Dan Hollis replied:
On Mon, 19 Oct 1998, Phil Howard wrote:
Dan Hollis wrote:
The last site I dealt with took _3 weeks_ to close their amplifiers once they were notified. And this was a multimillion dollar publishing company. Wow, you sure get them to act quickly! How did you manage to get a big monstrous behemoth like "corporate america" to move that fast? :-)
They did nothing for two weeks, then their upstream threatened to pull their connection.
If there were only some way to blackhole smurf amplifier routes globally... sigh.
There is. The method involves a software design change in the routers. For each arriving packet, in addition to doing a routing lookup based on the destination, also do a routing lookup based on the source address. If the interface the packet arrived on is NOT in the list of addresses that routing back to the source suggests, then discard the packet. That will drop the majority of packets before they even read smurf amplifiers, as they are generally forge-sourced to the ultimate target of the attack. The first router hop with this implemented where the source address is invalid will stop the attack. The core backbone probably does not need to have this enabled, but all the leafs from it should to ensure no forged sources can get through. I have access list filters in place that block all sources from other than my network space. I also block all incoming to *.*.*.255. There should be no smurf originations or amplications in my network (except non-forged from within, which we can deal with anyway, e.g. cancel, fire, prosecute, etc.). -- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --