smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

Adrian Chadd adrian at
Sun Dec 28 05:30:35 UTC 1997

Since source address spoofing seems to be the thing, why not bite the
bullet and put filters on from addresses on downstream clients?

It *would* start to blow out the size/complexity of the router
configurations, but if your network is of a decent size you should already
have some router config management tools written :)

But this way, people can only spoof IPs from their own block, and not
random addresses. It would kill smurf attacks, make tracing a tad(?)
easier, etc, etc. And as I've mentioned before, not all types of floods
are ICMP attacks. If you filter ICMP, then I'll start flooding with
spoofed-source-address TCP packets with random sequence numbers and from
IPs. What, you're going to ask routers to track all the TCP connections
going through them now for validation? Erm, how many CPUs more are we
going to need..? :)

I haven't looked at the MCI tools but my opinion is that if people start
putting filters in, you would find the instances of flooding decline. All
that needs to be done now is to discuss the best ways to do it (e.g. setting
up a filter on a Cisco which uses AS path regexps, so you can filter per
interface on what people are announcing to you via BGP. That way, your
downstreams can only send traffic with FROM IPs that they announce, and
anyone who wants to spoof has to be speaking BGP.)
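
The per-interface source filter proposed above, as an added example that is not part of the original post: it collapses each downstream's announced prefixes, checks packet source addresses against them, and renders an IOS-style inbound ACL. The interface names, ACL number and prefix table are constructed (documentation address ranges), and the prefixes are assumed to have already been extracted from the downstream's BGP announcements.

```python
import ipaddress

# Constructed sample: downstream-facing interface -> prefixes that
# downstream announces via BGP (assumed already pulled from the BGP table).
ANNOUNCED = {
    "Serial0": ["192.0.2.0/24"],
    "Serial1": ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"],
}

def build_filters(announced):
    """Collapse adjacent prefixes so the generated config stays small."""
    return {
        ifname: list(ipaddress.collapse_addresses(
            ipaddress.ip_network(p) for p in prefixes))
        for ifname, prefixes in announced.items()
    }

def permitted(filters, ifname, src):
    """True if a packet arriving on ifname may carry source address src.
    Interfaces with no announced prefixes get an empty list: default deny."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filters.get(ifname, []))

def render_acl(filters, ifname, number):
    """Render an inbound extended ACL (address + wildcard mask) for one interface."""
    lines = [
        f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
        for net in filters[ifname]
    ]
    lines.append(f"access-list {number} deny ip any any")
    lines += [f"interface {ifname}", f" ip access-group {number} in"]
    return lines

if __name__ == "__main__":
    filters = build_filters(ANNOUNCED)
    # Constructed packets: (ingress interface, source address)
    samples = [
        ("Serial0", "192.0.2.99"),     # inside own block: passes, even if forged
        ("Serial0", "203.0.113.7"),    # someone else's address: dropped
        ("Serial1", "198.51.100.200"), # covered by the collapsed /24
    ]
    for ifname, src in samples:
        verdict = "permit" if permitted(filters, ifname, src) else "deny"
        print(f"{ifname:8} {src:16} {verdict}")
    print("\n".join(render_acl(filters, "Serial1", 102)))
```

The first sample shows the limit the post itself states: a source forged from within the downstream's own block still passes, so the filter narrows spoofing to that block rather than eliminating it.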

