North American Network Operators Group
Re: SMURF amplifier block list - READ THIS
On Tue, 14 Apr 1998, Karl Denninger wrote:

> So I send one packet over my ISDN line, and the amplifier sends 200 copies
> of it to the victim. I can effectively multiply the bandwidth of my 128kbps
> circuit 200-fold, which is TWENTY FIVE MEGABITS of bandwidth (!)
>
> Now, since I am smart, I use an ICMP ECHO with a payload of all zeros.
> STAC compresses this 1024-byte packet about 10:1, since it's all one byte.
> I can now source ~90Mbps from an ISDN connection! This makes even a modem
> dial connection quite dangerous in that with compression and careful
> selection of the payload you can source ~10-20Mbps of smurf from a MODEM.

This isn't quite as bad as it sounds, because in nearly all cases, the *OUTGOING* bandwidth from the amplification network will be *MUCH* less than the aggregate traffic produced by all the devices on the amplification LAN. So what ends up happening in most cases is that 20-90Mbps of traffic slams into the router interface capable of only 1.5/3/6/9Mbps of outgoing traffic. Still, though, a modem or ISDN connection being able to summon 1.5-9Mbps is quite a problem.

> The *ONLY* long-term fix for smurfing is to prohibit directed broadcasts, so
> that amplification of the attack cannot be done. The only means available

This is not the *ONLY* long-term fix. There has been very little mention of anti-SPOOF measures in this thread, which is surprising. Granted, blocking directed broadcasts from entering your network prevents you from being the "mid-point" of the attack. The fact is that the SMURF attack couldn't even get off the ground if the ISP for the "evil d00d" validated *OUTGOING* traffic, effectively blocking IP SPOOFing.

I would say that the scope of the IP SPOOFing problem is greater than any other problem. IP SPOOFing is *THE SOURCE* of all the major problems:

SYN-FLOOD
TEARDROP and variants
SMURF
What's Next???

Solutions:

Validate all traffic leaving your networks to be sure the IP source is from one of your networks.

Everyone from the tier 1 providers on down should write that requirement into all their connection agreements.

Further, the fact is that nearly *ALL* such attacks (attacks that use IP-SPOOFing as a requirement) are launched from dial-up connections. It would be relatively easy to have a *DRAMATIC* reduction in attacks if the dialup equipment vendors would release software updates with *DEFAULT* anti-spoof filters applied to dialup connections. Put some pressure on your vendors; nearly all dialup ports are made by Lucent/Livingston, Ascend, or 3COM/USR. I've been asking Livingston for two years for this feature.

Dax Kelson
Internet Connect, Inc.
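The two mitigations the post argues over, an egress anti-spoof filter (drop outbound packets whose source is not one of your own prefixes) and a directed-broadcast block (drop inbound packets addressed to the broadcast address of one of your subnets), expressed as a small filter run over constructed packet records. This is an added example, not code from the post or from any of the vendors named; the prefixes, subnets and packets are constructed sample values, and the record format (direction, source, destination) is an assumption of the example.

```python
"""Egress anti-spoof and directed-broadcast filtering (added example).

Models the two controls discussed in the thread:
  1. Validate outbound traffic: the source must belong to a prefix we originate.
  2. Refuse inbound packets aimed at the broadcast address of one of our subnets,
     which is the "amplifier" position in a smurf attack.
"""
import ipaddress
from typing import List, Tuple

# Prefixes this network is allowed to originate (constructed sample values).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Subnets behind the border router whose broadcast addresses must not be
# reachable from outside (constructed sample values).
OUR_SUBNETS = [ipaddress.ip_network(p) for p in ("192.0.2.0/25", "192.0.2.128/25")]

# A packet record is (direction, src, dst); direction is "in" or "out".
Packet = Tuple[str, str, str]


def egress_allowed(src: str) -> bool:
    """True only if src falls inside one of the prefixes we originate."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in OUR_PREFIXES)


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of our subnets."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in OUR_SUBNETS)


def verdict(packet: Packet) -> Tuple[str, str]:
    """Return ("permit"|"drop", reason) for one packet record."""
    direction, src, dst = packet
    if direction == "out" and not egress_allowed(src):
        return ("drop", "spoofed source %s not in our prefixes" % src)
    if direction == "in" and is_directed_broadcast(dst):
        return ("drop", "directed broadcast to %s" % dst)
    return ("permit", "")


def filter_packets(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply verdict() to every record and return (packet, action, reason)."""
    return [(p, *verdict(p)) for p in packets]


# Constructed sample traffic: one legitimate outbound flow, one outbound
# packet with a forged source aimed at a remote broadcast address, one
# inbound probe of our own broadcast address, one ordinary inbound packet.
SAMPLE_PACKETS: List[Packet] = [
    ("out", "192.0.2.10", "203.0.113.5"),
    ("out", "203.0.113.7", "198.18.0.255"),
    ("in", "203.0.113.9", "192.0.2.127"),
    ("in", "203.0.113.9", "192.0.2.10"),
]

if __name__ == "__main__":
    for pkt, action, reason in filter_packets(SAMPLE_PACKETS):
        print("%-6s %-15s -> %-15s %s %s" % (pkt[0], pkt[1], pkt[2], action, reason))
```

The egress check is the one the post asks dial-up vendors to ship by default: on an access port it reduces to "the source must be the address we assigned to this session", so a customer cannot launch any attack that depends on a forged source. The broadcast check covers the amplifier role; note that 192.0.2.127 is the broadcast address of 192.0.2.0/25 and is caught even though it is not the /24's last address.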