smurf, the MCI-developed tracing tools (was Re: Bogus announcement)
adrian at ourworld.net
Sun Dec 28 23:52:29 UTC 1997
On Sun, 28 Dec 1997, Karl Denninger wrote:
> > are ICMP attacks. If you filter ICMP, then I'll start flooding with
> > spoofed source addresses TCP packets with random sequence numbers and from
> > IPs. What, you're going to ask routers to track all the TCP connections
> > going through them now for validation? Erm, how many CPUs more are we
> > going to need..? :)
> If you did this the trace would be TRIVIAL.
ICMP floods vs TCP floods. Aren't they both IP or have I missed something
> Then, the source network of the problem gets BGP-dropped until they kill the
> source account and/or connection. This reduces smurfing to a ONE TIME
> event, makes prosecution easy (anyone who thinks that such an attack,
> launched on interstate facilities, against any regional or larger ISP isn't
> something the Feds will want to get into is dreaming - its a slam-dunk that
> the limits on damage have been exceeded) and further, raises the bar on
> people who claim that they "can't fix this".
> All you need to do is prevent out-of-bounds traffic from being sent into
> your dedicated and dial equipment, and the problem now becomes trivial
> to solve.
> If it can be EASILY traced, it will stop being done. If you put these
> filters in place, the Smurfer will try to use a forged address and be dismayed
> when *nothing happens*. What's better, he won't KNOW that he's been
> filtered, and if you log the attempts you will know that someone tried and
> failed - which is a perfect reason to cancel their service.
Ok, so I agree with you completely. I thought I had made myself rather
clear in the beginning. Oh well.
I for one will be looking at integrating it into the setup here. Bar
possible router load issues, it is a good idea and means when (and if)
spoof attacks originate from our networks I can happily point to the
client rather easily. :)
More information about the NANOG