Solution: Re: Huge smurf attack

Daniel Senie dts at
Tue Jan 12 03:30:41 UTC 1999

Phil Howard wrote:
> Jon Lewis wrote:
> > This might not be allowed under existing service contracts.  Most
> > providers probably have provisions to disconnect for network abuse...but
> > not for cluelessness.
> Then we need to re-classify having an open broadcast amplifier as an
> abuse.  If we can get upstreams and backbones to give a formal 30 day
> notice, then start cutting lines ...

I think this could easily be classified as abuse or abuse through
negligence (reckless endangerment?). Provider contracts should specify
that downstreams must deal with ingress filtering and must ensure their
networks will not respond to directed broadcasts from outside.

> OTOH, what about just declaring that X.X.X.{0,255} is off limits
> regardless of the network size?  It would take just 2 access list
> entries to make those addresses in networks larger than /24 to be
> mostly useless.  There aren't that many LANs out there that would
> have real non-broadcast use on these addresses, anyway.  I block
> these coming in to my network as destinations, and I'm tempted to
> block them as sources, as well.  Once these addresses are indeed
> off limits, then the next step is to get backbones to put in the
> access lists.

No. This is not a good plan. There are indeed networks out there with
supernetted LANs. I consult for a large research institution which uses
/22 masks for all subnets, and heavily uses them. The chances of
clobbering perfectly legitimate addresses is real. Beyond this, there
are plenty of /25 networks that'll do a perfectly good job of playing
smurf-amplifier. The solution isn't to apply access lists.

The proper answer to this is to disable directed broadcasts on the
routers themselves. It'd be helpful if routers came out of the box with
this feature disabled by default. Perhaps folks should talk with their
router vendors of choice and ask for this change. I have submitted a
draft into the IETF process to require this change, updating RFC 1812
(router requirements).

Unfortunately directed broadcasts, like ingress filtering, are items
that have to be properly dealt with at the edges of the network. I do
wonder if we will start seeing network providers' legal departments
start taking notice of the situation. Negligence in operating a network
and becoming an unwitting accessory to a crime might raise the level of
urgency in getting folks to address both ingress filtering and directed
broadcast issues. I would prefer to see this handled by the technical
folks without getting the legal types into the fray, but worry that some
will not take the urgency to heart.

Daniel Senie                                        dts at
Amaranth Networks Inc.  

More information about the NANOG mailing list