On Sat, 17 Oct 1998 Havard.Eidnes@runit.sintef.no wrote:
Lastly, I'd like to get some idea as to how best to attack this problem
Well, it is far from the best solution, but here's a suggestion that may be feasible in the interim (ie, while whacking on owners of smurf-amlifiable networks): - establish a site similar to the RBL, as an anti-smurf clearinghouse - have said site do BGP peerings, and announce, as /32's, the broadcast addresses of smurf-nets - have enough major-backbone networks use this mechanism to significantly dampen smurf until it becomes an occasional, localized nuisance Note that doing these as /32's means connectivity to the genuine network is unaffected. Only packets destined for broadcast addresses, ie smurf attacks, will be blackholed - and this before they get amplified. While the total number of network entries may be large initially, aggressive efforts by providers to take ownership of pieces of address space belonging to customers, may quickly reduce the global requirements. E.g., If provider X has 1000 such networks belonging to his single-homed customers, and he static-routes these 1000 /32's himself, this offloads the centralized anti-smurf AS. If 20 such ISPs do this, most of the problem goes away. Major backbones ought not bear the brunt of much of this sort of junk, but in this instance, it may be the best place to do this. The big ISPs will generally have enough memory on their core nodes to handle the additional routes, will be running CEF (so can discard smurf traffic almost for free), and will have much greater effectiveness in doing this. However, the more ISPs that involve themselves, the closer to the offender the traffic will get nuked, and the more likely that the attemt will be logged by the offender's ISP and thus result in termination due to violation of ISP's policies (you do have policies against DoS, right folks?). Comments? -- Brian Dickson, Email: briand@teleglobe.net Teleglobe USA, Inc., Tel : +1 703 821 4818 Suite 400, 8251 Greensboro Drive, Fax : +1 703 821 4885 McLean, Virginia, USA, 22102 http://www.teleglobe.com