After dealing with UUNet security regarding several smurf incidents I asked them this same question. Their response (and I'm sure it would be the same response of others) was that a lot of the routers on their network couldn't handle the load of using CEF-CAR to limit smurf attacks. I'm not sure how true that statement was since I'm not familiar with any part of UUNet's backbone equipment other than what I used to get my DS3 from at Insync and now with my MAE Houston connection, but from what I've heard the backbones of a lot of NSP's aren't all made up of Cisco 12000's or even 7500's, and I'd guess a fair amount of the existing routers out there are borderline overloaded since it's next to impossible to get most backbone providers to filter traffic when you're under attack. UUNet certainly wouldn't for us because of "router CPU overhead" last time I was under attack. Just my $.02... -- Joseph W. Shaw - jshaw@insync.net Freelance Computer Security Consultant and Perl Programmer Free UNIX advocate - "I hack, therefore I am." On Sat, 1 May 1999 alex@nac.net wrote:
To help quench the effects of smurf attacks on our network, we CEF-CAR all ICMP on our egress points to about 200% of normal ICMP flows.
However, when a upstream becomes full of ICMP (even though we dump most of it), it still affects our external connectivity.
My question is, why don't larger upstream providers use CEF-CAR (assuming that most use this) do the same to limit the effect of smurf attacks on thier (and subsequently, thier customers') networks?