spare swamp space?
bross at mindspring.net
Wed Aug 19 07:18:23 UTC 1998
I'm currently working on a project to help reduce the impact of smurf
attacks on our IRC server. Part of the plan requires a /24 of swamp
space. Since I'm sure ARIN wouldn't even consider assigning anything out
of the swamp or anything that small, I'm wondering if any of you might
have one that you're not using and would consider transferring to me.
Since I'm sure questions will arise, and this is operational related, I'll
share the plan. Most smurf attacks we receive are directed at our IRC
server (imagine that). We offer IRC service to both our customers and the
outside world. Our customers are not only on our network, but also on
several other wholesale dialup providers. To minimise the impact of a
smurf attack against our IRC server we will split the server off into 2
servers, one for the outside world and one for our customers only. The
public server will be connected via a T1 to a smurf tracing friendly
transit provider for external connectivity. This T1 will be used for this
purpose only and not be part of the rest of our infrastructure (which is
made up mostly of T3's to transit providers for our external
connectivity). The public server will use an address assigned by the
upstream. There will be a private network connection over Ethernet
between the public and private servers. The private server will be
connected to the rest of our infrastructure and will use an address out of
swamp space. This swamp space will only be advertised to our wholesale
dialup providers on a private peering setup so only machines attached to
these providers will be able to reach the private irc server.
So how does this work? Well, the typical attacker will launch his smurf
attack against irc.mindspring.com. irc.mindspring.com resolves to an
address within that swamp space I discussed. When the echo-reply from a
far off network without "no ip directed-broadcast" gets sent, it has
nowhere to go because their upstream doesn't have a route for it.
So what happens if they attack the public server? The public server,
since it's separated from the rest of our network will at least not effect
our customers, only people connected to our public irc server from the
So why don't you just use private IP space? That would require that we
and our wholesale providers agree on a private block to use for this
purpose. Even if this can be done, if/when we add another wholesaler,
who's to say if they will agree to that space as well?
Well, you could use NAT between private space in your network and your
wholesalers, you say?. I'm trying to keep this as simple and inexpensive
as possible. While I'm sure NAT would work fine, I'd like to avoid it if
So, any takers?
Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info at mindspring.com
Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
More information about the NANOG