Smurf tone down

Leo Bicknell bicknell at
Sat May 1 13:02:22 UTC 1999

In a previous e-mail, alex at said:
> My question is, why don't larger upstream providers use CEF-CAR (assuming
> that most use this) do the same to limit the effect of smurf attacks on
> their (and subsequently, their customers') networks?

	There are several issues with doing this, any one of which might
prevent a provider from using it.

1) Can't run CEF.  There are some situations under which CEF causes
   problems.  The good news is these are getting to be fewer and fewer
   every day, but as recently as 6 months ago it would regularly crash
   routers with some line cards under heavy loads.  I expect this reason
   to disappear completely within another 6 months.

   Also, in the can't run category there are some (usually smaller)
   providers still using 7000's, 4000's, and other (dare I say even
   2501's?) for customer attach.

2) Can't spare the CPU.  Sometimes this has to do with the load of CAR,
   although generally I expect this is due to other things.  If you have
   150-200 T1 customers on a 7513 (easy to get with CT3 cards) and you
   run BGP to even just 25% of them, and you still have RSP2's then
   you probably don't have CPU to even think about giving to CAR, no
   matter how little it uses.

3) Can't manage it.  Providers are understaffed with clueful people.
   That's a universal truth.  If you have 1000 customers, that's 1000
   CAR entries to make, 1000 people who may ask why packets get dropped
   when they do some ICMP thing, 1000 people who might bug you to change
   to access list parameters.

   When you have a lot of customers it's probably best to make an 
   all or nothing decision, one-offs in large networks tend to make
   junior engineers make mistakes when they don't understand what's
   really going on.

4) Don't care.  I don't mean this in a shallow "screw the customer" way.
   Rather, if you're a large provider and you provide service to a
   small provider who's being smurfed you might assume the small
   provider did something to provoke the attack, and as such the
   burden should be on them to track down the sources and report
   them so they can be permanently shut off.  If it doesn't saturate
   your links and your routers it's not your problem.

5) It's none of their business.  This one works people up.  The logic
   goes like this.  If my provider CAR's ICMP automatically, why don't
   they also CAR porn automatically, so it's only a little traffic.
   Oh, and SPAM, that should be CAR'ed to help reduce it.  All e-mail
   to and from a competitor, that should be CAR'ed really low....

   It's a dangerous road to go down.

	My $0.02 is I would be very upset if my provider automatically
put any sort of "filter" (including CAR) on my links.  I do think it
is reasonable for them to make whatever effort they can to help me
if I get smurfed though.  The effort may be CAR, it may be simple
filtering, it may be a legitimate "our routers can't take it".
Leo Bicknell - bicknell at
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request at,
