problem where backbones have to choose between expensive filtering of
ICMP-echo-replies for very long periods of time or allowing customer
connections to be randomly swamped (rendered useless) for hours by bored
13-year-olds, from virtually anywhere on the net.  The latter is of,
essentially, zero economic value to us, at least.

The current cost of per link filtering is apparently causing the
backbone networks major grief. It is the only current, practical solution,
as far as I can see, and yet they will do it very reluctantly because
of the cpu impact. The will to trace this attack seems to be declining also,
from my observation, as the success rate continues to be very poor
(less than 5 percent by one upstream account, I doubt my other
upstreams are even this organized).

We need to get router fixes in place urgently, or bite the
bullet on increased costs all around for expensive filters for long periods
in current routers, with consequently more routers required.
Backbone security teams should be reinforced as they appear to be losing 
their spirit.

This problem is disrupting the service of every ISP in our region
on a frequent basis and it is getting worse week by week.

A sometimes-seen tendency to suggest that only a few ISPs with
problem-attracting users are affected by this does not recognize the breadth
or depth of the problem, nor where it is heading.

Ken Leland
Monmouth Internet

