Smurf tone down

Hello,

To help quench the effects of smurf attacks on our network, we CEF-CAR all
ICMP on our egress points to about 200% of normal ICMP flows.

However, when an upstream becomes full of ICMP (even though we dump most of
it), it still affects our external connectivity.

My question is, why don't larger upstream providers (assuming that most use
CEF-CAR) do the same to limit the effect of smurf attacks on their (and
subsequently, their customers') networks?

The floor is open for flames.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
     Atheism is a non-prophet organization. I route, therefore I am.
       Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
               Father of the Network and Head Bottle-Washer
     Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone! http://www.nac.net
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
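For readers who have not set this up, the arrangement Alex describes (CAR on the border interfaces capping ICMP at roughly twice its normal rate, running in the CEF switching path) looks like the IOS configuration below. This is an illustration added to the archive, not configuration from the post or from NAC; the interface names, the IP addresses (documentation ranges), ACL number 102, the 256 kbps baseline and therefore the 512 kbps ceiling are all assumed values. The last stanza covers the other half of the problem raised in this thread, a network being used as a smurf amplifier.

```cisco
! CAR depends on CEF being enabled; on a 7500 with VIPs this would be
! "ip cef distributed" instead.
ip cef
!
! ACL 102 matches only ICMP echo and echo-reply, the traffic a smurf flood
! consists of. Leaving other ICMP types (unreachables, "fragmentation needed",
! TTL exceeded) out of the ACL keeps path-MTU discovery and traceroute working
! even while the limiter is dropping flood traffic.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
! Upstream/egress interface (name and address are assumed). Normal ICMP on
! this link is assumed to be about 256 kbps, so the ceiling is 512000 bps
! (200% of baseline). Matching traffic is transmitted up to that rate with an
! 8000-byte normal burst and 16000-byte extended burst, and dropped beyond it.
! Applied in both directions: input protects us from a flood arriving via the
! upstream, output keeps us from delivering one to it.
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 rate-limit input access-group 102 512000 8000 16000 conform-action transmit exceed-action drop
 rate-limit output access-group 102 512000 8000 16000 conform-action transmit exceed-action drop
!
! Customer-facing LAN interface (name and address are assumed). Refusing to
! forward directed broadcasts means a spoofed echo request sent to this
! network's broadcast address is not delivered to every host on it, so the
! network cannot serve as a smurf amplifier.
interface FastEthernet1/0
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
```

Verify the limiter is engaging with `show interfaces Serial0/0 rate-limit`, which reports conformed and exceeded byte and packet counters per rate-limit statement; a non-zero exceeded count during quiet periods means the baseline estimate was too low and legitimate echo traffic is being dropped. Check the actual baseline before picking the 200% figure: it should come from measured ICMP on the link, not a guess.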

After dealing with UUNet security regarding several smurf incidents I
asked them this same question. Their response (and I'm sure it would be
the same response of others) was that a lot of the routers on their
network couldn't handle the load of using CEF-CAR to limit smurf attacks.
I'm not sure how true that statement was since I'm not familiar with any
part of UUNet's backbone equipment other than what I used to get my DS3
from at Insync and now with my MAE Houston connection, but from what I've
heard the backbones of a lot of NSP's aren't all made up of Cisco 12000's
or even 7500's, and I'd guess a fair amount of the existing routers out
there are borderline overloaded since it's next to impossible to get most
backbone providers to filter traffic when you're under attack. UUNet
certainly wouldn't for us because of "router CPU overhead" last time I was
under attack.

Just my $.02...

* Dan Hollis (goemon@sasami.anime.net) [990501 08:35]:

> After dealing with UUNet security regarding several smurf incidents I
> asked them this same question. Their response (and I'm sure it would be
> the same response of others) was that a lot of the routers on their
> network couldn't handle the load of using CEF-CAR to limit smurf attacks.

The explanation I got from UUNet regarding smurf attacks and why they
don't shut down their smurf amplifiers when notified repeatedly about
them, is that their Ascend TNTs don't support ICMP filtering.

-Dan

I had a different view of the WorldCom POPs: customers with sub-T1 and T1
circuits are connected to smaller devices, and bigger ones to Cisco 7513 /
B-STDX and FORE switches.

Nevertheless, here is a URL showing the UUNet structure of a gigapop:

http://info.uu.net/tv/unite/low/hubs.html

Jan

> After dealing with UUNet security regarding several smurf incidents I
> asked them this same question. Their response (and I'm sure it would be
> the same response of others) was that a lot of the routers on their
> network couldn't handle the load of using CEF-CAR to limit smurf attacks.

"the load" ?

The point of CAR is that it happens in the CEF path, with no/negligible (1
to 2%) additional load. Are UUNet's routers running that close to the
edge? I'd doubt it.

> I'm not sure how true that statement was since I'm not familiar with any
> part of UUNet's backbone equipment other than what I used to get my DS3
> from at Insync and now with my MAE Houston connection, but from what I've
> heard the backbones of a lot of NSP's aren't all made up of Cisco 12000's
> or even 7500's, and I'd guess a fair amount of the existing routers out
> there are borderline overloaded since it's next to impossible to get most
> backbone providers to filter traffic when you're under attack. UUNet
> certainly wouldn't for us because of "router CPU overhead" last time I was
> under attack.

What does a 'sho cdp nei' show on your uu-net connecting router?

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
     Atheism is a non-prophet organization. I route, therefore I am.
       Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
               Father of the Network and Head Bottle-Washer
     Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone! http://www.nac.net
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --