Hi,

getting Smurfing "under control" takes two things:

o All router administrators on the immediately reachable Internet need to turn off directed broadcasts on their router interfaces. It's conceivable that "a significant portion of all" would do as well, but the magnitude of this problem boggles the mind. First of all, we'd need to distribute the appropriate amount of clue to all the corners of the net where this needs to happen. Maybe, just maybe, we'll get there sometime (I'm an optimist!).

o Making sure source IP address spoofing isn't as easily done as it is now. Also an easy one, right? ;-) Anyone have any idea where most of the attacks originate: dial-up ports or from folks more directly connected to the net? (I'd bet on a happy mix ;-) Equipment providers can offer some help here in offering an effective and efficient knob which can do the equivalent of "RPF"ing on unicast traffic (if you don't have a route back to the source and the route doesn't point to the incoming interface for the packet, drop it on the floor). Obviously, this assumes symmetric traffic patterns, which are typical at the edges of the network but not quite so typical in our/your modern backbone networks.

o While we struggle with the above two, at least some service providers need to become more responsive in tracking these sorts of events back to their real source. No names mentioned, none forgotten.

o Lastly, I think that better tools are needed to track these sorts of attacks back to their source (?).

I'm not saying these battles should not be fought; far from it, but it's probably going to take a while before any of these can have any significant effect on the problem.

- Håvard
> o All router administrators on the immediately reachable Internet need to turn off directed broadcasts on their router interfaces. It's conceivable that "a significant portion of all" would do as well, but the magnitude of this problem boggles the mind. First of all, we'd need to distribute the appropriate amount of clue to all the corners of the net where this needs to happen. Maybe, just maybe, we'll get there sometime (I'm an optimist!).

Why should this not have become the default mode for all vendor-distributed router code?

randy
At 5:52 PM -0500 2/13/98, Randy Bush wrote:
> > o All router administrators on the immediately reachable Internet need to turn off directed broadcasts on their router interfaces. It's conceivable that "a significant portion of all" would do as well, but the magnitude of this problem boggles the mind. First of all, we'd need to distribute the appropriate amount of clue to all the corners of the net where this needs to happen. Maybe, just maybe, we'll get there sometime (I'm an optimist!).

> Why should this not have become the default mode for all vendor-distributed router code?

Because routers used by regular companies on their intranets generally need to propagate directed broadcasts so that protocols and software that use directed broadcasts in a subnetted environment will work properly. It's only at the borders of other companies (such as ISP's) that directed broadcasts have to be turned off. Even ISP's that use things like HPOV SNMP host discovery internally need to permit internal directed broadcasts. But they shouldn't go outside your network, and you probably don't want them coming in from the outside to your internal network.

It would be a bad default, since the less experienced net-admin at a private company might not understand why broadcasts don't work, whilst the more sophisticated net-admins supposedly found at ISP's and NSP's know about these things, and usually have some tools to quickly configure routers in cookie-cutter fashion, making the defaults unnecessary ;-)

--Dean

Plain Aviation, Inc    dean@av8.com    LAN/WAN/UNIX/NT/TCPIP    http://www.av8.com
On Fri, 13 Feb 1998, Dean Anderson wrote:
> At 5:52 PM -0500 2/13/98, Randy Bush wrote:
> > > o All router administrators on the immediately reachable Internet need to turn off directed broadcasts on their router interfaces. It's conceivable that "a significant portion of all" would do as well, but the magnitude of this problem boggles the mind. First of all, we'd need to distribute the appropriate amount of clue to all the corners of the net where this needs to happen. Maybe, just maybe, we'll get there sometime (I'm an optimist!).
> > Why should this not have become the default mode for all vendor-distributed router code?
> Because routers used by regular companies on their intranets generally need to propagate directed broadcasts so that protocols and software that use directed broadcasts in a subnetted environment will work properly. It's only at the borders of other companies (such as ISP's) that directed broadcasts have to be turned off.

If the ICMP packet is permitted into the internal network then it doesn't matter where the network is, only that it have sufficient bandwidth to generate the necessary traffic out to the border (from the smurfer's POV). This is why it needs to be turned off on all LAN segments (assuming it isn't used for other things).

> Even ISP's that use things like HPOV SNMP host discovery internally need to permit internal directed broadcasts. But they shouldn't go outside your network, and you probably don't want them coming in from the outside to your internal network.

How often is SNMP host discovery done? Can't HPOV be directed to just discover on a specific network?

bye,
ken emery
On Fri, 13 Feb 1998, Dean Anderson wrote:
> If the ICMP packet is permitted into the internal network then it doesn't matter where the network is, only that it have sufficient bandwidth to generate the necessary traffic out to the border (from the smurfer's POV). This is why it needs to be turned off on all LAN segments (assuming it isn't used for other things).

If you enable broadcast forwarding on a cisco, that's true. But you should have access filters in place at your borders to prevent directed broadcasts to your networks and subnets. Internally, directed broadcasts are (often) used. The main thing is to prevent others from using them, either unnecessarily, or maliciously.

> How often is SNMP host discovery done?

It's configurable. I think the default shipped is every 15 minutes. I usually turn it down to once a day.

> Can't HPOV be directed to just discover on a specific network?

It can, and in fact it should be. But if you have turned off forwarding directed broadcasts on that network, it won't work.

--Dean
On Fri, Feb 13, 1998 at 06:36:06PM -0500, Dean Anderson wrote:
> It would be a bad default, since the less experienced net-admin at a private company might not understand why broadcasts don't work, whilst the more sophisticated net-admins supposedly found at ISP's and NSP's know about these things, and usually have some tools to quickly configure routers in cookie-cutter fashion, making the defaults unnecessary ;-)

Oh, _obviously_, Dean. :-)

Cheers,
-- jra

--
Jay R. Ashworth                         jra@baylink.com
Member of the Technical Staff           Unsolicited Commercial Emailers Sued
The Suncoast Freenet                    "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida                      on alt.fan.heinlein
+1 813 790 7592                         Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
On Fri, 13 Feb 1998, Randy Bush wrote:
> > o All router administrators on the immediately reachable Internet need to turn off directed broadcasts on their router interfaces. It's conceivable that "a significant portion of all" would do as well, but the magnitude of this problem boggles the mind. First of all, we'd need to distribute the appropriate amount of clue to all the corners of the net where this needs to happen. Maybe, just maybe, we'll get there sometime (I'm an optimist!).
>
> Why should this not have become the default mode for all vendor-distributed router code?

Because the routing RFC[1] states:

---
A router MAY have an option to disable receiving network-prefix-directed broadcasts on an interface and MUST have an option to disable forwarding network-prefix-directed broadcasts. These options MUST default to permit receiving and forwarding network-prefix-directed broadcasts.
---

"network-prefix-directed broadcasts" are the ones spoken of here. A router *MUST* have an option to turn them off and *MUST* default to forwarding them. The "MAY" stated here (to clarify) means that the router MAY choose not to respond to another host pinging a broadcast address.

[1] RFC-1812, "Requirements for IP Version 4 Routers"; F. Baker; June 1995.

/cah
On Fri, 13 Feb 1998, Randy Bush wrote:
> > o All router administrators on the immediately reachable Internet need to turn off directed broadcasts on their router interfaces. It's conceivable that "a significant portion of all" would do as well, but the magnitude of this problem boggles the mind. First of all, we'd need to distribute the appropriate amount of clue to all the corners of the net where this needs to happen. Maybe, just maybe, we'll get there sometime (I'm an optimist!).
>
> Why should this not have become the default mode for all vendor-distributed router code?
>
> randy

While I would argue that directed broadcasts should be off by default, I recently read RFC 1812 (Requirements for IP Version 4 routers) and found the following in section 4.2.2.11:

   (d) { <Network-prefix>, -1 }
       Directed Broadcast - a broadcast directed to the specified network prefix. It MUST NOT be used as a source address. A router MAY originate Network Directed Broadcast packets. A router MUST receive Network Directed Broadcast packets; however a router MAY have a configuration option to prevent reception of these packets. Such an option MUST default to allowing reception.

Until the RFC gets modified router vendors will probably allow reception of directed broadcasts by default to remain compliant with RFC 1812.

David.Schmidt@ior.com          Internet Ventures, Inc.    (509)622-2878 x238
Spokane, Washington            http://www.perki.net/      (509)622-2872 (fax)
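To make the two knobs under discussion concrete, here is an added example (not code from any poster in this thread) that simulates a router's ingress decision: Håvard's strict "RPF" rule for unicast traffic, and the RFC 1812 directed-broadcast forwarding option that defaults to permit. The routing table, interface names and addresses are constructed for the example.

```python
"""Simulated router ingress checks: strict unicast RPF plus the directed-broadcast
forwarding knob. Added example; routing table and interfaces are constructed."""
import ipaddress

# Constructed routing table: prefix -> egress interface (longest match wins).
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "serial0",          # default route to the upstream
    ipaddress.ip_network("192.0.2.0/24"): "ethernet0",     # customer LAN
    ipaddress.ip_network("198.51.100.0/24"): "ethernet1",  # second customer LAN
}
# Directly attached prefixes, used to recognise network-prefix-directed broadcasts.
ATTACHED = {iface: net for net, iface in ROUTES.items() if net.prefixlen > 0}


def lookup(addr):
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf_ok(src, in_iface):
    """Strict uRPF: the source must be routable and its best route must point back
    out the interface the packet arrived on. Assumes symmetric paths, as the thread
    notes; with a default route every source is "routable" via the uplink, so the
    check only bites on the interface mismatch."""
    hit = lookup(src)
    return hit is not None and hit[1] == in_iface


def directed_broadcast_iface(dst):
    """Interface whose attached prefix has dst as its broadcast address, else None."""
    for iface, net in ATTACHED.items():
        if dst == net.broadcast_address:
            return iface
    return None


def ingress_decision(src, dst, in_iface, forward_directed_bcast=True):
    """Decide what the router does with a packet (src -> dst) arriving on in_iface.
    forward_directed_bcast=True is the RFC 1812 default the thread complains about;
    False models disabling directed-broadcast forwarding on the border."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not strict_urpf_ok(src, in_iface):
        return "drop: uRPF failure (spoofed or unroutable source)"
    bcast_iface = directed_broadcast_iface(dst)
    if bcast_iface is not None:
        if not forward_directed_bcast:
            return "drop: directed broadcast forwarding disabled"
        return f"forward as broadcast on {bcast_iface}"
    return f"forward via {lookup(dst)[1]}"
```

A spoofed-source packet from a customer LAN fails uRPF at the customer-facing interface, and a packet from upstream aimed at an attached prefix's broadcast address is dropped only when forwarding is disabled, which is exactly the default-versus-configured distinction the RFC text above describes.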
On Fri, 13 Feb 1998 Havard.Eidnes@runit.sintef.no wrote:
> Anyone have any idea where most of the attacks originate: dial-up ports or from folks more directly connected to the net? (I'd bet on a happy mix ;-)
A common theme seems to be cable modems -- I fear that some cable companies have more money than brains and provide their users with huge bandwidth and no IP spoof checking... It seems to me that the only way to stop IP spoofing is to implement a small amount of regulation (ugly word, I know). If MCI, Sprint, and all other larger players simply stated that one cannot connect to their network without a router audit of some kind, most of these problems would go away. If I were Joe ISP and I was told that my carrier is allowed to, at any time, audit my router config, and shut me down if I didn't have the rules set right, I would be pretty sure to make sure I got things right. Just a thought...
On Fri, 13 Feb 1998, Steve Camas wrote:
> It seems to me that the only way to stop IP spoofing is to implement a small amount of regulation (ugly word, I know). If MCI, Sprint, and all other larger players simply stated that one cannot connect to their network without a router audit of some kind, most of these problems would go away. If I were Joe ISP and I was told that my carrier is allowed to, at any time, audit my router config, and shut me down if I didn't have the rules set right, I would be pretty sure to make sure I got things right.

Nice idea...but at least some of the bigger providers are already spread so thin they can't monitor their own routers. When are they going to find the time to read router configs for their customers' routers? They'd have to hire more staff for this...and they'd have to actually pay more than minimum wage.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____