The answer to this question is actually fairly simple: it is VERY easy to block smurfing in the form of amplification, i.e. you can stop yourself being an amplifier, and this helps your outgoing bandwidth.

However, to stop yourself being smurfed you have to stop all incoming ICMP Echo Reply packets coming into your host at your upstream, because what you are getting from a smurf are NOT ping request packets, they are ICMP echo reply packets coming from other amplifiers, which means you could be getting ICMP echo reply packets from 10 thousand + hosts at a time, and there is little you can do to block it other than have your uplink firewall it.

The problem is that by the time the ICMP reaches the uplink, the uplink has probably been saturated, or at least is upset enough over their loss of bandwidth to possibly cut your connectivity.

It is pretty pointless blocking ICMP echo replies on the IRC server itself as well, because by the time the packets get dropped at the server, they have already passed over the lines and saturated the lines.

Kinda sad hey?

Andrew Alston

-----Original Message-----
From: owner-cypherpunks@minder.net [mailto:owner-cypherpunks@minder.net]On Behalf Of Ray Dillinger
Sent: Tuesday, January 02, 2001 6:08 PM
To: Andrew Alston
Cc: cypherpunks@cyberpass.net
Subject: RE: Anarchy Eroded: Project Efnext

On Tue, 2 Jan 2001, Andrew Alston wrote:

Furthermore, IRC does NOT take that much bandwidth. There is a myth that EFnet NEEDS OC3 links etc. because of the traffic that is passed across it; what people don't say is that the servers actually only run at between 1 and 2 megabit/second if you remove the traffic from DDoS and attacks like smurf.

I have a question: given that half the bandwidth and almost all of the spike bandwidth is devoted to smurfing, why don't IRC servers just block multicast ping? I mean, okay, so it's in the kernel code instead of being a separate application. It still shouldn't be hard to come up with a patch that killed smurfing. Pings should never be forwarded to multiple hosts.

Bear
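
The traffic pattern described in the reply above (ICMP echo replies arriving from many amplifiers with no matching echo requests), as an added example that is not part of the original thread: a Python check that flags it in packet or flow records so the sources can be reported to the upstream that has to do the filtering. The record layout, addresses, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed sample records: (time_s, src, dst, icmp_type, ident, seq).
LOCAL = {"192.0.2.10", "192.0.2.20"}
SAMPLE = [
    # A normal ping from a local host and its matching reply.
    (0.00, "192.0.2.20", "198.51.100.1", ECHO_REQUEST, 7, 1),
    (0.02, "198.51.100.1", "192.0.2.20", ECHO_REPLY, 7, 1),
] + [
    # Replies from eight different hosts that 192.0.2.10 never pinged.
    (0.10 + i * 0.01, f"203.0.113.{i}", "192.0.2.10", ECHO_REPLY, 99, 1)
    for i in range(1, 9)
]


def unsolicited_replies(records, local):
    """Yield (time, src, dst) for echo replies that answer no local request."""
    outstanding = set()
    for ts, src, dst, icmp_type, ident, seq in records:
        if icmp_type == ECHO_REQUEST and src in local:
            outstanding.add((src, dst, ident, seq))
        elif icmp_type == ECHO_REPLY and dst in local:
            key = (dst, src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)  # legitimate answer, consume it
            else:
                yield ts, src, dst


def smurf_victims(records, local, window=1.0, min_sources=5):
    """Map each local host to the peak number of distinct unsolicited
    reply sources seen in one window, keeping hosts at or over the threshold."""
    buckets = defaultdict(set)
    for ts, src, dst in unsolicited_replies(records, local):
        buckets[(dst, int(ts // window))].add(src)
    peak = defaultdict(int)
    for (dst, _), sources in buckets.items():
        peak[dst] = max(peak[dst], len(sources))
    return {dst: n for dst, n in peak.items() if n >= min_sources}


if __name__ == "__main__":
    for victim, n in smurf_victims(SAMPLE, LOCAL).items():
        print(f"{victim}: unsolicited echo replies from {n} sources in one window")
```
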