smurf, the MCI-developed tracing tools

Karl Denninger karl at
Mon Dec 29 14:19:02 UTC 1997

On Sun, Dec 28, 1997 at 09:17:28PM -0700, Dax Kelson wrote:
> > Adrian wrote:
> > > But this way, people can only spoof IPs from their own block, and not
> > > random addresses. It would kill smurf attacks, make tracing a tad(?)
> > > easier, etc, etc. And as I've mentioned before, not all types of floods
> > > are ICMP attacks. If you filter ICMP, then I'll start flooding with
> > > spoofed source addresses TCP packets with random sequence numbers and from
> > > IPs. What, you're going to ask routers to track all the TCP connections
> > > going through them now for validation? Erm, how many CPUs more are we
> > > going to need..? :)
> Something else that needs to be done is we need DEFAULT anti-spoof filters
> on all dialin boxes such as those made by Livingston, Ascend, USR, etc.
> When a customer calls in and gets assigned an IP address the box should
> automatically apply an anti-spoof filter to that port dropping any
> packets with an IP source different than the one assigned.
> Of course you need a way to overide that for customers who have networks
> routed to them.  The box could the RADIUS "Framed-Route" entry as a hint
> to which networks to forward IPs from. 
> I've had an RFE in with Livingston for over a year to get that added to
> ComOS.
> Dax Kelson
> Internet Connect, Inc.

Actually, if you have a "Framed-Route" entry, that's all you need.

I'll talk to Livingston about this.  They, uh, listen to our "suggestions";
we're a rather large user of their products.  :-)

Karl Denninger (karl at MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin          | T1's from $600 monthly to FULL DS-3 Service
			     | NEW! K56Flex support on ALL modems
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost

More information about the NANOG mailing list