On Thu, 21 Aug 1997, Alex "Mr. Worf" Yuriev wrote:
Short of fixing every network on the internet, does anyone have any useful advice for what to do when smurfed? This happened to an FDT customer last night, and it had our T1 (according to uunet) at about 500% capacity. Obviously, until the attack stopped, our T1 wasn't too useful. I'm about
< close to just asking uunet to block all icmp echo replies from coming into FDT...but I know customers will complain.
Then they will start blasting UDP at you. Trust me, T1 is not that bad. We periodically have DS-3s eaten up completely but it happens for such a short time that it cannot really be traced :(
Perhaps. The trouble is, when we get smurfed, our T1 becomes totally useless. While talking to UUNet and Cisco about the problem, Cisco suggested traffic shaping on the UUNet 7500 we connect to. If they did that, and told the 7500 not to send >1.5mb/s for us to the cascade, then would the 7500 be smart enough to prioritize the packets such that the icmp get dropped and tcp and udp go through? The main problem, AFAICT, is that the cascade deals very badly with the situation where it has 7mb/s of traffic for a 1.5mb/s pipe. UUNet did not seem terribly receptive to the idea. ------------------------------------------------------------------ Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will Network Administrator | be proof-read for $199/message. Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____