Actions to quiet the Smurf amplifiers?

Phil Howard phil at whistler.intur.net
Mon Oct 19 19:19:00 UTC 1998


Dan Hollis replied:

> On Mon, 19 Oct 1998, Phil Howard wrote:
> > Dan Hollis wrote:
> > > The last site I dealt with took _3 weeks_ to close their amplifiers once
> > > they were notified. And this was a multimillion dollar publishing company.
> > Wow, you sure get them to act quickly!  How did you manage to get a big
> > monstrous behemoth like "corporate america" to move that fast?  :-)
> 
> They did nothing for two weeks, then their upstream threatened to pull
> their connection.
> 
> If there were only some way to blackhole smurf amplifier routes
> globally... sigh.

There is.

The method involves a software design change in the routers.  For each
arriving packet, in addition to doing a routing lookup based on the
destination, also do a routing lookup based on the source address.
If the interface the packet arrived on is NOT in the list of addresses
that routing back to the source suggests, then discard the packet.
That will drop the majority of packets before they even read smurf
amplifiers, as they are generally forge-sourced to the ultimate target
of the attack.  The first router hop with this implemented where the
source address is invalid will stop the attack.  The core backbone
probably does not need to have this enabled, but all the leafs from it
should to ensure no forged sources can get through.

I have access list filters in place that block all sources from other
than my network space.  I also block all incoming to *.*.*.255.  There
should be no smurf originations or amplications in my network (except
non-forged from within, which we can deal with anyway, e.g. cancel,
fire, prosecute, etc.).

-- 
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at intur.net        |  --
    -- *-----------------------------*      philh at intur.net       * --



More information about the NANOG mailing list