Sorry, I am a newby, could you describe what "smurf" is ? I am guessing it is a utility but I am not certain. Thanks -----Original Message----- From: owner-firewall-wizardsat_private [mailto:owner-firewall-wizardsat_private]On Behalf Of Bennett Todd Sent: Wednesday, February 16, 2000 12:56 PM To: Marcus J. Ranum Cc: firewall-wizardsat_private Subject: Re: Recent Attacks I may be a cad and a barbarian, but I'm less concerned with identifying who's doing it, and more concerned with making the attacks harder to mount, and easier to stop. I very strongly believe that one step will do a great deal to reduce the severity of this problem (e.g., it would essentially stop the current tools, and make any replacements far, far less effective), and that's to make ingress filtering universal. While route-based packet filtering, to toss forged source addrs, is very hard if not impossible once the packet enters the core routers, when it's passing through the border router, the router that has a simple static route for the LAN the packet originated on, the filtering is trivial to implement. Some routers (e.g. Linux) can be switched to do it automatically, with no configuration changes necessary as the routing environment changes. I expect that will be a required feature in routers very quickly, and not long after that we'll start seeing blacklists, to help you block nets that don't do ingress filtering right at your routers. Allowing forged source addrs in and out of your nets is bad hygiene. And if DDoS attacks couldn't used forged source addrs, they couldn't use smurf to amplify their effects, and they couldn't be reused at all; the moment a victim starts capturing packets, they'd have the source addrs of all the machines in the attackers DDoS net --- and building those nets remains the relatively hard prep work for mounting one of these attacks. If we had universal ingress filtering, the moment someone started launching one of these the victim could start contacting the compromised sites, and if they refused to address their problem they could request that the streams by blocked by the compromised sites' providers. Right now, only some nets nets have ingress filtering --- those run by competant and knowlegeable networks admins who care about security. But I think it will not be long before running without ingress filtering is as unacceptable --- and gets you blacklisted as hard and fast --- as running an open relay email server. -Bennett
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:10 PDT