nanog mailing list archives

Re: SMURF amplifier block list
From: Dean Anderson <dean () av8 com>
Date: Fri, 17 Apr 1998 18:33:24 -0400

:I will concede that shutting off connectivity to a site by a large enough
:chunk of the net should get someone to fix stuff....  But part of the
:advantage of the MAPS RBL BGP feed is that it helps to cut down spam
:coming into your network.  A BGP feed TODAY won't block a ping
:amplification attack aimed at your network or a downstream.  All it will
:do is prevent your customers from using the ping amplification networks to
:launch an attack.   And, if you have the appropriate anti-spoofing filters
:in place, they shouldn't be able to attack anything other than the valid
:source addresses you have in your outbound filter set.

MAPS RBL BGP feed blocks all traffic back to a given network, after a
spamming event. It doesn't do too much to stop an in-progress event, since
it doesn't respond that quickly with updates. (part [most?] of the delay is
Vixie's investigation)  It's effective because it puts a lot of pressure on
networks that host spammers to make sure it doesn't happen again.  Thus,
it tends to reduce spam.

Likewise, a Smurf BGP feed won't stop an in-progress attack, but it will put
a lot of pressure on smurfable networks to make sure they aren't smurfable
in the future.  And that's a pretty good tool, even if it's not 100%


           Plain Aviation, Inc                  dean () av8 com
           LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
           We Make IT Fly!                (617)242-3091 x246
