<mixter@newyorkoffice.com> 05/13/00 07:19PM >>>
Hi, I'm sorry it took me so long to reply. I couldn't find the particular message, and there seemed to be a couple of new ones, so I'm posting my reply here...

It is true that with the proposed solution, attackers can still launch smurf attacks with the broadcast of a local LAN; however, they cannot use arbitrary broadcasts to commence smurf attacks. They have to get inside access on every subnet they want to smurf from, which also means they can be tracked down by looking at the broadcast replies to the victim.

Also, it is true that the bandwidth of a smurf is a multiple of the attacker's bandwidth, so it is relevant. But launching *smurf* attacks (not DDOS) from anything as fast as an OC-12 would simply overload the used broadcast addresses. The maximal bandwidth of each broadcast reply is the bandwidth of the subnet whose broadcast you're pinging; it is not limited only by your own bandwidth. That's also the point why only the use of *many different* broadcasts at a time can launch a devastating attack. You would have to operate from several moderately-fast boxes, e.g. smurf with 100 different broadcast addresses, each from one T1, or smurf them from a T3, cycling through the broadcast list, in order not to concentrate too much bandwidth on a single broadcast, which could overload the broadcast itself (like the smurf.c programs do).

Additionally, the proposed solution is obviously meant to be implemented along with ingress traffic policing. If a subnet's external router uses both rfc1122 and ingress filtering rules, there is no chance for an outside or inside attacker to ever launch a broadcast amplifier flood.

On Fri, 12 May 2000, Vipul Shah wrote:
Mixter,
Currently, we have started a discussion thread on the NANOG mailing list for a DDoS Smurf attack solution... http://www.merit.edu/mail.archives/nanog/
One of the responses (attached mail) says that such a Smurf attack is not effective unless it is launched from sites with switched ethernet and OC-3 or better connectivity. Hence it is not beneficial to any attacker.
Since I don't have experience/knowledge about which kinds of sites are compromised for generating attacks, I suggest that you reply to the attached mail (either to me or directly to the NANOG list), covering things like the kind of networks used for launching attacks and the typical number of DDoS agents. Such knowledge will help us to finalize whether the proposed solution is useful to implement or not.
Thanks, Vipul
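
The two border-router checks named in the reply above (dropping broadcast-addressed traffic from outside, plus ingress filtering of outbound sources), sketched as an added example that is not part of the original thread. The function name, the reading of "rfc1122 rules" as dropping outside packets addressed to the subnet's directed broadcast, and the documentation-range addresses are all assumptions.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not real hosts.
SUBNET = "192.0.2.0/24"      # the subnet behind the border router
VICTIM = "198.51.100.7"      # address an attacker would forge as the source
OUTSIDE = "203.0.113.9"      # some unrelated outside host


def border_verdict(subnet, src, dst, direction):
    """Return (action, reason) for one packet at the subnet's border router.

    direction: "in"  = arriving from outside, headed into the subnet
               "out" = leaving the subnet toward the outside
    """
    net = ipaddress.IPv4Network(subnet)
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)

    if direction == "in":
        # /31 and /32 prefixes have no directed broadcast address.
        has_broadcast = net.prefixlen <= 30
        if has_broadcast and dst_ip == net.broadcast_address:
            return ("drop", "directed broadcast from outside")
        return ("forward", "unicast into subnet")

    if direction == "out":
        # Ingress filtering: only sources that belong to this subnet may leave.
        if src_ip not in net:
            return ("drop", "source not in subnet prefix")
        return ("forward", "legitimate inside source")

    raise ValueError("direction must be 'in' or 'out'")


# Constructed packets: (label, src, dst, direction)
SAMPLES = [
    ("outside host pings our broadcast, forged source", VICTIM, "192.0.2.255", "in"),
    ("inside host sends with forged source", VICTIM, "203.0.113.255", "out"),
    ("normal outbound traffic", "192.0.2.10", OUTSIDE, "out"),
    ("normal inbound traffic", OUTSIDE, "192.0.2.10", "in"),
]

if __name__ == "__main__":
    for label, src, dst, direction in SAMPLES:
        action, reason = border_verdict(SUBNET, src, dst, direction)
        print(f"{action:8} {label}: {reason}")
```

Neither check alone covers both sample cases: the broadcast rule does nothing for the forged outbound packet, and the source filter does nothing for the inbound broadcast ping.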