Solution: Re: Huge smurf attack

Actually, I think all major providers use automatic provisioning systems
which generate router configs. They don't need to rely on router vendors to
set particular defaults. If all major providers made sure their
provisioning systems turned off directed broadcast, a lot of the problem
would go away.

So "Router defaults" is a lame excuse for ISPs. Even little ISPs have a
list of things they have to set up (e.g. ip classless, subnet zero, etc.)
which have "legacy" or otherwise inappropriate defaults.

And yes, some customers may in fact want or need directed broadcasts on.
For example, if they are subnetting. In that case, you change it for them.
I tell our customers certain things are turned off by default, and if they
really want it on, they will need to ask.

Of course, the problem remains that some smurfers are undoubtedly on this
list, possibly working for major providers. (This is my guess as to source
of the 10.x smurf amps.)


Leaking rfc1918 onto the public internet is not acceptable, directed
broadcasts enabled or not.


We don't ask our vendors to provide equipment with directed broadcast
turned off by default for our own use or use by any clueful operator. The
reason we require directed broadcast to be turned off by default is so
that when a less-than-clueful operator gets a hold of the same box, they
don't become yet another smurf amplifier that ends up being used to attack
us. If and when I have the leverage with a vendor to get this implemented,
I use it, every single time.

Brandon Ross
Director, Network Engineering, MindSpring Ent., Inc.
Network Engineering: 404-815-0770 / 800-719-4664
ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See for details.
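The thread argues that a provider's provisioning system, not the vendor default, should guarantee directed broadcast is off on every interface. As an added example (not code from the thread or from any provider mentioned in it), here is a small lint that a provisioning pipeline could run over a generated IOS-style config: it flags every addressed, non-shutdown interface that does not carry an explicit `no ip directed-broadcast`, and reports missing global statements from a site's "list of things to set up" (assumed here to be `ip classless` and `ip subnet-zero`). The sample config is constructed for the example.

```python
"""Added example: audit an IOS-style config for the settings the thread discusses."""

# Assumption: the site's required global statements (both are real IOS commands).
REQUIRED_GLOBALS = ("ip classless", "ip subnet-zero")

# Constructed sample config (documentation address ranges, not a real router).
SAMPLE_CONFIG = """\
!
hostname border1
ip subnet-zero
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
!
interface Serial1
 shutdown
!
"""


def parse_config(text):
    """Split a config into global lines and {interface_name: [stanza lines]}."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # '!' terminates a stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def audit(text):
    """Return (severity, message) findings for a config."""
    findings = []
    globals_, interfaces = parse_config(text)
    for stmt in REQUIRED_GLOBALS:
        if stmt not in globals_:
            findings.append(("warn", f"missing global statement: {stmt}"))
    for name, lines in interfaces.items():
        addr = next((l for l in lines if l.startswith("ip address ")), None)
        if addr is None or "shutdown" in lines:
            continue                            # no address or admin-down: cannot amplify
        # Conservative rule: unless the config explicitly disables it, treat
        # directed broadcast as enabled (the legacy default the thread complains about).
        if "no ip directed-broadcast" not in lines:
            findings.append(("error", f"{name}: directed broadcast not disabled ({addr})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```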