smurf, the MCI-developed tracing tools (was Re: Bogus announcement)
karl at mcs.net
Sun Dec 28 18:05:33 UTC 1997
On Sat, Dec 27, 1997 at 11:10:55PM -0500, Ken Leland wrote:
> Karl wrote:
> > However, if a forged-source data stream IS traced to one of your customers,
> > expect a harsh response from the general network community. This attack is
> > well-enough known by now that I consider anyone unable to immediately and
> > permanently deal with such an incident to be somewhere beneath contempt.
> Well, it is going to take more education and pain, apparently.
> I've got 3 national backbones upstream and they all have a hell of a
> time just getting icmp-echo-reply filters in within hours of attack
> onset, and usually get nowhere with tracing this to an end perp.
> Granted, it's a difficult, cooperative problem.
> One of the better respected of them, told me that their philosophy
> was to deliver all packets to me regardless of the source/type.
> This corker is the type of logic one can apparently come up with
> when one's routers at Pensaulken are near fall-over.
> This upstream did install the filter, after escalation, fortunately.
You don't want to filter ICMPs. What you want to filter is ANYTHING which
came from an invalid source address *at your entrance* from your customer.
Now, for backbone<>backbone connections, this is impossible - granted.
But for end-user<>backbone connections, it is not only not impossible, it is
virtually a REQUIREMENT.
> a problem where backbones have to choose between expensive filtering of
> ICMP-echo-replies for very long periods of time or allowing customer
> connections to be randomly swamped (rendered useless) for hours by bored
> 13 year olds, from virtually anywhere on the net. The latter is of,
> essentially, zero economic value to us, at least.
> The current cost of per link filtering is apparently causing the
> backbone networks major grief.
That's because people are doing it on the packet TYPE. If you filter on the
source *address*, at the ingress point to your network, it causes much less
> This problem, is disrupting the service of every isp in our region
> on a frequent basis and it is getting worse week by week.
> A sometimes-seen tendency to suggest that only a few ISPs with problems
> attracting users are affected by this does not recognize the breadth or depth
> of the problem, nor where it is heading.
> Ken Leland
> Monmouth Internet
The fix is to deny inbound traffic from any connection which has an invalid
source address. You *KNOW* what the valid addresses are if you connect
someone - if I give someone 188.8.131.52/24, then anything with a source
address outside of that /24 is INVALID by definition and I should refuse
to accept it.
This is NOT difficult to do, nor is it expensive. Until it becomes a
standard part of end-user connections this problem is going to remain
extremely difficult to trace.
Karl Denninger (karl at MCS.Net) | MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/               | T1's from $600 monthly to FULL DS-3 Service
                                  | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]     | EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929]            | *SPAMBLOCK* Technology now included at no cost
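The contrast Karl draws above, as an added example that is not part of the original thread: a small model of per-customer source-address ingress filtering set beside the ICMP-echo-reply type filter he argues against, run over a few constructed packets. The customer prefix is the one quoted in the post; the interface names, the second customer prefix, the sample traffic and the IOS-style ACL rendering are assumptions for illustration.

```python
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    iface: str   # customer-facing port the packet arrived on
    src: str     # source address as written in the IP header
    dst: str
    proto: str   # "icmp-echo-request", "icmp-echo-reply", "tcp", ...


# Constructed assignment table: prefixes each customer port is allowed to source.
# 188.8.131.52/24 is the prefix quoted in the post; strict=False masks the host bits.
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("188.8.131.52/24", strict=False)],
    "cust-B": [ipaddress.ip_network("10.20.0.0/22")],  # constructed second customer
}


def ingress_accept(pkt: Packet) -> bool:
    """Karl's rule: accept only if src lies inside a prefix assigned to the ingress port."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in CUSTOMER_PREFIXES.get(pkt.iface, []))


def icmp_type_accept(pkt: Packet) -> bool:
    """The packet-TYPE filter the post criticises: drop every echo-reply, forged or not."""
    return pkt.proto != "icmp-echo-reply"


def wildcard_acl(iface: str) -> list:
    """Render the source-address policy as IOS-style extended ACL lines (syntax assumed)."""
    lines = [f"access-list 101 permit ip {net.network_address} {net.hostmask} any"
             for net in CUSTOMER_PREFIXES[iface]]
    lines.append("access-list 101 deny ip any any log")
    return lines


SAMPLE = [  # constructed traffic seen on customer ports (documentation ranges)
    Packet("cust-A", "188.8.131.7", "192.0.2.9", "icmp-echo-request"),   # legitimate ping
    Packet("cust-A", "188.8.131.7", "192.0.2.9", "icmp-echo-reply"),     # legitimate reply
    Packet("cust-A", "203.0.113.5", "198.51.100.255", "icmp-echo-request"),  # forged source
    Packet("cust-B", "10.20.3.9", "192.0.2.9", "tcp"),                    # valid, unrelated
]


def compare(packets) -> list:
    """Per packet: (src, accepted by address filter, accepted by type filter)."""
    return [(p.src, ingress_accept(p), icmp_type_accept(p)) for p in packets]
```

The address filter passes both legitimate ICMP packets and drops only the forged one, while the type filter drops the legitimate echo-reply and lets the forged echo-request through.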