Huge smurf attack
Alex P. Rudnev
alex at Relcom.EU.net
Mon Jan 11 18:55:17 UTC 1999
The only way to prevent most of such attacks is to have STRICT
RESTRICTION for frauding SRC addresses over most of ISP.
While most ISP (including the greatest scientific and education networks)
does allow any their user to sent packets with foreint SRC address, no
any chance to stop this kind of computing hooliganian. Fortunately (!)
for now it's not more than children's games, but what's if
someone try to use it as a weapon... the result can be terrible.
What's about this strange 10.xxx addresses - it can be (1) frauded
addresses (I don't think so), and (2) someone have their non-public
network working in the global address space (withouth external routing
for INCOMING packets but with the possibility to send packets).
The other way (not too good one but the only while there is not strict
filtering policy) to prevent this is to have some kind of stamping
allowing to backtrack frauded packets over the ISP.
On Mon, 11 Jan 1999, Dalvenjah FoxFire wrote:
> Date: Mon, 11 Jan 1999 10:13:51 -0800
> From: Dalvenjah FoxFire <dalvenjah at DAL.NET>
> To: Jeremiah Kristal <jeremiah at fs.IConNet.NET>
> Cc: Phil Howard <phil at whistler.intur.net>, bross at mindspring.net,
> nanog at merit.edu
> Subject: Re: Huge smurf attack
> On Mon, Jan 11, 1999 at 12:14:04PM -0500, Jeremiah Kristal put this into my mailbox:
> > On Mon, 11 Jan 1999, Phil Howard wrote:
> > <<snip discussion about how clueful operators filter RFC1918 addresses>>
> > Granted it's not that large an amplifier, but it seems odd that
> > even an RFC1918 network would be used as an amplifier for this long
> > without someone finding and securing it.
> If that were true, we wouldn't have smurf attacks at all. There are
> still many, many clueless or otherwise incompetent ISPs and/or companies
> out there (many of whom are large ISPs and/or telcos who should know better
> but don't) who have many, many smurf-amplifier netblocks. Heck, the US
> Military has half of the entries at netscan.org (and they're supposedly
> the ones worried about "cyber-terrorism").
> I've come to the unfortunate conclusion that very few people seem to care
> about system and network security until they are directly affected because of
> something they neglected. If it were otherwise, you wouldn't see "well-known"
> sites such as Yahoo, the NY Times, starwars.com &etc. getting hacked
> week after week.
> Much as I hate to say it, this seems to be one area where industry
> self-regulation has utterly failed. I don't know what would be a better
> solution; I hate to suggest government regulation. But I'm at a loss here.
> Dalvenjah FoxFire (aka Sven Nielsen) May the schwartz be with you!
> Founder, the DALnet IRC Network
> e-mail: dalvenjah at dal.net WWW: http://www.dal.net/~dalvenjah/
> whois: SN90 Try DALnet! http://www.dal.net/
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
More information about the NANOG