-----BEGIN PGP SIGNED MESSAGE-----
> Thus an oft-used response to an attack is to block traffic either to, or from, particular IP addresses. In the case of attacks involving forged source IP addresses, or reflected attacks such as SMURF, the only way to easily block these attacks to prevent collateral damage is to prevent all traffic from reaching the IP address concerned (filtering) until the attack has ceased (either as a consequence of a parallel act of tracing, or otherwise).

While I like the idea of your proposal, I see it as not working because it trusts information generated by the attacker that is not necessarily relevant to the success of the attack. As I am familiar with it, the smurf is generally successful not by flooding the target host's LAN, but rather its upstream network connection. Infrastructure to take that one host off of the net quickly isn't going to help if it's the network that's being attacked. If this proposal becomes widely accepted, it will only succeed in getting someone to modify the exploit to allow the attacker to input a netmask, randomly flooding every IP sharing the same link. The effect will basically be the same, as far as I can tell.

The information that you can trust is that your attacker will cause large quantities of ICMP echo-reply (or sometimes UDP) packets to enter your network from amplifier source addresses. The options I see are to either:

- Rate-limit or block ICMP echo-reply traffic, as close to the source as possible. This may be only at your network ingress, but it might be interesting to see if the backbones really need to allow more than 5-20% of the bandwidth of any link as ICMP echo-reply.

- Rate-limit or block traffic from amplifier source addresses. If a significant portion of the 'net were simply unavailable to these networks until they turned off directed-broadcast, they would get fixed much faster. A BGP RBL-style feed would be the most easily maintainable, but one could even just write a script to take the top 100 off of netscan.org and add them to access-lists.

Aaron Hopkins aaron@cyberverse.com
Chief Technical Officer, Cyberverse Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN4pqK0fJWHAEvsjBAQFx8AQA8PdtkbbBlUsy0qjI97pnR+CkHm2p/UI+
/JD5sHNfWEy9q2ZiKjyYjNdBO1cKzFTmt8C0xr/suo1/W1i3WCOWxe2l3xYZE039
nNs3UWmCrElYPOXR38zbppwqTsgGqqqB69d2TVEGnex+0qi2Su/vHdD+BWrnothv
+n7krDXg0Fw=
=CC9p
-----END PGP SIGNATURE-----
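The two mitigations the post lists (watching the ICMP echo-reply share of a link, and turning an amplifier list into access-list entries) are small enough to sketch in a script. The block below is an added example, not code from the post or from netscan.org: the amplifier-list format, the network addresses (documentation ranges) and the per-link flow records are all constructed here, and the netscan.org listing format is not assumed. The ACL lines follow the classic IOS extended `access-list <n> deny icmp <src> <wildcard> any echo-reply` form; check the syntax against the platform you actually deploy on.

```python
"""Added example: build echo-reply deny ACLs from an amplifier network list,
and flag links whose ICMP echo-reply share exceeds a threshold.
All input data below is constructed for the example."""
import ipaddress
from collections import defaultdict

# Constructed amplifier list: one "network/prefix" per line, with a
# comment, a duplicate and a malformed entry to exercise validation.
AMPLIFIER_LIST = """\
# constructed amplifier list (not real data)
192.0.2.0/24
198.51.100.0/24
192.0.2.0/24
not-an-address
203.0.113.0/25
"""

# Constructed flow records: (link, protocol, icmp_type or None, bytes).
SAMPLE_FLOWS = [
    ("uplink-a", "icmp", 0, 700_000),   # echo-reply: counted
    ("uplink-a", "tcp", None, 300_000),
    ("uplink-b", "icmp", 0, 50_000),
    ("uplink-b", "icmp", 8, 20_000),    # echo-request: not counted
    ("uplink-b", "udp", None, 930_000),
]


def parse_amplifier_networks(text):
    """Return sorted, de-duplicated IPv4 networks, skipping comments,
    blank lines and malformed entries instead of aborting the whole list."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=True))
        except ValueError:
            continue
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def wildcard(net):
    """IOS-style wildcard mask, i.e. the inverse of the netmask."""
    return str(ipaddress.IPv4Address(int(net.hostmask)))


def build_access_list(nets, acl_number=101):
    """Deny ICMP echo-reply from each amplifier network, then permit the rest.
    The acl_number default is an assumption for the example."""
    lines = [
        f"access-list {acl_number} deny icmp "
        f"{net.network_address} {wildcard(net)} any echo-reply"
        for net in nets
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def echo_reply_share(flows):
    """Fraction of bytes on each link that are ICMP echo-reply (type 0)."""
    total = defaultdict(int)
    reply = defaultdict(int)
    for link, proto, icmp_type, nbytes in flows:
        total[link] += nbytes
        if proto == "icmp" and icmp_type == 0:
            reply[link] += nbytes
    return {link: reply[link] / total[link] for link in total if total[link]}


def links_over_threshold(flows, threshold=0.20):
    """Links whose echo-reply share exceeds the threshold (20% by default,
    the upper end of the 5-20% range the post suggests)."""
    shares = echo_reply_share(flows)
    return sorted(link for link, share in shares.items() if share > threshold)


if __name__ == "__main__":
    for line in build_access_list(parse_amplifier_networks(AMPLIFIER_LIST)):
        print(line)
    for link, share in sorted(echo_reply_share(SAMPLE_FLOWS).items()):
        print(f"{link}: {share:.0%} echo-reply")
    print("over threshold:", links_over_threshold(SAMPLE_FLOWS))
```

The parser drops malformed and duplicate entries rather than failing, since a bad line in a fetched list should not leave the ingress unprotected; the share calculation counts only ICMP type 0 so that normal echo-requests on the link do not trip the threshold.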