On Tue, Jan 12, 1999 at 11:39:17AM -0500, danderson@lycos.com put this into my mailbox:
> I'm not sure what the big issue here is with the smurf attacks. If you set up some kind of access list that disables incoming icmp traffic, then turn directed broadcasts off on the interfaces, that's it. In most cases, you can't even get a packet into my AS unless it's bound for dns machines or our website frontends. For those of you using Cisco gear, a simple 'no ip directed broadcast' in the interface subset will turn them off. In my mind, this takes care of all but two scenarios:
Unfortunately, things aren't quite that easy. You can't filter on your side unless you have ATM links up the wazoo; the smurf still occupies your incoming link. And many ISPs (uplinks) don't want to add filters on their side, because of load on the router or something similar. Even if that were the case, smurf attacks are getting so powerful that even a large ISP is getting to be affected. A 200Mb+ smurf can take out, or at least seriously hamper activity at the POPs of even large ISPs.

I agree that something like Cisco's CAR and blocking ICMP would help. But when smurfer-wankerboy finds that he can't take out your network with a small 15Mb smurf, he'll just find 10 of his skriptkiddie friends and get them to join him, and take out your uplink with a 150-200Mb smurf. Filtering on the victim side is unfortunately not the answer. Fixing the broadcast addresses, unfortunately, is.

-dalvenjah

-- 
Dalvenjah FoxFire (aka Sven Nielsen)    "Hanging is too good for a man who makes
Founder, the DALnet IRC Network          puns; he should be drawn and quoted."
e-mail: dalvenjah@dal.net   WWW: http://www.dal.net/~dalvenjah/   whois: SN90
Try DALnet! http://www.dal.net/
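A victim-side detection check in the spirit of the thread, added here as an example and not code from either poster or from DALnet: it flags a host that receives ICMP echo replies from many distinct sources it never pinged (the signature of amplified smurf traffic) and estimates whether the reply volume alone fills the inbound link, which is dalvenjah's point about why filtering at the victim does not free the link. The flow-record format, addresses, byte counts and thresholds are all constructed.

```python
"""Flag smurf-style echo-reply floods in flow records (constructed example).

Each record is 'src dst proto icmp_type bytes'; real flow exporters use
their own formats, so parse_flow() would be adapted to the collector in use.
"""
from collections import defaultdict

# Constructed sample: 192.0.2.10 pings 198.51.100.7 once (legitimate), then
# receives echo replies from 200 hosts on 203.0.113.0/24 that it never pinged.
SAMPLE_FLOWS = [
    "192.0.2.10 198.51.100.7 icmp 8 64",
    "198.51.100.7 192.0.2.10 icmp 0 64",
] + [f"203.0.113.{h} 192.0.2.10 icmp 0 1500" for h in range(1, 201)]


def parse_flow(line):
    src, dst, proto, icmp_type, nbytes = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "type": int(icmp_type), "bytes": int(nbytes)}


def find_smurf_victims(lines, window_s=1.0, min_sources=50, link_mbps=10.0):
    """Return {victim: (distinct_reply_sources, mbps, link_saturated)}.

    A host counts as a victim when at least min_sources distinct hosts send it
    echo replies that do not answer an echo request it sent within the window.
    mbps is the unsolicited-reply rate; link_saturated compares it to the
    inbound link capacity, since those bytes arrive whether filtered or not.
    """
    pinged = defaultdict(set)        # requester -> hosts it sent echo requests to
    reply_sources = defaultdict(set)  # target -> hosts sending unsolicited replies
    reply_bytes = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "icmp":
            continue
        if f["type"] == 8:            # echo request: remember who the host pinged
            pinged[f["src"]].add(f["dst"])
        elif f["type"] == 0:          # echo reply: solicited only if request seen
            if f["src"] in pinged[f["dst"]]:
                continue
            reply_sources[f["dst"]].add(f["src"])
            reply_bytes[f["dst"]] += f["bytes"]
    victims = {}
    for victim, sources in reply_sources.items():
        if len(sources) >= min_sources:
            mbps = reply_bytes[victim] * 8 / window_s / 1e6
            victims[victim] = (len(sources), round(mbps, 3), mbps >= link_mbps)
    return victims
```

On the constructed sample the 200 unsolicited 1500-byte replies amount to 2.4 Mb/s, which a 10 Mb/s link absorbs but a 2 Mb/s link does not.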