Re: SMURF amplifier block list
From: Joe Shaw <jshaw () insync net>
Date: Wed, 15 Apr 1998 15:32:43 -0500 (CDT)


On Wed, 15 Apr 1998, Pete Ashdown wrote:

We should be concerned about receiving pings floods from two single
addresses?  The IP size of the network also figures into the nature of
the attack.  Smurfing is made easier by large subnets without
directed-broadcast turned off.  It is a lot more work to get the same
results from networks smaller than a /27.

This is directed towards everyone who's been fortunate enough to take
part in this discussion, not necessarily you Mr. Ashdown.

If you've got an ISDN line or better, you can successfully ping flood a
/30 broadcast address with larger than normal packets and take down a
smaller link (ISDN or modem).  It wouldn't be as effective as a /27, /24
or greater, but enough /27's and you'd have the same effect, though it'd
be more resource intensive on the attackers end than just going after a
/24 or greater broadcast address.

Regardless, it doesn't matter what broadcast they ping, as they have
varying degrees of effectiveness.  What really matters is if we've put
the same amount of effort into fixing our networks as we have arguing
about whose responsibility it is to fix it and what the best course of
action is. If you've got filters on your network to keep you from being a
smurf amplifier, then great.  If you've got filters on your router to keep
your customers from starting smurf attacks, then great.  But if you've only
got one and not the other, then you're just doing a half assed job.  I
agree that IP directed broadcasts should be turned off on everyone's
routers, and those that ignore the problem or refuse to fix it should be
made to deal with it for the greater good of the Internet at large.  But
if my customers can smurf out, I'm just as guilty as the people who don't
fix IP directed broadcasts.

As stated earlier, spoofed traffic is the #1 cause of most denial of
service attacks released in the last 6-12 months.  It doesn't make any
sense why most people who consider themselves responsible admins would
rather bicker over responsibility than fix their networks and be done with
it.  If everyone but the few networks that allow directed broadcasts fixed
spoofing packets from their customers leaving through their network, it
would seem that smurf/fraggle/teardrop/land/etc. would have all been only
mildly effective, and much easier to trace back.

My $0.02

Regards,
Joe Shaw - jshaw () insync net
NetAdmin - Insync Internet Services
Fortune: 43rd Law of Computing: Anything that can go wr
         fortune: Segmentation violation -- Core dumped
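The two halves of the job the post describes, as an added illustration that is not part of Joe Shaw's message: a bound on how many replies one echo request to a subnet's directed-broadcast address can trigger (the /30 vs /27 vs /24 comparison above), a check for inbound echo requests aimed at our own broadcast addresses (the traffic that makes a network an amplifier), and a check for outbound packets from a customer port whose source address the customer was never assigned (the spoofed traffic an egress filter should stop). All prefixes and packets are constructed sample data; the function names are my own, not any router vendor's.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp-echo", "udp", ...

def amplification_factor(prefix: str) -> int:
    """Upper bound on replies one echo request to the directed-broadcast
    address of `prefix` can trigger: one per host address in the subnet."""
    net = ipaddress.ip_network(prefix, strict=False)
    return max(net.num_addresses - 2, 0)

def inbound_amplifier_hits(packets, our_prefixes):
    """Echo requests aimed at the directed-broadcast address of a subnet we
    route: the packets that make us the amplifier if not dropped."""
    bcast = {ipaddress.ip_network(p).broadcast_address for p in our_prefixes}
    return [p for p in packets
            if p.proto == "icmp-echo" and ipaddress.ip_address(p.dst) in bcast]

def outbound_spoof_hits(packets, customer_prefixes):
    """Packets leaving a customer port whose source lies outside the prefixes
    assigned to that customer: forged sources an egress filter should drop."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    return [p for p in packets
            if not any(ipaddress.ip_address(p.src) in n for n in nets)]

# Constructed sample data: subnets we route, one customer's assigned prefix.
OUR_PREFIXES = ["192.0.2.0/27", "192.0.2.32/30"]
CUSTOMER_PREFIXES = ["198.51.100.0/24"]
INBOUND = [  # arriving at our border from the outside
    Packet("203.0.113.7", "192.0.2.31", "icmp-echo"),  # /27 broadcast: up to 30 replies
    Packet("203.0.113.7", "192.0.2.35", "icmp-echo"),  # /30 broadcast: up to 2 replies
    Packet("203.0.113.7", "192.0.2.5", "icmp-echo"),   # ordinary host ping, fine
]
OUTBOUND = [  # leaving the customer's port toward the rest of the Internet
    Packet("198.51.100.9", "192.0.2.31", "icmp-echo"),  # customer's own address
    Packet("203.0.113.7", "192.0.2.31", "icmp-echo"),   # forged source address
]

if __name__ == "__main__":
    for pfx in ("192.0.2.32/30", "192.0.2.0/27", "192.0.2.0/24"):
        print(pfx, "worst-case replies per request:", amplification_factor(pfx))
    print("would-be amplifier hits:", inbound_amplifier_hits(INBOUND, OUR_PREFIXES))
    print("spoofed egress:", outbound_spoof_hits(OUTBOUND, CUSTOMER_PREFIXES))
```

Both lists of hits are what the post argues every operator should be dropping; the first corresponds to turning off directed broadcasts, the second to filtering spoofed sources on customer ports.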
