North American Network Operators Group

Re: smurf, the MCI-developed tracing tools (was Re: Bogus announcement)
On Sun, 28 Dec 1997, Karl Denninger wrote:

> > are ICMP attacks. If you filter ICMP, then I'll start flooding with
> > spoofed source addresses TCP packets with random sequence numbers and from
> > IPs. What, you're going to ask routers to track all the TCP connections
> > going through them now for validation? Erm, how many CPUs more are we
> > going to need..? :)
>
> If you did this the trace would be TRIVIAL.

Huh? ICMP floods vs TCP floods. Aren't they both IP, or have I missed something glaringly obvious?

> Then, the source network of the problem gets BGP-dropped until they kill the
> source account and/or connection. This reduces smurfing to a ONE TIME
> event, makes prosecution easy (anyone who thinks that such an attack,
> launched on interstate facilities, against any regional or larger ISP isn't
> something the Feds will want to get into is dreaming - it's a slam-dunk that
> the limits on damage have been exceeded) and further, raises the bar on
> people who claim that they "can't fix this".

Yep.

> All you need to do is prevent out-of-bounds traffic from being sent into
> your dedicated and dial equipment, and the problem now becomes trivial
> to solve.

Yep.

> If it can be EASILY traced, it will stop being done. If you put these
> filters in place, the Smurfer will try to use a forged address and be dismayed
> when *nothing happens*. What's better, he won't KNOW that he's been
> filtered, and if you log the attempts you will know that someone tried and
> failed - which is a perfect reason to cancel their service.

Yep.

Ok, so I agree with you completely. I thought I had made myself rather clear in the beginning. Oh well.

I for one will be looking at integrating it into the setup here. Bar possible router load issues, it is a good idea and means when (and if) spoof attacks originate from our networks I can happily point to the client rather easily. :)

adrian
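The per-port source-address filter and logging that the thread describes (permit only the prefixes assigned to each dedicated or dial port, drop and log everything else so the attempt points back at a customer port rather than a forged address), as an added example that is not part of the original thread. All port names, prefixes and packets are constructed.

```python
"""Simulated anti-spoofing ingress filter for customer-facing access ports.

A packet may leave a port only if its source address falls inside one of the
prefixes assigned to that port. Anything else is dropped and logged with the
ingress port, which identifies the customer regardless of the forged address.
"""
import ipaddress
from collections import Counter

# Constructed assignments: which source prefixes each access port may originate.
PORT_PREFIXES = {
    "Serial0/1": ["192.0.2.0/26"],                       # dedicated customer A
    "Serial0/2": ["192.0.2.64/26", "198.51.100.0/28"],   # dedicated customer B
    "Async1":    ["203.0.113.0/28"],                     # dial-in pool
}

def build_filter(port_prefixes):
    """Parse the prefix strings once so per-packet checks are cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()}

def is_permitted(nets, port, src):
    """Fail closed: a port with no assignment may not originate anything."""
    allowed = nets.get(port)
    if allowed is None:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

def apply_filter(nets, packets):
    """Return (forwarded, log); log holds one line per dropped packet."""
    forwarded, log = [], []
    for port, src, dst, proto in packets:
        if is_permitted(nets, port, src):
            forwarded.append((port, src, dst, proto))
        else:
            log.append(f"DENY in={port} src={src} dst={dst} proto={proto}")
    return forwarded, log

def offenders(log):
    """Count denied packets per ingress port: the port, not the address, names the customer."""
    return Counter(line.split()[1].split("=", 1)[1] for line in log)

# Constructed traffic: ICMP and TCP floods alike are caught, since only the source matters.
PACKETS = [
    ("Serial0/1", "192.0.2.10",   "203.0.113.200", "icmp"),  # legitimate
    ("Serial0/1", "10.99.0.5",    "203.0.113.200", "icmp"),  # forged source
    ("Serial0/1", "172.16.4.4",   "203.0.113.200", "tcp"),   # forged source, TCP flood
    ("Serial0/2", "198.51.100.3", "192.0.2.10",    "tcp"),   # legitimate
    ("Async1",    "192.0.2.10",   "203.0.113.200", "icmp"),  # another customer's address
]
```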