North American Network Operators Group


Re: Huge smurf attack

  • From: Alex P. Rudnev
  • Date: Mon Jan 11 14:23:30 1999

The only way to prevent most such attacks is to have STRICT 
RESTRICTION of spoofed SRC addresses at most ISPs.

While most ISPs (including the greatest scientific and education networks) 
allow any of their users to send packets with a foreign SRC address, there is 
no chance to stop this kind of computing hooliganism. Fortunately (!) 
for now it's not more than children's games, but what if 
someone tries to use it as a weapon... the result can be terrible. 

What about these strange 10.xxx addresses - they can be (1) spoofed 
addresses (I don't think so), or (2) someone has their non-public 
network working in the global address space (without external routing 
for INCOMING packets but with the possibility to send packets).

The other way (not too good a one, but the only one while there is no strict 
filtering policy) to prevent this is to have some kind of stamping 
allowing spoofed packets to be backtracked over the ISP.




On Mon, 11 Jan 1999, Dalvenjah FoxFire wrote:

> Date: Mon, 11 Jan 1999 10:13:51 -0800
> From: Dalvenjah FoxFire <[email protected]>
> To: Jeremiah Kristal <[email protected]>
> Cc: Phil Howard <[email protected]>, [email protected],
>     [email protected]
> Subject: Re: Huge smurf attack
> 
> On Mon, Jan 11, 1999 at 12:14:04PM -0500, Jeremiah Kristal put this into my mailbox:
> 
> > On Mon, 11 Jan 1999, Phil Howard wrote:
> > 
> > <<snip discussion about how clueful operators filter RFC1918 addresses>>
> > 
> > Granted it's not that large an amplifier, but it seems odd that
> > even an RFC1918 network would be used as an amplifier for this long
> > without someone finding and securing it.
> 
> If that were true, we wouldn't have smurf attacks at all. There are
> still many, many clueless or otherwise incompetent ISPs and/or companies
> out there (many of whom are large ISPs and/or telcos who should know better
> but don't) who have many, many smurf-amplifier netblocks. Heck, the US
> Military has half of the entries at netscan.org (and they're supposedly
> the ones worried about "cyber-terrorism").
> 
> I've come to the unfortunate conclusion that very few people seem to care
> about system and network security until they are directly affected because of
> something they neglected. If it were otherwise, you wouldn't see "well-known"
> sites such as Yahoo, the NY Times, starwars.com etc. getting hacked
> week after week.
> 
> Much as I hate to say it, this seems to be one area where industry
> self-regulation has utterly failed. I don't know what would be a better
> solution; I hate to suggest government regulation. But I'm at a loss here.
> 
> -dalvenjah
> 
> -- 
>  Dalvenjah FoxFire (aka Sven Nielsen)    May the schwartz be with you!
>  Founder, the DALnet IRC Network
>  
>  e-mail: [email protected]            WWW: http://www.dal.net/~dalvenjah/
>  whois: SN90                          Try DALnet! http://www.dal.net/
> 

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
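As an added illustration of the strict source-address restriction the post argues for (example code written for this archive page, not from the thread's authors), here is a simplified ingress-filter decision for an ISP customer port. The prefix assignments and sample packets are constructed; the filter drops RFC 1918 sources, sources not assigned to the port, and echo requests aimed at a directed-broadcast address.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: never a legitimate source on a public customer port.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical assignment of address blocks to customer-facing interfaces
# (constructed values using documentation prefixes, not real customers).
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25")],
}
ALL_PREFIXES = [n for nets in CUSTOMER_PREFIXES.values() for n in nets]


@dataclass
class Packet:
    iface: str               # customer port the packet arrived on
    src: str                 # source IPv4 address as text
    dst: str                 # destination IPv4 address as text
    icmp_echo: bool = False  # True if this is an ICMP echo request


def is_directed_broadcast(addr: ipaddress.IPv4Address) -> bool:
    """True if addr is the broadcast address of a prefix we route for."""
    return any(addr == net.broadcast_address for net in ALL_PREFIXES)


def ingress_verdict(pkt: Packet) -> str:
    """Check RFC 1918 source, then source-vs-port assignment (anti-spoofing),
    then echo requests to a directed-broadcast address (smurf amplification)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(src in net for net in RFC1918):
        return "drop: rfc1918-source"
    if not any(src in net for net in CUSTOMER_PREFIXES.get(pkt.iface, [])):
        return "drop: source-not-assigned-to-port"
    if pkt.icmp_echo and is_directed_broadcast(dst):
        return "drop: echo-to-directed-broadcast"
    return "permit"


def run_demo() -> list:
    """Constructed sample packets, one per verdict."""
    samples = [
        Packet("cust-A", "198.51.100.7", "192.0.2.1"),                      # normal traffic
        Packet("cust-A", "10.4.4.4", "192.0.2.1"),                          # 10.x source as seen in the thread
        Packet("cust-A", "203.0.113.9", "192.0.2.1"),                       # cust-B's address on cust-A's port
        Packet("cust-B", "203.0.113.9", "198.51.100.255", icmp_echo=True),  # echo to cust-A's broadcast
    ]
    return [ingress_verdict(p) for p in samples]
```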