Solution: Re: Huge smurf attack

Dalvenjah FoxFire dalvenjah at DAL.NET
Tue Jan 12 17:46:34 UTC 1999


On Tue, Jan 12, 1999 at 11:39:17AM -0500, danderson at lycos.com put this into my mailbox:
> 
> I'm not sure what the big issue here is with the smurf attacks. If you set
> up some kind of access list that disables incoming icmp traffic, then turn
> directed broadcasts off on the interfaces, that's it. In most cases, you
> can't even get a packet into my AS unless it's bound for dns machines or our
> website frontends. For those of you using Cisco gear, a simple 'no ip
> directed broadcast' in the interface subset will turn them off. In my mind,
> this takes care of all but two scenarios:

Unfortunately, things aren't quite that easy. You can't filter on your side
unless you have ATM links up the wazoo; the smurf still occupies your incoming
link. And many ISPs (uplinks) don't want to add filters on their side, because
of load on the router or something similar.

Even if that were the case, smurf attacks are getting so powerful that even
a large ISP is getting to be affected. A 200Mb+ smurf can take out, or at least
seriously hamper activity at the POPs of even large ISPs.

I agree that something like Cisco's CAR and blocking ICMP would help. But
when smurfer-wankerboy finds that he can't take out your network with a
small 15Mb smurf, he'll just find 10 of his skriptkiddie friends and get
them to join him, and take out your uplink with a 150-200Mb smurf.

Filtering on the victim side is unfortunately not the answer. Fixing the
broadcast addresses, unfortunately, is.

-dalvenjah

-- 
 Dalvenjah FoxFire (aka Sven Nielsen) "Hanging is too good for a man who makes 
 Founder, the DALnet IRC Network      puns; he should be drawn and quoted." 
 
 e-mail: dalvenjah at dal.net            WWW: http://www.dal.net/~dalvenjah/
 whois: SN90                          Try DALnet! http://www.dal.net/
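The two sides of a smurf that this thread describes, the amplifier network whose broadcast address is being hit by spoofed echo requests and the victim whose link fills with echo replies from many hosts, can both be spotted in flow data. The following is an added example, not code from the poster or from NANOG; it runs over constructed flow records and assumes a hypothetical local prefix of 203.0.113.0/24.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, proto, icmp_type, packets); hypothetical
# sample data, not traffic from the post. ICMP type 8 = echo request, 0 = reply.
FLOWS = [
    ("198.51.100.7", "203.0.113.255", "icmp", 8, 500),  # spoofed victim -> our broadcast
    ("203.0.113.10", "198.51.100.7", "icmp", 0, 500),   # our hosts answer the victim
    ("203.0.113.11", "198.51.100.7", "icmp", 0, 500),
    ("203.0.113.12", "198.51.100.7", "icmp", 0, 500),
    ("203.0.113.20", "203.0.113.1", "icmp", 8, 3),      # ordinary unicast ping
    ("203.0.113.1", "203.0.113.20", "icmp", 0, 3),
    ("192.0.2.9", "203.0.113.10", "tcp", None, 12),
]

LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: our own prefix


def broadcast_targets(local_nets):
    """Broadcast addresses a directed-broadcast packet would land on."""
    return {str(n.broadcast_address) for n in local_nets}


def amplifier_abuse(flows, local_nets):
    """Echo requests reaching our broadcast address mean directed broadcasts
    are still forwarded and we are serving as an amplifier. Returns
    {spoofed_source: packets}; the spoofed source is the real victim."""
    bcast = broadcast_targets(local_nets)
    hits = defaultdict(int)
    for src, dst, proto, itype, pkts in flows:
        if proto == "icmp" and itype == 8 and dst in bcast:
            hits[src] += pkts
    return dict(hits)


def reply_flood(flows, min_sources=3):
    """Echo replies converging on one destination from many distinct sources:
    the pattern seen at the victim (or leaving an amplifier network).
    Returns {destination: (distinct_sources, packets)} at or over threshold."""
    srcs, pkts = defaultdict(set), defaultdict(int)
    for src, dst, proto, itype, n in flows:
        if proto == "icmp" and itype == 0:
            srcs[dst].add(src)
            pkts[dst] += n
    return {d: (len(s), pkts[d]) for d, s in srcs.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print("amplifier abuse:", amplifier_abuse(FLOWS, LOCAL_NETS))
    print("reply floods:", reply_flood(FLOWS))
```

A non-empty result from amplifier_abuse on your own prefix is the cue to apply the fix the thread names, disabling directed broadcast on the LAN interfaces, rather than filtering at the victim.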
