smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

Adrian Chadd adrian at ourworld.net
Mon Dec 29 00:47:02 UTC 1997


On Sun, 28 Dec 1997, Bradley Reynolds wrote:

> > Huh?
> > ICMP floods vs TCP floods. Aren't they both IP or have I missed something
> > glaringly obvious.
> >  
> Yes, both are independent of the network layer protocol which
> operates beneath them (which in this case is IP)
> 
> The difference is that you can filter icmp separately from tcp
> to give you some sort of granularity with your acl policy.  This
> is important in that if you deny icmp traffic to a specific segment
> of your network (or in from your serial interface for the
> whole thing) you are still vulnerable to the publicized attacks
> which exploit vulnerabilities inherent in TCP.  
>

Yep.
Or just straight out 'let's spew packets' floods.
 
> The whole point for this discussion was that you should be
> a responsible network administrator and understand the trouble
> you could cause the people you are connected to.  Once you understand
> that, you can make use of the facilities that your vendor provides
> to limit the damage so to speak.  

Yep.

I thought it was also just on generic spoofing/flooding and their impact
on *EVERYONE*. Disabling icmp broadcasts on the router interfaces is fine,
but later on someone will come up with something new, take advantage of
(mis)configurations of networks, start blowing people's connections away,
blah, blah, blah.

I for one am for the access lists on interfaces to stop DOWNstreams
abusing your network to flood others. Even if it's just transit (no packet
blooms like in smurf). Quite a bit of the current internet infrastructure
is based upon trusting everyone who is connected to the network. And I for
one certainly don't trust everyone on the network. Tightening up on things
like this now would save a lot of pain and hassles later on.

Adrian
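
Added example, not part of the original post: a vendor-neutral Python model of the two filters discussed in this thread, a per-interface source-address check on downstream links and a block on directed broadcasts into local segments. The interface names, prefixes and sample packets are constructed for illustration (documentation address ranges), not taken from any real network.

```python
import ipaddress

# Hypothetical downstream interfaces and the prefixes assigned to each
# customer (constructed values from the documentation address ranges).
DOWNSTREAM_PREFIXES = {
    "serial0": [ipaddress.ip_network("192.0.2.0/24")],
    "serial1": [ipaddress.ip_network("198.51.100.0/25"),
                ipaddress.ip_network("203.0.113.0/24")],
}

# Hypothetical local segments whose network/broadcast addresses must not
# be reachable from a downstream (the amplification step in smurf).
LOCAL_SEGMENTS = [ipaddress.ip_network("198.51.100.128/25")]


def check_packet(in_iface, src, dst):
    """Return (action, reason) for a packet arriving on a downstream link."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    allowed = DOWNSTREAM_PREFIXES.get(in_iface)
    if allowed is None:
        return ("deny", "unknown interface")
    # Source filter: applies to plain transit floods as well as smurf.
    if not any(src_ip in net for net in allowed):
        return ("deny", "source not assigned to this downstream")
    for seg in LOCAL_SEGMENTS:
        if dst_ip in (seg.network_address, seg.broadcast_address):
            return ("deny", "directed broadcast to local segment")
    return ("permit", "ok")


def summarize(packets):
    """Count denied packets per (interface, reason) for logging/alerting."""
    counts = {}
    for iface, src, dst in packets:
        action, reason = check_packet(iface, src, dst)
        if action == "deny":
            counts[(iface, reason)] = counts.get((iface, reason), 0) + 1
    return counts


# Constructed sample traffic: (ingress interface, source, destination)
SAMPLE = [
    ("serial0", "192.0.2.10", "203.0.113.5"),       # legitimate
    ("serial0", "203.0.113.77", "198.51.100.9"),    # source belongs elsewhere
    ("serial0", "10.1.1.1", "203.0.113.5"),         # source never assigned
    ("serial1", "203.0.113.77", "198.51.100.255"),  # directed broadcast
    ("serial1", "198.51.100.20", "192.0.2.1"),      # legitimate
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
```
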




