North American Network Operators Group


Re: SMURF amplifier block list

  • From: Stephen Sprunk
  • Date: Tue Apr 14 17:50:38 1998

Aaron Beck wrote:
> 
> I'm kind of under the impression that we're (ok, just me, but anyone
> else is welcome to jump on this bandwagon) trying to point out that
> class based thinking.. or even "well, most of the net is this" thinking is
> probably a bad idea. 

The fact is that a /24 is far more dangerous as a smurf amplifier than a
/30.  Simple math tells you that there's 127 times as many possible
hosts hitting you.

> Kludges n' hacks may work most of the time, but
> kludges and hacks are just that.. kludgey and hackish.  Hard coded
> defines, precompiled bins, etc have proven to be a less elegant method in
> other areas of the computing world... why should we repeat the same kind
> of mistake in the networking field? 

Who suggested putting an x.x.x.255 filter into IOS itself?  An
access-list in a config is hardly hard-coding.

> A smurf attack is just that, a smurf
> attack.  Wouldn't the overall goal include removing the attack possibility
> in its entirety, not just a temporary solution that may solve some of the
> problems, but definitely not all of them?

If you have a suggestion for "removing the attack possibility in its
entirety," please tell us.  So far, nobody's come up with one.

In the meantime, I'd rather solve 99% of the problem and deal with the
remaining 1% than sit around arguing about "class based thinking" and
"stereotypical ideologies" in between smurf attacks.

> Assuming that most of the net is based on /24s, and that smaller subnets
> are generally internal to those /24s may be a safe assumption, but once
> again it's probably not the best way to think about this problem (not that
> I have any hints on what the best way should be, but I'm fairly certain
> that applying a stereotypical ideology to this is "not a good thing").

Look at the list of IP addresses used in any smurf attack, and they will
almost always be class C or class B broadcast addresses, usually the
address of a NAP or well-connected ISP.  There's no sense targeting a
solution for a problem which doesn't exist.  Solve the general case and
buy time for the more specialized ones.

> just my two bits and a lot of run on sentences.

Stephen

-- 
Stephen Sprunk      "Oops."                 Email: [email protected]
Sprint Paranet        -Albert Einstein      ICBM:  33.00151N 96.82326W
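The two points argued above, that a /24 offers 127 times the amplification of a /30, and that an x.x.x.255 access-list catches the common case but not the rest, can be made concrete. The following is an added example, not code from the thread or from either poster; it uses Python's standard `ipaddress` module, and the prefixes and flow lines in it are constructed sample data, not addresses from the thread.

```python
"""Added example: quantify smurf amplification potential by prefix length and
flag ICMP echo requests aimed at directed-broadcast addresses, the check an
ingress access-list on the amplifier side performs."""
import ipaddress


def amplifier_hosts(network):
    """Number of hosts that could answer a ping sent to this prefix's broadcast."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen >= 31:
        return 0  # /31 and /32 have no separate broadcast address
    return net.num_addresses - 2  # drop network and broadcast addresses


def amplification_ratio(big, small):
    """How many times more replies a broadcast into `big` yields than into `small`."""
    return amplifier_hosts(big) // amplifier_hosts(small)


def is_directed_broadcast(dst, prefixes):
    """Exact check: is dst the broadcast address of one of our own prefixes?"""
    addr = ipaddress.ip_address(dst)
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return True
    return False


def looks_like_class_c_broadcast(dst):
    """The x.x.x.255 heuristic from the thread: needs no prefix table, but
    only sees /24 (and larger, aligned) broadcasts."""
    return dst.split(".")[-1] == "255"


def flag_broadcast_pings(flows, prefixes, check=is_directed_broadcast):
    """Return the flow lines that are echo requests to a broadcast address.

    Each flow line is 'src dst proto type' (constructed format for this example).
    `check` is either the exact prefix-table check or the x.x.x.255 heuristic.
    """
    flagged = []
    for line in flows:
        src, dst, proto, kind = line.split()
        if proto != "icmp" or kind != "echo-request":
            continue
        hit = check(dst, prefixes) if check is is_directed_broadcast else check(dst)
        if hit:
            flagged.append(line)
    return flagged


# Constructed sample data: two prefixes we own, and a handful of flow records.
OUR_PREFIXES = ["203.0.113.0/24", "198.51.100.0/30"]  # documentation ranges
SAMPLE_FLOWS = [
    "192.0.2.7 203.0.113.255 icmp echo-request",  # broadcast of the /24
    "192.0.2.7 203.0.113.10 icmp echo-request",   # ordinary host, fine
    "192.0.2.7 198.51.100.3 icmp echo-request",   # broadcast of the /30
    "192.0.2.7 203.0.113.255 tcp syn",            # not ICMP, not a smurf trigger
]

if __name__ == "__main__":
    print("/24 amplifiers:", amplifier_hosts("203.0.113.0/24"))
    print("/30 amplifiers:", amplifier_hosts("198.51.100.0/30"))
    print("ratio /24 : /30 =", amplification_ratio("203.0.113.0/24", "198.51.100.0/30"))
    print("exact check flags:", flag_broadcast_pings(SAMPLE_FLOWS, OUR_PREFIXES))
    print("x.x.x.255 heuristic flags:",
          flag_broadcast_pings(SAMPLE_FLOWS, OUR_PREFIXES, looks_like_class_c_broadcast))
```

Running it shows the arithmetic behind the 127:1 claim (254 versus 2 possible responders) and the gap the thread argues over: the exact check catches both the /24 and the /30 broadcast, while the x.x.x.255 heuristic catches only the /24, which is the case that carries almost all of the amplification.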