SMURF amplifier block list

Why wouldn't this work (on IOS 11.3 at least):

a) pick an unused interface (shutdown):

interface Serial0/2
 ip address 192.168.1.5 255.255.255.252
 shutdown
!
ip route 192.168.1.0 255.255.255.0 Null0 254

b) Say the spammer is 220.88.182.128/27:

access-list 20 permit 220.88.182.128 0.0.0.31
!
route-map spam-filter permit 10
 match ip address 20
 set ip default next-hop 192.168.1.6

c) On your Fast Ethernet - or whatever interface you use to feed packets to
your outgoing lines:

interface FastEthernet1/0
 ip policy route-map spam-filter

All outgoing packets to 220.88.192.128/27 now should go to Null0. I am sure
one can improve on the logic even more.

-Hank

Exactly. All OUTGOING packets. Not Incoming. Not the smurf attack
packets which are swamping your downstream customer, which have a source
address from 220.88.192.128/27.

I will concede that shutting off connectivity to a site by a large enough
chunk of the net should get someone to fix stuff.... But part of the
advantage of the MAPS RBL BGP feed is that it helps to cut down spam
coming into your network. A BGP feed TODAY won't block a ping
amplification attack aimed at your network or a downstream. All it will
do is prevent your customers from using the ping amplification networks to
launch an attack. And, if you have the appropriate anti-spoofing filters
in place, they shouldn't be able to attack anything other than the valid
source addresses you have in your outbound filter set.

- Forrest W. Christian (forrestc@imach.com)
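Forrest's point above, inbound versus outbound, as an added IOS configuration example that is not from any of the posters: instead of policy-routing outbound traffic into Null0, an inbound access list on the upstream link drops the echo-replies whose source is the amplifier /27 (the 220.88.182.128/27 from Hank's access-list 20), and an outbound access list on the same link is the anti-spoofing filter Forrest mentions. The interface name Serial0/0 and the local prefix 192.0.2.0/24 are assumptions.

```cisco
! Added example, not from the thread. Serial0/0 (upstream link) and the
! local address space 192.0.2.0/24 are assumptions; the amplifier /27 is
! the one in Hank's access-list 20.
!
! 1. Inbound on the upstream link: drop the smurf echo-replies that carry
!    the amplifier network as SOURCE, before they reach the downstream.
!    Also drop anything arriving from outside with our own source
!    addresses, since that is spoofed by definition.
access-list 110 deny   icmp 220.88.182.128 0.0.0.31 any echo-reply
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 permit ip any any
!
! 2. Outbound on the same link: anti-spoofing. Only packets sourced from
!    our own address space may leave, so our customers cannot aim the
!    amplifier networks at anyone but themselves. The log keyword records
!    which host is sourcing spoofed packets.
access-list 120 permit ip 192.0.2.0 0.0.0.255 any
access-list 120 deny   ip any any log
!
interface Serial0/0
 description upstream link
 ip access-group 110 in
 ip access-group 120 out
```

During an attack, `show access-lists 110` shows the match counter climbing on the echo-reply deny line, and the `log` keyword on access-list 120 names the customer host sourcing spoofed packets. A list of this kind has to be edited by hand for every amplifier network, which is the work the BGP feed discussed in this thread is meant to automate.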

Why not just block them at your interface with an access-list (firewall)
filter?

:I will concede that shutting off connectivity to a site by a large enough
:chunk of the net should get someone to fix stuff.... But part of the
:advantage of the MAPS RBL BGP feed is that it helps to cut down spam
:coming into your network. A BGP feed TODAY won't block a ping
:amplification attack aimed at your network or a downstream. All it will
:do is prevent your customers from using the ping amplification networks to
:launch an attack. And, if you have the appropriate anti-spoofing filters
:in place, they shouldn't be able to attack anything other than the valid
:source addresses you have in your outbound filter set.

The MAPS RBL BGP feed blocks all traffic back to a given network after a
spamming event. It doesn't do too much to stop an in-progress event, since
it doesn't respond that quickly with updates (part [most?] of the delay is
Vixie's investigation). It's effective because it puts a lot of pressure on
networks that host spammers to make sure it doesn't happen again. Thus,
it tends to reduce spam.

Likewise, a Smurf BGP feed won't stop an in-progress attack, but it will put
a lot of pressure on smurfable networks to make sure they aren't smurfable
in the future. And that's a pretty good tool, even if it's not 100%
effective.

    --Dean