Smurf tone down

Joe Shaw jshaw at
Sat May 1 06:52:02 UTC 1999

After dealing with UUNet security regarding several smurf incidents I
asked them this same question.  Their response (and I'm sure it would be
the same response of others) was that a lot of the routers on their
network couldn't handle the load of using CEF-CAR to limit smurf attacks.
I'm not sure how true that statement was since I'm not familiar with any
part of UUNet's backbone equipment other than what I used to get my DS3
from at Insync and now with my MAE Houston connection, but from what I've
heard the backbones of a lot of NSP's aren't all made up of Cisco 12000's
or even 7500's, and I'd guess a fair amount of the existing routers out
there are borderline overloaded since it's next to impossible to get most
backbone providers to filter traffic when you're under attack.  UUNet
certainly wouldn't for us because of "router CPU overhead" last time I was
under attack.

Just my $.02...

Joseph W. Shaw - jshaw at    
Freelance Computer Security Consultant and Perl Programmer
Free UNIX advocate - "I hack, therefore I am."

On Sat, 1 May 1999 alex at wrote:

> To help quench the effects of smurf attacks on our network, we CEF-CAR all
> ICMP on our egress points to about 200% of normal ICMP flows.
> However, when a upstream becomes full of ICMP (even though we dump most of
> it), it still affects our external connectivity.
> My question is, why don't larger upstream providers use CEF-CAR (assuming
> that most use this) do the same to limit the effect of smurf attacks on
> thier (and subsequently, thier customers') networks?

More information about the NANOG mailing list