North American Network Operators Group


Re: smurf

  • From: Dean Anderson
  • Date: Mon Dec 08 13:24:35 1997

At 11:48 AM -0500 12/8/97, Karl Denninger wrote:
>On Fri, Dec 05, 1997 at 10:05:13PM -0700, Wayne Bouchard wrote:
>> Okay, so I'm now blocking 45 megs of icmp echo-reply packets at my
>> borders.. At one point, this was 80,000 packets/sec. (No, I'm
>> not exaggerating.)
>>
>>
>> <SoapBox>
>>
>> For anyone who has not, PLEASE DISABLE DIRECTED BROADCASTS!

Yes. Disable directed broadcasts to your own internal networks. I suspect
these are most often sent by mis-configured SNMP management systems. You
probably don't want them trying to manage/monitor your devices anyway.
Just don't break SNMP and ICMP for remote networks.

For example, we use SNMP (HP Open View) to manage and monitor our clients'
networks remotely.  HP Open View uses pings every 5 to 15 minutes to detect
if a machine is still up.  It uses directed broadcasts and mask requests
to detect new machines and map the remote network.  When a 'host
down' event happens, we automatically detect whether it's an ISP event or a
customer event, and take the appropriate action. We expect intermediary
ISPs to pass ICMP from our network to their network.  So directed
broadcasts to the customer network should be controlled by the customer's
policy, even when the CPE router is managed by the ISP. (I don't know of
any ISP/NSP that doesn't or won't do this).

>> Tell a friend.. If you sell routers to clients and/or you
>> configure them, include that in your default configuration.

Yes, do that. We need more work of the simple, but expensive kind. ;-)

>> Encourage people to filter inbound ICMP where possible..

Umm. No. Don't do that. ICMP is necessary for flow control and congestion
management.  Not to mention traceroute and ping use echo reply, and are
handy.

If you have 80,000 users each doing a ping once per second, then you
probably need to provision more than a t3. But only 30 t1 users need to
ping -f to load up a t3.  So you need to figure out who the 30 or so are,
and shut them down quickly. What might be more useful is a way to detect
ping floods from a specific source, and automatically send them back source
quenches. That is, tell them to shut their hole, uh, pipe.  Umm, program to
do this? me? maybe. I'll post when/if I do it.


		--Dean


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  [email protected]
           LAN/WAN/UNIX/NT/TCPIP          http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
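The two detection ideas in the thread, spotting a single source that is ping-flooding (Dean's "figure out who the 30 or so are") and spotting a reflector flood of echo replies converging on one victim (Wayne's 80,000 echo-reply packets/sec at the border), can both be expressed as sliding-window counters over a packet feed. The following is an added example and is not code from the original post or from either author. It assumes a collector that emits packet records as (timestamp in seconds, source IP, destination IP, ICMP type) tuples; the traffic it runs over is constructed sample data, and the only outside facts it relies on are the standard ICMP type numbers (8 = echo request, 0 = echo reply).

```python
"""Sliding-window ICMP flood detection over a packet record feed.

Added example, not from the original NANOG post. Record format
(timestamp_seconds, src_ip, dst_ip, icmp_type) is an assumption about
the collector feeding this code.
"""
from collections import Counter, defaultdict, deque

ECHO_REPLY = 0      # standard ICMP type codes
ECHO_REQUEST = 8


def find_flooding_sources(records, window=1.0, threshold=100):
    """Return {src: peak_count} for every source whose echo requests within
    any `window`-second sliding window reach `threshold` packets.

    This is the per-source view: one host doing `ping -f` stands out even
    while the aggregate link is far from saturated."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peaks = {}
    for ts, src, _dst, itype in sorted(records):
        if itype != ECHO_REQUEST:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps that fell out
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def find_smurf_targets(records, window=1.0, min_sources=20):
    """Return {dst: peak_distinct_sources} for destinations receiving echo
    replies from at least `min_sources` distinct hosts inside one window.

    Many distinct replying hosts aimed at one address is what a directed-
    broadcast reflection looks like from the victim's side of the border."""
    recent = defaultdict(deque)       # dst -> (ts, src) pairs in window
    in_window = defaultdict(Counter)  # dst -> per-source counts in window
    peaks = {}
    for ts, src, dst, itype in sorted(records):
        if itype != ECHO_REPLY:
            continue
        q, counts = recent[dst], in_window[dst]
        q.append((ts, src))
        counts[src] += 1
        while q and ts - q[0][0] >= window:
            _old_ts, old_src = q.popleft()
            counts[old_src] -= 1
            if counts[old_src] == 0:
                del counts[old_src]
        if len(counts) >= min_sources:
            peaks[dst] = max(peaks.get(dst, 0), len(counts))
    return peaks


def build_sample_records():
    """Constructed sample traffic (not a real capture)."""
    recs = []
    # A management station polling one host every 5 s: legitimate, and the
    # kind of ICMP the post argues must keep flowing across ISPs.
    for i in range(12):
        recs.append((i * 5.0, "10.0.0.7", "192.0.2.10", ECHO_REQUEST))
        recs.append((i * 5.0 + 0.01, "192.0.2.10", "10.0.0.7", ECHO_REPLY))
    # One host sending 150 echo requests in half a second: a ping flood.
    for i in range(150):
        recs.append((30.0 + i / 300.0, "10.0.0.5", "192.0.2.10", ECHO_REQUEST))
    # 50 distinct hosts on one /24 each send three echo replies to a single
    # victim within 0.3 s: the reflector-flood pattern.
    for h in range(50):
        for k in range(3):
            recs.append((40.0 + (h * 3 + k) / 500.0,
                         f"198.51.100.{h + 1}", "192.0.2.20", ECHO_REPLY))
    return recs


if __name__ == "__main__":
    sample = build_sample_records()
    print("flooding sources:", find_flooding_sources(sample))
    print("reflected-flood targets:", find_smurf_targets(sample))
```

The window and threshold values are deliberately parameters: the right numbers depend on link size and on how chatty legitimate monitoring is, and the monitoring station in the sample data (one request every five seconds) never comes close to the request threshold, while the flooding host is reported with its peak in-window count and the reflection victim with the number of distinct hosts replying to it.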