Smurf tone down
bicknell at ufp.org
Sat May 1 13:02:22 UTC 1999
In a previous e-mail, alex at nac.net said:
> My question is, why don't larger upstream providers use CEF-CAR (assuming
> that most use this) to do the same to limit the effect of smurf attacks on
> their (and subsequently, their customers') networks?
There are several issues with doing this, any one of which might
prevent a provider from using it.

1) Can't run CEF. There are some situations under which CEF causes
problems. The good news is these are getting to be fewer and fewer
every day, but as recently as 6 months ago it would regularly crash
routers with some line cards under heavy loads. I expect this reason
to disappear completely within another 6 months.

Also, in the can't run category there are some (usually smaller)
providers still using 7000's, 4000's, and other (dare I say even
2501's?) for customer attach.

2) Can't spare the CPU. Sometimes this has to do with the load of CAR,
although generally I expect this is due to other things. If you have
150-200 T1 customers on a 7513 (easy to get with CT3 cards) and you
run BGP to even just 25% of them, and you still have RSP2's then
you probably don't have CPU to even think about giving to CAR, no
matter how little it uses.

3) Can't manage it. Providers are understaffed with clueful people.
That's a universal truth. If you have 1000 customers, that's 1000
CAR entries to make, 1000 people who may ask why packets get dropped
when they do some ICMP thing, 1000 people who might bug you to change
the access list parameters.

When you have a lot of customers it's probably best to make an
all or nothing decision; one-offs in large networks tend to make
junior engineers make mistakes when they don't understand what's
really going on.

4) Don't care. I don't mean this in a shallow "screw the customer" way.
Rather, if you're a large provider and you provide service to a
small provider who's being smurfed you might assume the small
provider did something to provoke the attack, and as such the
burden should be on them to track down the sources and report
them so they can be permanently shut off. If it doesn't saturate
your links and your routers it's not your problem.

5) It's none of their business. This one works people up. The logic
goes like this. If my provider CARs ICMP automatically, why don't
they also CAR porn automatically, so it's only a little traffic.
Oh, and SPAM, that should be CAR'ed to help reduce it. All e-mail
to and from a competitor, that should be CAR'ed really low....
It's a dangerous road to go down.

My $0.02 is I would be very upset if my provider automatically
put any sort of "filter" (including CAR) on my links. I do think it
is reasonable for them to make whatever effort they can to help me
if I get smurfed though. The effort may be CAR, it may be simple
filtering, it may be a legitimate "our routers can't take it".
Leo Bicknell - bicknell at ufp.org
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
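For readers unfamiliar with what "1000 CAR entries" in item 3 amounts to, here is one such per-customer entry as an added illustration, not part of the original post: a Cisco IOS CAR rule that caps ICMP toward a single customer link, which is what blunts the flood of echo replies a smurf victim receives. The interface name, address and the 256 kbps / 8000-byte burst values are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Requires CEF (item 1).
ip cef
!
! Match only ICMP so the limit leaves the customer's other traffic alone.
access-list 100 permit icmp any any
!
! Hypothetical customer T1 on a CT3 card.
interface Serial1/0/0:1
 description Customer T1 (hypothetical)
 ip address 192.0.2.1 255.255.255.252
 ! Smurf reply traffic flows toward the victim, so limit the output
 ! direction: up to 256 kbps of ICMP is forwarded, the excess is dropped.
 rate-limit output access-group 100 256000 8000 8000 conform-action transmit exceed-action drop
```

Every customer interface needs its own rate-limit line and possibly its own values, which is the management burden the post describes; the limit also drops legitimate ICMP above the threshold, which is the source of the "why are my packets dropped" questions.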