spare swamp space?

I'm currently working on a project to help reduce the impact of smurf
attacks on our IRC server. Part of the plan requires a /24 of swamp
space. Since I'm sure ARIN wouldn't even consider assigning anything out
of the swamp or anything that small, I'm wondering if any of you might
have one that you're not using and would consider transferring to me.

Since I'm sure questions will arise, and this is operational related, I'll
share the plan. Most smurf attacks we receive are directed at our IRC
server (imagine that). We offer IRC service to both our customers and the
outside world. Our customers are not only on our network, but also on
several other wholesale dialup providers. To minimise the impact of a
smurf attack against our IRC server we will split the server off into 2
servers, one for the outside world and one for our customers only. The
public server will be connected via a T1 to a smurf tracing friendly
transit provider for external connectivity. This T1 will be used for this
purpose only and not be part of the rest of our infrastructure (which is
made up mostly of T3's to transit providers for our external
connectivity). The public server will use an address assigned by the
upstream. There will be a private network connection over Ethernet
between the public and private servers. The private server will be
connected to the rest of our infrastructure and will use an address out of
swamp space. This swamp space will only be advertised to our wholesale
dialup providers on a private peering setup so only machines attached to
these providers will be able to reach the private irc server.

So how does this work? Well, the typical attacker will launch his smurf
attack against irc.mindspring.com. irc.mindspring.com resolves to an
address within that swamp space I discussed. When the echo-reply from a
far off network without "no ip directed-broadcast" gets sent, it has
nowhere to go because their upstream doesn't have a route for it.

So what happens if they attack the public server? The public server,
since it's separated from the rest of our network will at least not affect
our customers, only people connected to our public irc server from the
outside world.

So why don't you just use private IP space? That would require that we
and our wholesale providers agree on a private block to use for this
purpose. Even if this can be done, if/when we add another wholesaler,
who's to say if they will agree to that space as well?

Well, you could use NAT between private space in your network and your
wholesalers, you say? I'm trying to keep this as simple and inexpensive
as possible. While I'm sure NAT would work fine, I'd like to avoid it if
possible.

So, any takers?

Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
                                                            ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.

Hello,

  While IRC is just a game, it's an interesting game to watch and play.
There are other ways to defend (successfully) your IRC server from outside
attacks including smurf, fraggle and whatever other program comes from the
fingers of bored kids with no lives. I've helped PSI and other providers
running IRC servers to better protect their servers (and sometimes their
networks), and I am happy to work with you (or anyone else on that note) on
how to defend yourself against large IP based attacks. Please let me know
if I can be of service.

  -Steve

> I'm currently working on a project to help reduce the impact of smurf
> attacks on our IRC server. Part of the plan requires a /24 of swamp
> space. Since I'm sure ARIN wouldn't even consider assigning anything out
> of the swamp or anything that small, I'm wondering if any of you might
> have one that you're not using and would consider transferring to me.

*SNIP*

> So what happens if they attack the public server? The public server,
> since it's separated from the rest of our network will at least not affect
> our customers, only people connected to our public irc server from the
> outside world.
>
> So why don't you just use private IP space? That would require that we
> and our wholesale providers agree on a private block to use for this
> purpose. Even if this can be done, if/when we add another wholesaler,
> who's to say if they will agree to that space as well?

Personally, I would go with this option. That's what the space is for. I
can't imagine it being that terribly difficult to negotiate this with your
upstream(s), and if you need to change, it should be fairly trivial.
Otherwise, why not just get real space from your upstream(s) and have them
blackhole the route at their borders?

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell (800) 299-1288 v
         Systems Administrator (925) 377-1212 v
                           NameSecure (925) 377-1414 f
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

> So why don't you just use private IP space? That would require that we
> and our wholesale providers agree on a private block to use for this
> purpose. Even if this can be done, if/when we add another wholesaler,
> who's to say if they will agree to that space as well?

> Personally, I would go with this option. That's what the space is for. I
> can't imagine it being that terribly difficult to negotiate this with your
> upstream(s), and if you need to change, it should be fairly trivial.

One of the wholesalers we use in particular will probably make this next
to impossible. I feel no need to mention names here, but they have been
very uncooperative in the past and I don't expect them to act any
differently in this situation.

> Otherwise, why not just get real space from your upstream(s) and have them
> blackhole the route at their borders?

That's an interesting idea, and perhaps I'm missing something, but the
only way I can think of that this could be done would be for the provider
who has assigned this space to put a static route in every single one of
their border routers. That is assuming that they assign me a block out
of a larger announcement which would almost certainly be the case (unless
they happened to have some swamp space they could give me). I doubt they'd
be willing to do that since it's certainly not very scalable.

Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
                                                            ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
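The two routing ideas argued over in this thread, Brandon's unannounced swamp /24 reachable only over private peering with the wholesalers, and Patrick's "real space, blackholed at the upstream's borders" alternative, both come down to what a longest-prefix-match lookup returns for the private IRC server's address at each router. The following toy forwarding model is an added example, not code from any of the posters or from MindSpring; every prefix, router name and next hop in it is constructed (the swamp /24 is stood in for by a documentation prefix), and the blackhole next hop is named after the usual Null0 convention purely for readability.

```python
"""Added example: longest-prefix-match forwarding for the IRC-server plan.

Models three routers:
  * the default-free upstream of a smurf reflector network (Brandon's case),
  * a wholesale dialup provider that learns the swamp /24 over private peering,
  * an upstream border router that discards a /25 carved from its own
    aggregate (Patrick's blackhole suggestion).
All addresses and names below are constructed for illustration only.
"""
import ipaddress
from typing import Optional

# Constructed stand-ins; none of these are MindSpring's real addresses.
SWAMP_24 = ipaddress.ip_network("192.0.2.0/24")      # stands in for the swamp /24
PUBLIC_HOST = ipaddress.ip_address("198.51.100.10")  # public server, upstream-assigned
PRIVATE_HOST = ipaddress.ip_address("192.0.2.10")    # private server, in swamp space
DISCARD = "Null0"                                    # blackhole next hop (label only)


class Router:
    """Minimal FIB: a list of (prefix, next_hop) entries, longest prefix wins."""

    def __init__(self, name: str):
        self.name = name
        self.routes = []

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[str]:
        """Return the next hop for dst, or None when no prefix covers it."""
        addr = ipaddress.ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes if addr in p]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(router: Router, dst: str) -> str:
    """Describe what router does with a packet addressed to dst."""
    nh = router.lookup(dst)
    if nh is None:
        return "dropped: no route"        # unannounced prefix, nowhere to send it
    if nh == DISCARD:
        return "dropped: blackholed"      # explicit discard route at the border
    return f"forwarded via {nh}"


def build_scenarios():
    """Construct the three routers described in the module docstring."""
    # Reflector's default-free upstream: carries the public server's block
    # (announced by the transit provider) but has never heard the swamp /24,
    # so reflected echo-replies aimed at the private server die here.
    reflector_upstream = Router("reflector-upstream")
    reflector_upstream.add("198.51.100.0/24", "peer-transit")

    # Wholesale dialup provider: default toward its own transit, plus the
    # swamp /24 learned only over the private peering session.
    wholesaler = Router("wholesaler")
    wholesaler.add("0.0.0.0/0", "wholesaler-transit")
    wholesaler.add(str(SWAMP_24), "private-peering-mindspring")

    # Patrick's alternative: the upstream hands out a /25 from its aggregate
    # and installs a discard route for it on each border router. The /24
    # aggregate stays announced; only the /25 is dropped at the edge. As
    # Brandon notes, this entry has to exist on every border router.
    upstream_border = Router("upstream-border")
    upstream_border.add("198.51.100.0/24", "core")
    upstream_border.add("198.51.100.128/25", DISCARD)

    return reflector_upstream, wholesaler, upstream_border


if __name__ == "__main__":
    reflector_upstream, wholesaler, upstream_border = build_scenarios()
    for router, dst in [
        (reflector_upstream, str(PRIVATE_HOST)),   # reflected reply toward private server
        (reflector_upstream, str(PUBLIC_HOST)),    # reflected reply toward public server
        (wholesaler, str(PRIVATE_HOST)),           # customer on a wholesaler reaching IRC
        (upstream_border, "198.51.100.130"),       # blackholed /25 at the border
        (upstream_border, str(PUBLIC_HOST)),       # rest of the aggregate still works
    ]:
        print(f"{router.name:20} {dst:16} {forward(router, dst)}")
```

The model makes the trade-off in the thread concrete: with the swamp approach the drop happens implicitly at any default-free router simply because the prefix is absent, while with the blackhole approach the aggregate is still routed everywhere and the protection depends on a more-specific discard entry being present at each border.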