North American Network Operators Group
spare swamp space?
I'm currently working on a project to help reduce the impact of smurf attacks on our IRC server. Part of the plan requires a /24 of swamp space. Since I'm sure ARIN wouldn't even consider assigning anything out of the swamp or anything that small, I'm wondering if any of you might have one that you're not using and would consider transferring to me.

Since I'm sure questions will arise, and this is operational related, I'll share the plan.

Most smurf attacks we receive are directed at our IRC server (imagine that). We offer IRC service to both our customers and the outside world. Our customers are not only on our network, but also on several other wholesale dialup providers. To minimise the impact of a smurf attack against our IRC server we will split the server off into 2 servers, one for the outside world and one for our customers only.

The public server will be connected via a T1 to a smurf-tracing-friendly transit provider for external connectivity. This T1 will be used for this purpose only and will not be part of the rest of our infrastructure (which is made up mostly of T3s to transit providers for our external connectivity). The public server will use an address assigned by the upstream. There will be a private network connection over Ethernet between the public and private servers.

The private server will be connected to the rest of our infrastructure and will use an address out of swamp space. This swamp space will only be advertised to our wholesale dialup providers on a private peering setup, so only machines attached to these providers will be able to reach the private IRC server.

So how does this work? Well, the typical attacker will launch his smurf attack against irc.mindspring.com. irc.mindspring.com resolves to an address within that swamp space I discussed. When the echo-reply from a far-off network without "no ip directed-broadcast" gets sent, it has nowhere to go because their upstream doesn't have a route for it.

So what happens if they attack the public server? The public server, since it's separated from the rest of our network, will at least not affect our customers, only people connected to our public IRC server from the outside world.

So why don't you just use private IP space? That would require that we and our wholesale providers agree on a private block to use for this purpose. Even if this can be done, if/when we add another wholesaler, who's to say if they will agree to that space as well?

Well, you could use NAT between private space in your network and your wholesalers, you say? I'm trying to keep this as simple and inexpensive as possible. While I'm sure NAT would work fine, I'd like to avoid it if possible.

So, any takers?

Brandon Ross
Network Engineering
404-815-0770
800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.
[email protected]
ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
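The two routing pieces the plan depends on (the swamp /24 announced only over the private peering, and directed broadcasts blocked on every interface), written up here as an added Cisco IOS example; this is not MindSpring's configuration and nothing from the post. 192.0.2.0/24 stands in for the swamp block, 198.18.0.0/16 for the provider's normal aggregate, and the AS numbers and link addresses are placeholders.

```cisco
! Added example, not MindSpring's configuration. Placeholders (assumptions):
!   192.0.2.0/24   the swamp /24 holding the private IRC server
!   198.18.0.0/16  the provider's normal aggregate announced to transit
!   AS 64512 this network, AS 64513 a wholesale dialup peer, AS 64514 transit
!
! No interface on this router may forward a directed broadcast, so it can
! never be used as a smurf amplifier against anyone else.
interface Serial0/0
 description Private peering to wholesale dialup provider
 ip address 203.0.113.1 255.255.255.252
 no ip directed-broadcast
!
interface Serial0/1
 description T3 to transit provider
 ip address 198.51.100.1 255.255.255.252
 no ip directed-broadcast
!
! Static pull-up routes so both prefixes exist for the BGP network statements.
ip route 192.0.2.0 255.255.255.0 Null0
ip route 198.18.0.0 255.255.0.0 Null0
!
! The swamp /24 may leave only toward the wholesale peer; the transit
! provider (and therefore the global table) never learns it, so reflected
! echo-replies aimed at it are dropped upstream for lack of a route.
ip prefix-list SWAMP seq 5 permit 192.0.2.0/24
ip prefix-list TO-WHOLESALE seq 5 permit 192.0.2.0/24
ip prefix-list TO-WHOLESALE seq 10 permit 198.18.0.0/16
ip prefix-list TO-TRANSIT seq 5 deny 192.0.2.0/24
ip prefix-list TO-TRANSIT seq 10 permit 198.18.0.0/16
!
! Tag the swamp route no-export so the wholesaler cannot re-announce it to
! its own upstreams, which would quietly undo the whole scheme.
route-map SWAMP-NO-EXPORT permit 10
 match ip address prefix-list SWAMP
 set community no-export
route-map SWAMP-NO-EXPORT permit 20
!
router bgp 64512
 network 192.0.2.0 mask 255.255.255.0
 network 198.18.0.0 mask 255.255.0.0
 neighbor 203.0.113.2 remote-as 64513
 neighbor 203.0.113.2 description Wholesale dialup peer (private peering)
 neighbor 203.0.113.2 send-community
 neighbor 203.0.113.2 prefix-list TO-WHOLESALE out
 neighbor 203.0.113.2 route-map SWAMP-NO-EXPORT out
 neighbor 198.51.100.2 remote-as 64514
 neighbor 198.51.100.2 description Transit provider
 neighbor 198.51.100.2 prefix-list TO-TRANSIT out
```

Whether a wholesaler honours the no-export tag is still their decision, so the check that matters is confirming from a looking glass at an unrelated transit provider that the /24 is absent from the global table.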