Router modifications to deal with smurf
Kelly J. Cooper
kcooper at bbnplanet.com
Mon Apr 27 20:12:33 UTC 1998
There is no noise, only signal. There is no signal, only noise.
On Apr 26, 3:35pm, Craig A. Huegen wrote:
*On Sat, 25 Apr 1998, Rusty Zickefoose wrote:
*==> We request that your routers be configurable, at the interface
*==>level, to prevent the forwarding of an ICMP echo-request packet through an
*==>interface that has a broadcast or wire address that matches the
*==>destination address of that packet. We also request that the default
*==>configurations of your routers be modified to prevent said forwarding.
*This is against RFC 1812.
*RFC 1812, "Requirements for IP Version 4 Routers", Section 5.3.5,
* A router MAY have an option to disable receiving network-prefix-
* directed broadcasts on an interface and MUST have an option to
* disable forwarding network-prefix-directed broadcasts. These options
* MUST default to permit receiving and forwarding network-prefix-
* directed broadcasts.
Yes, well, the fact that most vendors do NOT have a knob to turn this
off is also against RFC 1812 (same paragraph, previous sentence) and
that's a big part of the smurf problem.
*Someone has stated before that editor(s) of said RFC are aware of this and
*have discussed the change in default.
No, jhawk said the editor(s) are "certainly aware" of the fact that
the RFC could use some updating. No one said that they actually are
aware, nor whether anyone is making an effort to update the document.
If anyone originally associated with the document IS in fact working
to change RFC 1812, I'd really like to hear about it. Privately or
publicly. Please feel free to forward this note to the relevant
parties if you know them. I have a keen interest in the topic.
*Note that I'm not arguing that it *should* be the default, I'm just
*arguing that vendors have implemented it this way because that's the way
*they were told to in the RFC. If after reading
*http://www.quadrunner.com/~chuegen/smurf.txt, you think that I believe
*directed-broadcasts should be on by default, go back and read again. =)
The point is that forwarding directed broadcasts should be off by
default and that:
1. RFC 1812 should be changed to reflect this and
2. Vendors should modify their code to reflect this
Whether these two things happen in parallel or serial is relevant
only inasmuch as the vendor doth protest that one must come
before the other. They should both occur.
And if a vendor wants to argue that they are in keeping with RFC 1812
by having the forwarding of directed broadcasts on by default BUT
do not have a knob built in to turn it off, then that looks a bit
hypocritical and they open themselves up to all sorts of taunting.
*Now, since this has been beaten past the jelly stage, can we please put
*the topic to sleep? Thank you.
I seriously doubt that this topic is going to die until Smurf attacks
get quite a bit smaller or go out of vogue.
Just to be clear, Rusty asked whether requesting that the various
vendors in the world create a knob to turn off the forwarding of
directed broadcasts combined with requesting that it is configured
off as a default setting would meet with approval by most of the
readers of NANOG, not whether it was feasible or in keeping with
It is a known thing that this type of request doesn't meet the
criteria of the RFC and lots of different folks are hoping that the
RFC will change. I'm wondering whether there's any duplication of
effort to that end (or any effort at all) going on.
Kelly J. Cooper - Internet Security Officer
GTE Internetworking - Powered by BBN - 800-632-7638
150 Cambridge Park Drive Fax - 617-873-5508
Cambridge, MA 02140 http://www.bbn.com
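The forwarding rule Rusty's request describes (drop an ICMP echo-request whose destination matches the broadcast or wire address of the interface it would be sent out of, unless an operator has turned a per-interface knob on, with the knob defaulting to off) modeled in Python. This is an added example written for this page, not code from the original post or any router vendor; the interface names, prefixes, the `Router` and `Interface` classes, and the sample packets are all constructed for illustration.

```python
"""Model of the per-interface 'forward directed broadcasts' knob discussed
in the thread. Hypothetical code for this page, not a vendor implementation.
Interface names, prefixes and packets below are constructed examples."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Addr = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    prefix: IPv4Net
    # The knob RFC 1812 5.3.5 says a router MUST have. The RFC says it MUST
    # default to permit; the thread argues the default should be deny, which
    # is what this model does.
    forward_directed_broadcast: bool = False

    def directed_broadcast_addresses(self) -> set[IPv4Addr]:
        # Both the all-ones broadcast and the all-zeros "wire" address of the
        # prefix count as network-prefix-directed broadcasts for this link.
        return {self.prefix.broadcast_address, self.prefix.network_address}


@dataclass
class Router:
    interfaces: list[Interface]

    def egress_for(self, dst: IPv4Addr) -> Interface | None:
        # Longest-prefix match over connected interfaces only; enough for the model.
        candidates = [i for i in self.interfaces if dst in i.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda i: i.prefix.prefixlen)

    def decide(self, src: str, dst: str) -> str:
        """Forwarding decision for a transit ICMP echo-request from src to dst:
        'forward', 'drop-directed-broadcast' or 'no-route'."""
        dst_ip = IPv4Addr(dst)
        egress = self.egress_for(dst_ip)
        if egress is None:
            return "no-route"
        if (dst_ip in egress.directed_broadcast_addresses()
                and not egress.forward_directed_broadcast):
            return "drop-directed-broadcast"
        return "forward"

    def echo_replies_to(self, src: str, dst: str, hosts_on_lan: int) -> int:
        """Number of echo replies the (possibly spoofed) source address receives
        if every host on the egress LAN answers a broadcast echo-request."""
        return hosts_on_lan if self.decide(src, dst) == "forward" else 0


def build_example_router() -> Router:
    # Constructed topology: an upstream link and one LAN that could amplify.
    return Router([
        Interface("outside", IPv4Net("198.51.100.0/30")),
        Interface("lan", IPv4Net("192.0.2.0/24")),
    ])


def enable_knob(router: Router, name: str) -> None:
    # The operator override: forward directed broadcasts out of one interface.
    for i in router.interfaces:
        if i.name == name:
            i.forward_directed_broadcast = True


if __name__ == "__main__":
    r = build_example_router()
    victim = "203.0.113.7"   # spoofed source in a smurf packet (constructed)
    for dst in ("192.0.2.255", "192.0.2.0", "192.0.2.10", "10.0.0.1"):
        print(dst, r.decide(victim, dst), r.echo_replies_to(victim, dst, 200))
    enable_knob(r, "lan")
    print("knob on:", r.decide(victim, "192.0.2.255"),
          r.echo_replies_to(victim, "192.0.2.255", 200))
```

With the knob at its modeled default the spoofed echo-request to 192.0.2.255 is dropped and the victim sees nothing; flipping the knob on for the LAN turns the same packet into one reply per host on that segment, which is the amplification the thread is about. Ordinary unicast traffic into the LAN is forwarded in both states, so the default costs nothing for normal use.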