Solution: Re: Huge smurf attack

Phil Howard phil at
Wed Jan 13 19:23:46 UTC 1999

Brandon Ross wrote:

> We don't ask our vendors to provide equipment with directed broadcast
> turned off by default for our own use or use by any clueful operator.  The
> reason we require directed broadcast to be turned off by default is so
> that when a less-than-clueful operator gets a hold of the same box, they
> don't become yet another smurf amplifier that ends up being used to attack
> us. If and when I have the leverage with a vendor to get this implemented,
> I use it, every single time.

and also wrote:

> Yes, but, do you have any idea how many tech support calls would be
> generated by our customers complaining that they can't ping or be pinged?
> Our service is advertised as unrestricted Internet access.  Our customers
> rightfully expect to be able to ping out as well as be pinged.  If we
> blocked all echo throughout our network, we would be completed flooded
> with technical support calls.  Doing something like this, similar to the
> serveral suggestions to filter all .0 and .255 addresses, is an attempt to
> fix the symptom instead of the real problem.

Filtering .0 and .255, or filtering echos or ICMPs, are all indeed a form
of "fixing" the symptom.  These things are being done because fixing the
cause isn't practical.

But what is the cause?  Is it that kids with scripts will attack and try
to bring down an IRC server or the network that hosts it?  Or is it that
they have the scripts in the first place?  Or is it that they are using
networks that allow them to do this in the first place?

Fixing the kids heads, I'm sure we all agree, would be the correct solution.
But I don't believe this is really practical or possible.  So what should be
done is to make it so that they have no effect.

The cause of burglaries and thefts is bad people.  So we put up fences and
iron gates, install TV cameras in convenience stores, hire more security
guards and police officers, enact laws with longer criminal sentences.  But
all of this is technically addressing the symptom of the problem.  However,
doing so is often the only practical way.

So my position is that until we do have a practical solution to solve the
cause of the problem, we simply have to deal with the effects the best we
can, and this does mean dealing with and addressing the symptoms so that
we do not suffer the effects.

The question is just what steps are the ones we should do.

I admire Mindspring's position of making Internet access unrestricted.
But what is the real motivation?  Is it the goal of "perfect IP" or is
the business case of decreasing tech support costs?  They are, afterall,
in the business of providing consumer dialup access, and as we all know
that line of business is very costly in areas of tech support.  Network
attacks are also a real cost.  I would suggest that treating some of the
symptoms, at least for now, will cut some costs until the day that we
can achieve the utopian goal of the perfect solution to the cause.

 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at        |  --
    -- *-----------------------------*      philh at       * --

More information about the NANOG mailing list