Filtering ICMP (Was Re: SMURF amplifier block list)

Mark Whitis whitis at
Sat Apr 25 03:23:10 UTC 1998

On Thu, 23 Apr 1998, Jason Lixfeld wrote:

> Then how do you propose to effectively block smurf coming IN?  You are
> totally asking for it if you need to rely on your upstreams to protect
> you.  I agree with you.  If we all deny ICMP, yeah it will fuck up the
> Internet -- Good.  I hope we all suffer.  Maybe then people will

Go back to the message that started the original thread.

The people you adversely affect by your actions will be totally innocent
victims.  If, on the othere hand, you block the networks which
are amplifying the smurf you will affect those orginizations who
are guilty of contributory negligence and their employees/customers.

1) installing a router under your control on the upstream end of
your uplink is a good idea if you want to minimize the load on
your upstream end (this may result in two routers directly

2) install your detection software to detect attacks, and
semi-automatically (with approval from your 24 hour NOC staff)
configures the countermeasures (below)

2) Filter out everything to/from the offending amplifier networks (not
just icmp) on your upstream router (if you have it, downstream otherwise),
except http: (if you can implement the next countermeasure)

3) If you have the capability (you can do this with a linux box
and probably a *BSD box as well), redirect http traffic to the
amplifier network or from the amplifier network to your "access
denied" "web server" which simply responds to all http: queries
with a temporary redirect to a non-cacheable page which explains why
access was denied and gives
the contact email and phone number for the offending networks NOC
(possibly automatically extracted from whois).

4) when the amplifier network blocks the smurf and traces it to
the originating network (and sends you the trace), unblock them
and block the originating network (or the next negligent network).

5) unblock the originating network when they terminate the
offending partie and install filters to prevent recurrence.

Announce any blocks.  At the moment, nanog might be the most
appropriate forum.

This isn't the cheapest solution but it would be far more
effective at stamping out smurf.  And the tools used
put you in a much better situation to deal with similar
attacks.  If you don't have the resources to do this, get
your upstream to do this;  if you don't have an upstream,
then there is little excuse for your network not having the
resources to deal with stuff like this.

On a separate but related matter, I have thrown together a web page which
details many common ISP/network administrator mistakes which cause others
lots of grief, including the kinds discussed in these threads
If you have additions, particularly those, which are:
  - pervasive mistakes, or
  - not necessarily obvious
send me email off list.  Links to relevent or similar pages are

---  Mark Whitis <whitis at>     WWW: ---
---  428-B Moseley Drive; Charlottesville, VA 22903        804-962-4268 ---

More information about the NANOG mailing list