North American Network Operators Group


Re: SMURF amplifier block list

  • From: Brett Frankenberger
  • Date: Tue Apr 14 07:50:39 1998

:: Forrest W. Christian writes ::
> On Mon, 13 Apr 1998, Vadim Antonov wrote:
> >  Uh.  Just modify BGP routes from that feed to have a next hop pointing
> >  to a black hole.  route-maps are sometimes useful.
> Could someone PLEASE explain to me how this is accomplished?

Let's clarify this:

-- If you take the "black hole" feed, you probably route-map so that you
end up forwarding packets to the black-hole'd addresses nowhere,
instead of back towards "black-hole-route-server".  This (1) In no way
protects your network from being smurfed (unless you are being attacked
by your customers),  (2) Has a punitive impact on the amplifier
networks, in that their customers can no longer get to whatever
resources you offer (so their end-user customers get pissed), and
your customers can't visit sites at the amplifier networks (so their
information/service provider customers get pissed).  This may lead to
the situation being corrected.  (It may also lead to some of your
customers being pissed.),  (3) Prevents your customers from smurfing
someone else via the black-holed amplifier networks (you may or may not

-- You can use the information obtained from such a blackhole feed to
protect your network, by creating access lists, or (why would you do it
this way?) creating route maps that route to a black-hole based on
source-address.  This cannot be done automatically in a Cisco
router[1].  Something would have to alter the configuration based on
the blackhole data received.  This could be a human being.  This could
be automated code (running on something other than a Cisco router). 
(This also assumes that your connections to your peers/upstreams are
large enough that they are not significantly impacted by the load of a
smurf attack.)

[1] Specifically, there is no configuration command to vary the
contents of an access list based on received BGP routing information,
which means there is no way to route-map with a "match" that adapts to
information from BGP.

I think that (1) Public shame is a good method of attack on this
problem, and (2) A realtime BGP feed is probably a waste.

          - Brett  ([email protected])
                               ... Coming soon to a      | Brett Frankenberger
.sig near you ... a Humorous Quote ...                   | [email protected]
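
Added example, not part of the original message: a sketch of the "automated code (running on something other than a Cisco router)" that turns blackhole-feed prefixes into a source-address access list. The feed format (one prefix per line), the ACL number 150, the /16 minimum prefix length and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample feed (RFC 5737 documentation ranges, not real amplifiers).
SAMPLE_FEED = """\
192.0.2.0/25
192.0.2.128/25
198.51.100.64/26
203.0.113.7/24
not-a-prefix
0.0.0.0/0
198.51.100.64/26
"""

def parse_feed(text, min_prefixlen=16):
    """Return (collapsed networks, rejected lines) from one prefix per line."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False clears stray host bits: 203.0.113.7/24 -> 203.0.113.0/24
            net = ipaddress.IPv4Network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        # A bad or hostile feed entry such as 0.0.0.0/0 would filter everything.
        if net.prefixlen < min_prefixlen:
            rejected.append(line)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def build_acl(nets, acl_number=150):
    """Render IOS extended ACL lines that drop packets sourced from nets."""
    lines = [f"no access-list {acl_number}"]  # rebuild the list from scratch
    for net in sorted(nets):
        # IOS wants a wildcard (inverse) mask, which is the network's hostmask.
        lines.append(f"access-list {acl_number} deny ip "
                     f"{net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    networks, bad = parse_feed(SAMPLE_FEED)
    print("\n".join(build_acl(networks)))
    for entry in bad:
        print(f"! rejected feed entry: {entry}")
```

The output is meant to be reviewed before it is pushed to a router, since the feed contents decide what the router drops.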