[31474] in North American Network Operators' Group
Re: netscan.org update
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Sep 25 01:01:26 2000
Message-Id: <5.0.0.25.2.20000925004317.0198f538@127.0.0.1>
Date: Mon, 25 Sep 2000 00:49:15 -0400
To: nanog@merit.edu
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <Pine.SOL.3.96.1000924135820.6250D-100000@secure>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 02:01 PM 9/24/2000 -0700, Bill Woodcock wrote:
>
>It's sounding like what we're working our way around to is that two
>separate BGP feeds would be needed:
>
>1) One with an announcement of all of the /32s which are broadcast
>addresses of amplifier networks, so that operators can route traffic
>_destined_ for those /32s to Null0.
As has been mentioned, this is not really useful if you filter on spoofed
source IP addresses. Which everyone is doing - RIGHT?
Not to mention it offers absolutely no incentive for the amplifier site to
change.
>2) Another with an announcement of all of the whole blocks of amplifier
>addresses, so that operators who choose to can create policy-routes which
>specify that traffic _originating_ from those addresses (and which are
>_also_ ICMP echo-replies, perhaps) gets policy routed to Null0.
I actually think that filtering prefixes such that you cannot send traffic
*to* smurf amplifier networks would help, and be far less expensive (CPU
wise). It would be trivial to null-route amplifier prefixes, and if enough
networks subscribed to the service, the amplifier sites would notice very,
very quickly - in much the same way people on the BGP RBL notice.
Woody's suggestion only stops a smurf from hitting your LAN, after filling
your WAN, and the amplifier site has no idea it happened. Well, if you
implement the _also_ part. Without the echo-reply line in your policy
route statement, it is functionally equivalent to my previous paragraph (no
TCP between you and amplifier sites), except that you do not let the smurf
hit your LAN. And to be honest, I have always been more worried about filling
my telco circuits than my ethernet switches.
> -Bill
TTFN,
patrick
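The three countermeasures argued over above, as an added model that is not part of the original post or the NANOG thread: (1) source-address ingress filtering at the attacker's ISP, (2) null-routing traffic destined for amplifier prefixes, and (3) policy-routing traffic sourced from amplifier blocks to Null0, with and without the echo-reply clause. The topology is constructed for the example (RFC 5737 documentation prefixes, 50 hosts answering the directed broadcast, 64-byte packets) and every function name is the example's own. It counts where bytes land at each hop, which is the substance of the WAN-versus-LAN point, and checks the collateral effect on ordinary TCP to an amplifier site.

```python
"""Where each smurf countermeasure in the thread actually drops traffic.

Added illustration, not code from the NANOG thread.  The topology, prefixes
(RFC 5737 documentation ranges), host count and packet sizes are all
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# --- constructed sample topology ------------------------------------------
ATTACKER_NET = ipaddress.ip_network("192.0.2.0/24")     # attacker's real prefix
VICTIM = "198.51.100.10"                                # spoofed source / target
AMPLIFIER_NET = ipaddress.ip_network("203.0.113.0/24")  # directed broadcast enabled
AMP_BROADCAST = str(AMPLIFIER_NET.broadcast_address)    # the /32 that feed #1 would carry
AMP_HOSTS = 50                                          # hosts answering a directed broadcast


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "echo-request", "echo-reply" or "tcp"
    size: int = 64    # bytes


def _in_any(addr: str, prefixes) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def bcp38_ingress(pkt: Packet, customer_net) -> bool:
    """Attacker's ISP: forward only if the source belongs to the customer."""
    return ipaddress.ip_address(pkt.src) in customer_net


def null_route_dst(pkt: Packet, prefixes) -> bool:
    """Feed #1 (/32 broadcasts) or the whole-prefix variant: traffic *to* the
    listed destinations goes to Null0."""
    return not _in_any(pkt.dst, prefixes)


def policy_route_src(pkt: Packet, prefixes, echo_reply_only: bool) -> bool:
    """Feed #2: traffic *from* amplifier blocks goes to Null0, optionally only
    when it is an ICMP echo-reply."""
    if not _in_any(pkt.src, prefixes):
        return True
    return echo_reply_only and pkt.proto != "echo-reply"


def amplify(trigger: Packet):
    """Every host behind the broadcast address answers the spoofed source."""
    return [Packet(str(AMPLIFIER_NET[i + 1]), trigger.src, "echo-reply", trigger.size)
            for i in range(AMP_HOSTS)]


def run_smurf(*, bcp38_at_attacker_isp=False, null_route_at_attacker_isp=False,
              policy_route_at_victim=False, echo_reply_only=True, n_triggers=10):
    """Return packet and byte counts at each hop for one spoofed echo-request burst."""
    trigger = Packet(VICTIM, AMP_BROADCAST, "echo-request")          # spoofed src
    stats = {"triggers_out": 0, "replies": 0, "wan_bytes": 0, "lan_bytes": 0}
    for _ in range(n_triggers):
        # Hop 1: the attacker's ISP.  Either check kills the attack before amplification.
        if bcp38_at_attacker_isp and not bcp38_ingress(trigger, ATTACKER_NET):
            continue
        if null_route_at_attacker_isp and not null_route_dst(trigger, [AMPLIFIER_NET]):
            continue
        stats["triggers_out"] += 1
        for reply in amplify(trigger):
            stats["replies"] += 1
            # Hop 2: replies cross the victim's telco circuit before its border router.
            stats["wan_bytes"] += reply.size
            # Hop 3: the victim's border router applies the policy route.
            if policy_route_at_victim and not policy_route_src(reply, [AMPLIFIER_NET], echo_reply_only):
                continue
            stats["lan_bytes"] += reply.size
    return stats


def tcp_to_amplifier_works(*, null_route_amp_prefix=False,
                           policy_route_at_victim=False, echo_reply_only=True) -> bool:
    """Collateral damage: can a host at the victim site still talk TCP to a host
    inside an amplifier prefix under each policy?"""
    syn = Packet(VICTIM, str(AMPLIFIER_NET[20]), "tcp")
    syn_ack = Packet(str(AMPLIFIER_NET[20]), VICTIM, "tcp")
    if null_route_amp_prefix and not null_route_dst(syn, [AMPLIFIER_NET]):
        return False                        # our own SYN is black-holed
    if policy_route_at_victim and not policy_route_src(syn_ack, [AMPLIFIER_NET], echo_reply_only):
        return False                        # their SYN-ACK is black-holed
    return True


if __name__ == "__main__":
    print("no filtering       ", run_smurf())
    print("BCP38 at attacker  ", run_smurf(bcp38_at_attacker_isp=True))
    print("null-route amp pfx ", run_smurf(null_route_at_attacker_isp=True))
    print("echo-reply policy  ", run_smurf(policy_route_at_victim=True))
    print("TCP ok, echo-reply only:", tcp_to_amplifier_works(policy_route_at_victim=True))
    print("TCP ok, whole prefix:   ",
          tcp_to_amplifier_works(policy_route_at_victim=True, echo_reply_only=False))
```

Run as a script it prints the four scenarios side by side: the two checks at the attacker's ISP stop the burst before it is amplified, while the policy route at the victim's border zeroes the LAN count but leaves the WAN count untouched, and dropping everything sourced from the amplifier prefix (no echo-reply clause) also breaks ordinary TCP with that site.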