[14425] in North American Network Operators' Group


Re: smurf, the MCI-developed tracing tools

daemon@ATHENA.MIT.EDU (Dax Kelson)
Sun Dec 28 23:26:05 1997

Date: Sun, 28 Dec 1997 21:17:28 -0700 (MST)
From: Dax Kelson <dkelson@inconnect.com>
To: nanog@merit.edu
In-Reply-To: <199712280610.BAA19365@shell.monmouth.com>


> Adrian wrote:
> > But this way, people can only spoof IPs from their own block, and not
> > random addresses. It would kill smurf attacks, make tracing a tad(?)
> > easier, etc, etc. And as I've mentioned before, not all types of floods
> > are ICMP attacks. If you filter ICMP, then I'll start flooding with
> > spoofed source addresses TCP packets with random sequence numbers and from
> > IPs. What, you're going to ask routers to track all the TCP connections
> > going through them now for validation? Erm, how many CPUs more are we
> > going to need..? :)

Something else that needs to be done is we need DEFAULT anti-spoof filters
on all dialin boxes such as those made by Livingston, Ascend, USR, etc.

When a customer calls in and gets assigned an IP address the box should
automatically apply an anti-spoof filter to that port dropping any
packets with an IP source different than the one assigned.

Of course you need a way to override that for customers who have networks
routed to them.  The box could use the RADIUS "Framed-Route" entry as a hint
as to which networks to forward IPs from. 

I've had an RFE in with Livingston for over a year to get that added to
ComOS.

Dax Kelson
Internet Connect, Inc.
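The per-port anti-spoof filter described in the message above, as an added example that is not part of the original post and not ComOS or any vendor's code: a small simulation of what an access server would do at login. It takes the Framed-IP-Address assigned to the session plus any RADIUS Framed-Route attributes (RFC 2865 format "prefix gateway metric", constructed here as sample values) and builds the set of source addresses the port may originate; everything else is dropped. The packet lists, addresses and port names are constructed for illustration.

```python
"""
Simulated default anti-spoof filter for a dial-in port (added example).

Assumption: the access server knows, per session, the Framed-IP-Address
it handed out and zero or more Framed-Route attributes for customers who
have networks routed to them. The filter is the union of those prefixes.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Packet = Tuple[str, str]  # (source IP, destination IP), constructed sample data


def parse_framed_route(attr: str) -> Network:
    """Parse one Framed-Route value such as '198.51.100.0/24 0.0.0.0 1'.

    Only the destination prefix matters for source validation; the gateway
    and metric fields are ignored.
    """
    prefix = attr.split()[0]
    return ipaddress.ip_network(prefix, strict=False)


def build_antispoof_filter(framed_ip: str,
                           framed_routes: Iterable[str] = ()) -> List[Network]:
    """Allowed source prefixes for a port: the assigned host address (/32)
    plus any networks routed to the customer via Framed-Route."""
    allowed: List[Network] = [ipaddress.ip_network(framed_ip)]
    for attr in framed_routes:
        allowed.append(parse_framed_route(attr))
    return allowed


def source_permitted(src_ip: str, allowed: List[Network]) -> bool:
    """True if the packet's source falls inside one of the port's prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def filter_packets(packets: Iterable[Packet],
                   allowed: List[Network]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets arriving on the port into (forwarded, dropped)."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (forwarded if source_permitted(pkt[0], allowed) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic: one legitimate packet, a smurf-style spoof aimed at a
# directed broadcast, a spoof of a neighbouring address in the same pool,
# and a packet from a prefix that is only legitimate on a routed customer.
SAMPLE_PACKETS: List[Packet] = [
    ("192.0.2.17", "198.51.100.1"),      # matches assigned address
    ("203.0.113.5", "10.1.255.255"),     # spoofed source, broadcast amplifier
    ("192.0.2.18", "198.51.100.1"),      # neighbour in the same dial-up pool
    ("198.51.100.200", "203.0.113.9"),   # source inside a routed customer net
]


def demo() -> dict:
    """Run the constructed packets through two constructed sessions and
    return {port: (forwarded_count, dropped_count)}."""
    # Plain dial-up user: only the assigned /32 is allowed.
    dialup = build_antispoof_filter("192.0.2.17")
    # Customer with a network routed to them via Framed-Route (constructed).
    routed = build_antispoof_filter(
        "192.0.2.33", ["198.51.100.0/24 0.0.0.0 1"])
    routed_packets = [("192.0.2.33", "198.51.100.1")] + SAMPLE_PACKETS[1:]

    results = {}
    for name, allowed, packets in (("dialup", dialup, SAMPLE_PACKETS),
                                   ("routed_customer", routed, routed_packets)):
        fwd, drop = filter_packets(packets, allowed)
        results[name] = (len(fwd), len(drop))
    return results


if __name__ == "__main__":
    for port, (fwd, drop) in demo().items():
        print(f"{port}: forwarded={fwd} dropped={drop}")
```

On the plain dial-up port only the one assigned address gets out, so both the random-source spoof and the spoof of a pool neighbour are dropped; on the routed-customer port the Framed-Route prefix is added to the allowed set, which is the override the post asks for.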

