SMURF amplifier block list

Posting it here weekly only provides a mechanism for the little fsckers
that smurf to gain an up to date list of sites to bounce from.

And consequently increases the likelihood that more networks
will refuse traffic to or from these networks, which in turn
increases the pressure on these sites to wonder what is happening
to their connectivity and how to repair it, which may just solve
the problem.

This is a monumental admission: I think Karl is doing the right thing.

  Sean.

and i totally agree. from my perspective, most of the damage has come to
irc servers, but it is also being used as a personal DoS, and i've heard
rumors of attacks on webservers, etc.

craig has done a very admirable thing writing the paper on smurf and its
udp cousin, and making the url available to all who are willing to hear it.
those who ARE willing and HAVE heard it have already fixed their routers.
now we are dealing with the ones that either don't know any better or don't
care.

if they start getting treated like the spammers, maybe they will wake up
and fix it.

i hope others follow karl in his lead. we all know that this won't be FIXED
til essentially every network in the world is patched. the free time for
fixing it is over. now it is time for there to be some consequences if one
will not fix.

melinda b thompson

However there are a couple of minor flaws that could be fixed.

One is to sort the list by IP address to make it easier for folks to scan
through and see if they recognize any addresses of companies that they
have some contact with. Even better would be to include the netblock names
from whois.arin.net.

And the other is to include the URL of a website that explains how to fix
the problem. This makes it a whole lot easier to explain to people.

P.S. maybe there is a 3rd flaw.... Maybe the list should be posted to
     alt.2600 as well? >:->

Another problem. Say I (and others) use this list. How do I know when the
perpetrators fix it? They may contact Karl. Karl may or may not keep the
blacklist alive on nanog 2 years from now. Bad sites gone good are still
blocked from my site. Is there an easy way to independently verify if it's
been fixed?

Even better if someone kept a central list with accountability. Perhaps
you could pay for verified updated access-lists.. prevent SMURF attacks,
emergency DoS attack swat teams for hire, etc.. a 1-2 man consulting
operation.

  Stb

Would the vix people have any interest in just adding "being a smurf amp"
to the possible causes for entry in the BGP version of RBL? That way, it
would be harder for the smurf d00dz to get up to date lists.

I suggested this sort of thing a while ago, but don't currently have time
to implement it. The vix people already have everything in place.

Hurray for Karl!

Dirk

Correct.

Note that the way you GET ON THIS LIST is to have BEEN a smurf amplifier.

That is, not a "suspected" one, not one we probed, but a PROVEN source of a
smurf amplification.

And guess how I know that? I'll tell you - one or more of our customer or
internal machines was rendered useless until I identified and blocked EACH
of the networks on the list.

That is, all of these are PROVEN guilty, not suspected guilty. This also
means that any claim that I'm "helping the bad guys" is baloney - the bad
guys, by definition, ALREADY USED THESE NETWORKS to hit us or one of our
customers - that's how they got on the list in the first place!

The only effective means I have to stop this is to start refusing transit
to packets with a source address in the amplifier network(s). Our core
circuits can handle even a dedicated smurfer - there are few who can hit us
with enough punch to melt our core circuits (multiple DS3s are like that).
Our customers, most of whom are on T1s, aren't so lucky - they can be
rendered disconnected quite easily, as can an internal machine on a 10Mbps
switched port.

Blocking these at ingress to our core is enough; not only do we stay
operational with minimal impact, but the intended target suffers no ill
effects - and as a consequence, the people doing this move on to more
"juicy" targets where they can actually cause some damage.

If any significant number of providers start blocking these networks, the
people who own them will have to fix the configuration problems if they
want to continue to be able to talk to the Internet as a whole.

THAT is the intent of the blacklisting around here. Our NOC crew has been
instructed that any complaint from these address ranges is to be referred
directly to me, and that the standard answer is "you're a smurf amplifier
and while Karl will talk to you, if you're calling for any purpose other
than to tell us that you've fixed it you're wasting your dimes".

Heh - since Karl has wasted a lot of his time providing a brief list of
sites that he has identified as smurf amplifiers, - and since you brought
up a very good point of creating a more "searchable" list with perhaps
some contact information - why don't you apply the needed changes (as you
see the need) - I think Karl has done enough - and i bet whois.arin.net
works just as well for you...

just a thought mind you

Concur.

Anyone want to write a script to back-whois the network contacts, and
set up a web page? I'd do it, but the webserver isn't mine.

Cheers,
-- jra

Ok, I'll offer web hosting for it, and BGP feed (using gated). What
domain name? smurfpolice.net isn't taken.

    --Dean

Uh, a BGP feed doesn't do you any good folks. You want to block INGRESS,
not outbound packet flow.

I thought I heard BGP mentioned about 25 messages back as a means to put
more pressure on these networks, by shutting off connectivity to them. It
is also a means to distribute throttling to others during a smurf attack,
say if someone upstream has the feed. I can see that using it might create
more problems, but it's also a decision that can be made by the network
provider. I'll just offer a site to run the gated and coordinate changes.

    --Dean

Karl Denninger wrote:

Uh, a BGP feed doesn't do you any good folks. You want to block INGRESS,
not outbound packet flow.

Uh. Just modify BGP routes from that feed to have a next hop pointing to a black
hole. route-maps are sometimes useful.

--vadim

Hmmm.. that would work :)

i suspect that they're discussing blocking inbound packets from faked
sources of smurf attacks. in this case, protection from outbound routing
info is too late. once the smurf packets get in your local net, you've
been smurfed.

of course, the idea of blocking smurf spoof sites is pretty specious. how
many folk will go through the effort and burden on the routers to put an
access list in the packet path and yet not be clueful enough to just say
'no ip directed-broadcast' on the same damn edge router instead?

wait a sec. on second thought, don't answer that question.

randy

On the contrary; while it won't have the effect of ingress filters, it
will prevent downstreams of anyone receiving the feed from USING those
smurf sites, and it will disrupt connectivity to them in general. If
enough people adopted the feed, it would have a reasonable effect.

Then again, filtering any packets to or from x.x.x.255 would have a
similar but more profound effect. Anyone who actually uses a .255
address for a host is asking for trouble anyways.

Stephen

Karl Denninger wrote:

Could someone PLEASE explain to me how this is accomplished?

Let's assume that you do use a route-map to set next hop to a null
interface or a black hole or something for a prefix. AND set local pref
appropriately so that route gets preferred.

You now have a routing entry which essentially says:

  "forward packets DESTINED FOR the evil network to the black hole".

What you really want is a routing entry which says:

  "forward packets FROM the evil network to the black hole".

Now, if someone could enlighten me to a way which you can get BGP to make
a routing/filter entry to do this second one, I'd be most grateful.

BTW, I know you can do this with PERL or config scripts or whatever. The
point is that I don't think that a RBL-like blackhole feed will fix a
smurf attack from the "attacked" perspective, unless I have missed some
knob somewhere.

- Forrest W. Christian (forrestc@imach.com)
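As an added illustration of the two filtering approaches argued over in this thread (Karl's ingress filter on source addresses versus a BGP-fed blackhole that only matches destinations), here is example code that is not part of the original posts. The amplifier prefixes are constructed from RFC 5737 documentation ranges, and the ACL syntax is generic Cisco-style `access-list` lines, not anything from Karl's actual list or routers.

```python
import ipaddress

# Constructed sample block list (documentation ranges, not real amplifiers),
# deliberately unsorted to show the numeric sort suggested in the thread.
AMPLIFIER_LIST = """
203.0.113.0/24
192.0.2.0/24
198.51.100.128/25
"""

def load_amplifiers(text):
    """Parse one prefix per line and sort numerically by network address."""
    nets = [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip()]
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))

def ingress_acl(nets, acl_number=101):
    """Cisco-style ingress ACL: deny packets whose SOURCE is in an amplifier
    net, then permit everything else. Applied inbound at the core edge."""
    lines = [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any"
             for n in nets]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

def dropped_by_ingress_filter(nets, src, dst):
    """Karl's approach: match on the packet's source address."""
    return any(ipaddress.ip_address(src) in n for n in nets)

def dropped_by_dest_blackhole(nets, src, dst):
    """Blackhole route from a BGP feed: forwarding only ever looks at the
    DESTINATION, which is Forrest's objection."""
    return any(ipaddress.ip_address(dst) in n for n in nets)

def looks_like_directed_broadcast(addr):
    """Stephen's cruder heuristic: anything ending in .255 (assumes /24s)."""
    return ipaddress.ip_address(addr).packed[-1] == 0xFF

if __name__ == "__main__":
    nets = load_amplifiers(AMPLIFIER_LIST)
    print("\n".join(ingress_acl(nets)))
    # Amplified replies arriving at the victim: only the ingress filter helps.
    print(dropped_by_ingress_filter(nets, "203.0.113.5", "198.18.0.10"))   # True
    print(dropped_by_dest_blackhole(nets, "203.0.113.5", "198.18.0.10"))   # False
    # Spoofed trigger leaving a provider that carries the feed: blackhole helps.
    print(dropped_by_dest_blackhole(nets, "198.18.0.10", "203.0.113.255"))  # True
```

Run as-is it prints the ACL and the four classifications, showing that the feed protects networks downstream of whoever carries it from launching or relaying, while only the source-address ingress filter protects the attacked site itself.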

of course, the idea of blocking smurf spoof sites is pretty specious. how
many folk will go through the effort and burden on the routers to put an
access list in the packet path and yet not be clueful enough to just say
'no ip directed-broadcast' on the same damn edge router instead?

the same ones that'll spend an entire day discussing it.

wait a sec. on second thought, don't answer that question.

and the ones who never read directions until its too late.

You're right that all BGP would do is block traffic to that network. But it
does block *all* traffic to that network. Once the attack is started, it
must either be stopped at the source, or by inbound packet filters.

Not that I'm defending it as a completely effective method, but presumably
some of the customers of the smurfable network have the off-hours access
numbers to the noc of the smurfing network, once they notice their
connectivity to elsewhere is lost. Adding a route to a route filter at a
high enough level ought to get some quick attention from the smurfing
network operator. Especially if it's their upstream that blocked them.
Things actually break for them, as opposed to just higher network load.

It also prevents your own disgruntled users from launching a smurf attack
against other users on your net, since they won't be able to reach those
networks. At least, not from your machines.

Also, it will prevent a person from launching an attack if someone is
filtering between them and the network.

And it has the advantage of being automatically updated, once a change is
made to the master list.

And I think a route blackhole is probably faster than a permission list.
Not positive, though.

Anyway, I'll offer a site to host the list, and redistribute the list in
hopefully convenient forms. Several people have already volunteered to
help, so it's up to you folks to ask for and/or implement convenient forms
of distribution. Whether you want to block all ingress by hand, or just
general connectivity by BGP or some other method is up to you. It is
possible to do both, or neither. The important thing is to get a list and
maintain it. I think we can dump the list into several different forms for
distribution.

    --Dean

The whole idea was to block attempts to make SMURF attacks originating from
your network, and in this case the black list of addresses to be blocked
(it's the list of broadcast addresses used to amplify ICMP) joined with
the logging of such attempts is quite useful.

Date: Mon, 13 Apr 1998 19:46:29 -0600 (MDT)
From: Forrest W. Christian <forrestc@iMach.com>
To: Vadim Antonov <avg@pluris.com>
Cc: Karl Denninger <karl@mcs.net>, Dean Anderson <dean@av8.com>,
    "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>, nanog@merit.edu
Subject: Re: SMURF amplifier block list

> Uh. Just modify BGP routes from that feed to have a next hop pointing
> to a black hole. route-maps are sometimes useful.

Could someone PLEASE explain to me how this is accomplished?

....