Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Broadcast pings.

  • From: Phil Howard
  • Date: Tue Dec 23 18:50:09 1997

Joe  Shaw wrote:

> I had a customers link go down because they were the target of a smurf
> attack a few weeks ago, and when I was sniffing the link to find out what
> was going on, I found tons of packets coming from root nameservers, .gov
> sites, and other places.  If I hadn't been at a terminal, I'd have done a
> better job of logging them when it happened.  As it stands, I just turned
> off ICMP into my routers for a few hours and all was well.  What I would
> have given to have had a dedicated sniffer so I could have done a better
> job of logging.

Although this could double the load on routers, I think this could still
be a valuable feature on the Internet, if all routers had it.  There do
remain some technical problems with it that need to be worked out, but
I hope you can see what I am getting at, and maybe with that idea in mind
a way can be found to make this work.

When a packet arrives, take note of the interface and gateway it came from.
Check the route tables for where a reply to this packet could be delivered.
Don't choose only the best route, but compare where the packet came from
with all valid reply routes (except broad defaults larger than a certain
size that can be configured).  If the packet came from where it is valid
to reply, then allow the packet to proceed.  If not, then discard it (an
ICMP probably won't make it back to the right place anyway).

Those who are faking source addresses will have a tougher time when such
a feature in place throughout the net.  At some point their packets are
being injected invalidly, and if the router there is doing this, it can
discard the attempt.

One problem could be in layer 3 switches which might have only the best
route.  It would then not handle an asymmetric situation.  Switch logic
would have to be extended to handle more than one return route if the switch
is to perform this chore.

Any other ideas on eliminating smurfing and spoofing and such?

-- 
Phil Howard | no22ads0@nowhere6.com w1x6y2z3@anyplace.net end5ads7@dumb9ads.net
  phil      | stop6it0@s5p7a4m3.org stop2104@no9where.edu no6spam3@nowhere0.edu
    at      | no3spam4@anywhere.org stop5it6@spam9mer.com no7spam4@no2place.com
  milepost  | ads1suck@no1where.edu no9way41@nowhere8.net a1b1c5d2@noplace2.org
    dot     | blow6me1@spammer2.edu eat0this@noplace8.net ads8suck@s2p2a0m9.com
  com       | end4ads1@spammer0.com suck5it1@lame8ads.org stop1ads@no28ads4.org




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.