smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

Karl Denninger karl at mcs.net
Sun Dec 28 18:05:33 UTC 1997


On Sat, Dec 27, 1997 at 11:10:55PM -0500, Ken Leland wrote:
> Karl wrote:
> > However, if a forged-source data stream IS traced to one of your customers,
> > expect a harsh response from the general network community.  This attack is
> > well-enough known by now that I consider anyone unable to immediately and
> > permanently deal with such an incident to be somewhere beneath contempt.
> > 
> 
> Well, it is going to take more education and pain, apparently.
> I've got 3 national backbones upstream and they all have a hell of a
> time just getting icmp-echo-reply  filters in within hours of attack
> onset, and usually get nowhere with tracing this to an end perp.
> Granted, it's a difficult, cooperative problem.
> 
> One of the better respected of them, told me that their philosophy
> was to deliver all packets to me regardless of the source/type.
> This corker is the type of logic one can apparently come up with
> when one's routers at Pensaulken are near fall-over.
> This upstream did install the filter, after escalation, fortunately.

You don't want to filter ICMPs.  What you want to filter is ANYTHING which
came from an invalid source address *at your entrance* from your customer
connections.

Now, for backbone<>backbone connections, this is impossible - granted.

But for end-user<>backbone connections, it is not only not impossible, it is
virtually a REQUIREMENT.

> a problem where backbones have to choose between expensive filtering of
> ICMP-echo-replies for very long periods of time or allowing customer
> connections to be randomly swamped (rendered useless) for hours by bored
> 13-year-olds, from virtually anywhere on the net.  The latter is of,
> essentially, zero economic value to us, at least.

Well, yes.

> The current cost of per link filtering is apparently causing the
> backbone networks major grief. 

That's because people are doing it on the packet TYPE.  If you filter on the
source *address*, at the ingress point to your network, it causes much less
pain.

> This problem is disrupting the service of every ISP in our region
> on a frequent basis and it is getting worse week by week.

Yes.

> A sometimes-seen tendency to suggest that only a few ISPs with problem-
> attracting users are affected by this does not recognize the breadth or depth
> of the problem, nor where it is heading.
> 
> Ken Leland
> Monmouth Internet

Correct.  

The fix is to deny inbound traffic from any connection which has an invalid
source address.  You *KNOW* what the valid addresses are if you connect
someone - if I give someone 205.164.6.0/24, then anything with a source
address outside of that /24 is INVALID by definition and I should refuse 
to accept it.

This is NOT difficult to do, nor is it expensive.  Until it becomes a
standard part of end-user connections this problem is going to remain
extremely difficult to trace.

--
-- 
Karl Denninger (karl at MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
			     | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
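The two filtering approaches argued over in this thread, as an added worked example (not code from Karl's post or from MCSNet): a model of a customer-facing ingress filter that drops anything whose source address lies outside the prefix assigned to that link, next to the core-side workaround of dropping every ICMP echo-reply by type. The 205.164.6.0/24 prefix is the one named in the post; all packets are constructed here, and the other addresses are RFC 5737 documentation ranges standing in for a victim and a remote host.

```python
"""Ingress source-address filtering (per customer link) versus filtering on
packet type (ICMP echo-reply) in the core.  Added illustration; the traffic
below is constructed, not captured."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def ingress_source_filter(customer_prefixes: List[str],
                          packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Filter applied where a customer link enters the provider's network.

    The provider knows exactly which prefixes it assigned to the link, so any
    packet arriving with a source outside them is forged by definition and is
    dropped regardless of protocol or ICMP type."""
    nets = [ipaddress.ip_network(p, strict=True) for p in customer_prefixes]
    accepted, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt.src)
        (accepted if any(src in n for n in nets) else dropped).append(pkt)
    return accepted, dropped


def icmp_echo_reply_filter(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """The per-link, type-based workaround the thread complains about: drop
    every ICMP echo-reply, wherever it came from.  It throws away legitimate
    replies and does nothing about forged sources carried in other packets."""
    def is_echo_reply(p: Packet) -> bool:
        return p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REPLY

    accepted = [p for p in packets if not is_echo_reply(p)]
    dropped = [p for p in packets if is_echo_reply(p)]
    return accepted, dropped


# Constructed traffic as seen on the 205.164.6.0/24 customer link.
# 198.51.100.7 plays a victim whose address is being forged.
SAMPLE_TRAFFIC = [
    Packet("205.164.6.10", "192.0.2.5", "icmp", ICMP_ECHO_REQUEST),   # legitimate ping
    Packet("205.164.6.10", "192.0.2.5", "icmp", ICMP_ECHO_REPLY),     # legitimate reply
    Packet("198.51.100.7", "203.0.113.1", "icmp", ICMP_ECHO_REQUEST), # forged source
    Packet("198.51.100.7", "203.0.113.1", "tcp"),                      # forged source, TCP
]


def compare_filters(customer_prefixes: List[str], packets: List[Packet]) -> dict:
    """Summarise what each filter accepts and drops, and how many forged-source
    packets each one lets through."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]

    def forged(p: Packet) -> bool:
        return not any(ipaddress.ip_address(p.src) in n for n in nets)

    src_acc, src_drop = ingress_source_filter(customer_prefixes, packets)
    type_acc, type_drop = icmp_echo_reply_filter(packets)
    return {
        "source_filter": {"accepted": len(src_acc), "dropped": len(src_drop),
                          "forged_passed": sum(forged(p) for p in src_acc)},
        "type_filter": {"accepted": len(type_acc), "dropped": len(type_drop),
                        "forged_passed": sum(forged(p) for p in type_acc)},
    }


if __name__ == "__main__":
    for name, stats in compare_filters(["205.164.6.0/24"], SAMPLE_TRAFFIC).items():
        print(f"{name:14s} accepted={stats['accepted']} dropped={stats['dropped']} "
              f"forged_passed={stats['forged_passed']}")
```

Run against the constructed traffic, the source-address filter drops exactly the two forged packets and keeps both legitimate ones, while the echo-reply filter discards the customer's own legitimate reply and still forwards both forged packets. That is the asymmetry Karl is pointing at: the type-based filter costs the core capacity and correctness on every link, whereas the source check needs only the prefix list the provider already has for the link.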


