On Sun, 28 Dec 1997, Karl Denninger wrote:
are ICMP attacks. If you filter ICMP, then I'll start flooding with spoofed source addresses TCP packets with random sequence numbers and from IPs. What, you're going to ask routers to track all the TCP connections going through them now for validation? Erm, how many CPUs more are we going to need..? :)
If you did this the trace would be TRIVIAL.
Huh? ICMP floods vs TCP floods. Aren't they both IP or have I missed something glaringly obvious.
Then, the source network of the problem gets BGP-dropped until they kill the source account and/or connection. This reduces smurfing to a ONE TIME event, makes prosecution easy (anyone who thinks that such an attack, launched on interstate facilities, against any regional or larger ISP isn't something the Feds will want to get into is dreaming - its a slam-dunk that the limits on damage have been exceeded) and further, raises the bar on people who claim that they "can't fix this".
Yep.
All you need to do is prevent out-of-bounds traffic from being sent into your dedicated and dial equipment, and the problem now becomes trivial to solve.
Yep.
If it can be EASILY traced, it will stop being done. If you put these filters in place, the Smurfer will try to use a forged address and be dismayed when *nothing happens*. What's better, he won't KNOW that he's been filtered, and if you log the attempts you will know that someone tried and failed - which is a perfect reason to cancel their service.
Yep. Ok, so I agree with you completely. I thought I had made myself rather clear in the beginning. Oh well. I for one will be looking at integrating it into the setup here. Bar possible router load issues, it is a good idea and means when (and if) spoof attacks originate from our networks I can happily point to the client rather easily. :) adrian