Actually, I think all major providers use automatic provisioning systems which generate router configs. They don't need to rely on router vendors to set particular defaults. If all major providers made sure their provisioning systems turned off directed broadcast, a lot of the problem would go away.

So "Router defaults" is a lame excuse for ISPs. Even little ISPs have a list of things they have to set up (e.g. ip classless, subnet zero, etc.) which have "legacy" or otherwise inappropriate defaults.

And yes, some customers may in fact want or need directed broadcasts on, for example if they are subnetting. In that case, you change it for them. I tell our customers certain things are turned off by default, and if they really want it on, they will need to ask.

Of course, the problem remains that some smurfers are undoubtedly on this list, possibly working for major providers. (This is my guess as to the source of the 10.x smurf amps.)

--Dean

At 02:05 AM 1/12/1999 -0500, Brandon Ross wrote:
On Mon, 11 Jan 1999, Daniel Senie wrote:
The proper answer to this is to disable directed broadcasts on the routers themselves. It'd be helpful if routers came out of the box with this feature disabled by default. Perhaps folks should talk with their router vendors of choice and ask for this change. I have submitted a draft into the IETF process to require this change, updating RFC 1812 (router requirements).
I'm happy to say that progress is being made in this area. When a vendor comes to us for the first time, one of the things I tell them is that we will not buy their hardware until they ship with directed broadcast disabled by default. We've had a lot of success in this area; we'd have even more if others would do the same.
Brandon Ross, Director, Network Engineering, MindSpring Ent., Inc. | 404-815-0770 / 800-719-4664 | info@mindspring.com | ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
Plain Aviation, Inc. | dean@av8.com | LAN/WAN/UNIX/NT/TCPIP | http://www.av8.com
On Tue, 12 Jan 1999, Dean Anderson wrote:
Actually, I think all major providers use automatic provisioning systems which generate router configs. They don't need to rely on router vendors to set particular defaults. If all major providers made sure their provisioning systems turned off directed broadcast, a lot of the problem would go away.
So "Router defaults" is a lame excuse for ISPs. Even little ISPs have a list of things they have to set up (e.g. ip classless, subnet zero, etc.) which have "legacy" or otherwise inappropriate defaults.
We don't ask our vendors to provide equipment with directed broadcast turned off by default for our own use or use by any clueful operator. The reason we require directed broadcast to be turned off by default is so that when a less-than-clueful operator gets a hold of the same box, they don't become yet another smurf amplifier that ends up being used to attack us. If and when I have the leverage with a vendor to get this implemented, I use it, every single time.

Brandon Ross
Brandon Ross wrote:
We don't ask our vendors to provide equipment with directed broadcast turned off by default for our own use or use by any clueful operator. The reason we require directed broadcast to be turned off by default is so that when a less-than-clueful operator gets a hold of the same box, they don't become yet another smurf amplifier that ends up being used to attack us. If and when I have the leverage with a vendor to get this implemented, I use it, every single time.
and also wrote:
Yes, but do you have any idea how many tech support calls would be generated by our customers complaining that they can't ping or be pinged? Our service is advertised as unrestricted Internet access. Our customers rightfully expect to be able to ping out as well as be pinged. If we blocked all echo throughout our network, we would be completely flooded with technical support calls. Doing something like this, similar to the several suggestions to filter all .0 and .255 addresses, is an attempt to fix the symptom instead of the real problem.
Filtering .0 and .255, or filtering echos or ICMPs, are all indeed a form of "fixing" the symptom. These things are being done because fixing the cause isn't practical. But what is the cause? Is it that kids with scripts will attack and try to bring down an IRC server or the network that hosts it? Or is it that they have the scripts in the first place? Or is it that they are using networks that allow them to do this in the first place? Fixing the kids' heads, I'm sure we all agree, would be the correct solution. But I don't believe this is really practical or possible. So what should be done is to make it so that they have no effect.

The cause of burglaries and thefts is bad people. So we put up fences and iron gates, install TV cameras in convenience stores, hire more security guards and police officers, enact laws with longer criminal sentences. But all of this is technically addressing the symptom of the problem. However, doing so is often the only practical way.

So my position is that until we do have a practical solution to solve the cause of the problem, we simply have to deal with the effects the best we can, and this does mean dealing with and addressing the symptoms so that we do not suffer the effects. The question is just what steps are the ones we should do.

I admire Mindspring's position of making Internet access unrestricted. But what is the real motivation? Is it the goal of "perfect IP" or is it the business case of decreasing tech support costs? They are, after all, in the business of providing consumer dialup access, and as we all know that line of business is very costly in areas of tech support. Network attacks are also a real cost. I would suggest that treating some of the symptoms, at least for now, will cut some costs until the day that we can achieve the utopian goal of the perfect solution to the cause.

--
Phil Howard KA9WGN | Inturnet, Inc. | Director of Internet Services | Business Internet Solutions | eng at intur.net | philh at intur.net
Hi. Let me say a few words. I was talking to a few of these kids in the last months, and unfortunately everything is not so easy to fix. Yes, 99.9% of these attacks are _the kids' play_. I do not know how to fix kids' heads over the whole world, but let's imagine you have found some way to do it. And... let's wait for someone, not a kid, from Iraq, for example, who uses this as an electronic weapon. Why not? It's amazing, but these kids' games have a positive effect among the negative ones. Yes, they cause problems and make trouble for someone. On the other hand, they allow you to see where you have the weakness _BEFORE_ someone seriously tries to exploit it. As we say here, the pike in the river doesn't let the other fish slumber (sorry for the bad translation).
Fixing the kids' heads, I'm sure we all agree, would be the correct solution. But I don't believe this is really practical or possible. So what should be done is to make it so that they have no effect.
So my position is that until we do have a practical solution to solve the cause of the problem, we simply have to deal with the effects the best we can, and this does mean dealing with and addressing the symptoms so that we do not suffer the effects.
On Wed, 13 Jan 1999, Phil Howard wrote:
So my position is that until we do have a practical solution to solve the cause of the problem, we simply have to deal with the effects the best we can, and this does mean dealing with and addressing the symptoms so that we do not suffer the effects.
I have to admit, your logical extension of my argument is valid. I suppose if we really wanted to fix the true cause of the problem we would track down the parents of the abusers and punish them for not raising their kids properly. My choice of words was rather poor.
The question is just what steps are the ones we should do.
Right. The idea that I was attempting to get across is that the problem should be treated as close to the source as possible, and to treat the problem in the most user-invisible manner possible. I do not believe that it is unreasonable to get networks that have not blocked amplifiers to do so. I also don't believe that it's unreasonable to get backbone providers to block spoofed traffic. Sure, it's definitely more difficult than just throwing some filtering at the problem, but I think it's worth the extra effort if it means that we still have access to a valuable tool like ping. If we as an industry push our vendors hard enough to get these features enabled by default in their equipment, then when a customer buys a new CPE router, that's one less problem to worry about.
I admire Mindspring's position of making Internet access unrestricted. But what is the real motivation? Is it the goal of "perfect IP" or is it the business case of decreasing tech support costs? They are, after all, in the business of providing consumer dialup access, and as we all know that line of business is very costly in areas of tech support. Network attacks are also a real cost. I would suggest that treating some of the symptoms, at least for now, will cut some costs until the day that we can achieve the utopian goal of the perfect solution to the cause.
The real motivation really is to provide unrestricted network access. Sure, we're out to make money (we are a business, after all), but we also have a set of ideals that we try to live up to as well. Regardless, even from a strict monetary point of view, while the smurf attacks against us are most certainly harmful, they don't cost us nearly as much as the tech support calls blocking ICMP echo would generate.

Brandon Ross
On Wed, 13 Jan 1999, Brandon Ross wrote:
Regardless, even from a strict monetary point of view, while the smurf attacks against us are most certainly harmful, they don't cost us nearly as much as the tech support calls blocking ICMP echo would generate.
How about originating smurf attacks? Does MindSpring do filtering on dialups, or can MindSpring users forge any source address they like? Does ANY major provider filter source addresses on their dialups?

-Dan
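Dean's point earlier in the thread (a provisioning system can emit the right per-interface settings regardless of what the vendor ships as the default) and Dan's closing question (whether dialup source addresses are filtered at all) both come down to what the generated router configs actually contain. The following is an added example, not code posted by anyone in this thread: a small Python audit that reads IOS-style configuration text and reports (1) interfaces that route IP but lack an explicit `no ip directed-broadcast`, so their subnet could serve as a smurf amplifier, and (2) dialup-style interfaces that lack an inbound access list, or whose access list permits sources outside the customer's own address range, so users could forge source addresses. The sample config, interface names, addresses and access-list numbers are constructed for the example; the interface-name pattern and the customer prefix are assumptions the audit takes as parameters.

```python
import re
from ipaddress import ip_network

# Constructed sample in the style of an IOS router config (not a real router).
SAMPLE_CONFIG = """\
ip subnet-zero
ip classless
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
!
interface Group-Async1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 ip access-group 101 in
!
interface Group-Async2
 ip unnumbered Ethernet0
 no ip directed-broadcast
!
interface Group-Async3
 ip unnumbered Ethernet0
 no ip directed-broadcast
 ip access-group 102 in
!
access-list 101 permit ip 203.0.113.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 permit ip any any
"""

# Assumptions for the example: the dialup customers' address space and the
# interface-name pattern that marks a customer-facing dialup port.
CUSTOMER_PREFIXES = [ip_network("203.0.113.0/24")]
DIALUP_INTERFACE = re.compile(r"^(Group-Async|Async|Dialer)")
ACL_LINE = re.compile(r"^access-list (\S+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")


def parse_interfaces(config):
    """Return {interface name: [stripped body lines]} from the config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def wildcard_to_network(addr, wildcard):
    """Convert IOS address/wildcard-mask notation to an ip_network."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl id: [(action, source network or None for 'any')]}."""
    acls = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            acl_id, action, src, _dst = m.groups()
            source = None if src == "any" else wildcard_to_network(*src.split())
            acls.setdefault(acl_id, []).append((action, source))
    return acls


def audit(config, customer_prefixes=CUSTOMER_PREFIXES, dialup=DIALUP_INTERFACE):
    """Return one finding string per problem, in configuration order."""
    findings, acls = [], parse_acls(config)
    for name, body in parse_interfaces(config).items():
        # Check 1: routing IP without 'no ip directed-broadcast' leaves an amplifier.
        routes_ip = any(line.startswith(("ip address ", "ip unnumbered ")) for line in body)
        if routes_ip and "no ip directed-broadcast" not in body:
            findings.append(f"{name}: directed broadcast not disabled "
                            "(subnet can act as a smurf amplifier)")
        if not dialup.match(name):
            continue
        # Check 2: a dialup port needs an inbound filter limited to the customer range.
        acl_refs = [line.split()[2] for line in body
                    if line.startswith("ip access-group ") and line.endswith(" in")]
        if not acl_refs:
            findings.append(f"{name}: no inbound access list "
                            "(customers can forge source addresses)")
            continue
        acl_id = acl_refs[0]
        for action, source in acls.get(acl_id, []):
            if action == "permit" and (source is None or not any(
                    source.subnet_of(p) for p in customer_prefixes)):
                shown = "any" if source is None else str(source)
                findings.append(f"{name}: access-list {acl_id} permits source "
                                f"{shown} outside the customer range "
                                "(does not prevent spoofing)")
    return findings
```

Run against the sample, `audit(SAMPLE_CONFIG)` flags Ethernet1 (directed broadcast still on), Group-Async2 (no inbound filter) and Group-Async3 (its filter permits any source); Ethernet0 and Group-Async1 pass. The check treats a missing `no ip directed-broadcast` line as "enabled", which matches the vendor default the thread complains about; on a router whose software already defaults to off, the line will not appear in the running config, so the audit is meant for the explicit configs a provisioning system generates rather than for a dump of such a box. An access list that is referenced but never defined is not reported here and would need its own check.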
Participants (5): Alex P. Rudnev, Brandon Ross, Dan Hollis, Dean Anderson, Phil Howard