Solution: Re: Huge smurf attack

Harold_Willison · January 14, 1999, 5:46pm

Brandon_Ross1 · January 14, 1999, 11:27pm

I don't necessarily agree. Going forward we require new vendors to be
able to:

1. trace spoof address based attacks in a reasonable time
2. block spoofed attacks from coming from their customers
3. have a mechanism to repair or block amplifying addresses owned by their
customers

If the vendor won't commit to doing these things, we will not buy service
from them. Ask my UUNet rep, she'll testify to this. UUNet is losing a
potential $200,000 a month because they are not capable of tracing spoofed
attacks. Instead I give my business to GTEI and Digex because both
companies have been very cooperative when asked to do these traces.

Anyway the point is that when money is involved, leverage is available.
These things can be fixed, it's just a matter of applying the right
pressure.

Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.

Steve_Sobol1 · January 16, 1999, 5:35pm

Oh, good... then if they refuse to fix their problem, and it can be documented
that they refuse to fix their problem, and someone uses them as an amplifier,
they can get sued. I hope we have some documentation that these people refuse
to do anything.

Steve_Sobol1 · January 16, 1999, 5:37pm

Unfortunately, it is probably a lot easier when your domain is
"mindspring.net" than when your domain is, say, "nacs.net" -- much more $$
involved. That having been said, I do agree with you...

Alex_P_Rudnev · January 16, 1999, 6:14pm

Btw.

For the victim, there is not difference between -
- smurf amplifies abused by the hacker;
- broken box abused by the hacker to create flood attack;
- broken dialup provider abused to send spam.

Don't talk about the smurf, talk about badly-secured systems. Open
direct-broadcast is one example; open SMTP relay is another one;
non-fixed exploit abused to get root access is the third example.

This common case is - _someone does not secure his box/lan from abuse;
what should we do_.

The forths case is (not yet) - ISP does allow to send frauded SRC
addresses.