Anarchy Eroded: Project Efnext

Andrew Alston andrew at security.za.net
Tue Jan 2 21:36:38 PST 2001


The answer to this question is actually fairly simple: it is VERY easy to
block smurfing in the form of amplification, i.e. that is to say that you can
stop yourself from being an amplifier, which helps your outgoing bandwidth.
However, to stop yourself being smurfed you have to stop all incoming ICMP
Echo Reply packets coming into your host at your upstream, because what you
are getting from a smurf are NOT ping request packets; they are ICMP Echo
Reply packets coming from other amplifiers, which means you could be getting
ICMP Echo Reply packets from 10,000+ hosts at a time, and there is
little you can do to block it other than have your uplink firewall it.  The
problem is that by the time the ICMP reaches the uplink, the uplink has
probably been saturated, or at least is upset enough over their loss of
bandwidth to possibly cut your connectivity.  It is pretty pointless
blocking ICMP Echo Replies on the IRC server itself as well, because by the
time the packets get dropped at the server, they have already passed over
the lines and saturated them.

Kinda sad hey?

Andrew Alston

-----Original Message-----
From: owner-cypherpunks at minder.net
[mailto:owner-cypherpunks at minder.net]On Behalf Of Ray Dillinger
Sent: Tuesday, January 02, 2001 6:08 PM
To: Andrew Alston
Cc: cypherpunks at cyberpass.net
Subject: RE: Anarchy Eroded: Project Efnext

On Tue, 2 Jan 2001, Andrew Alston wrote:

> Furthermore, IRC does NOT take that much bandwidth. There is a myth that
> efnet NEEDS OC3 links etc because of the traffic that is passed across it;
> what people don't say is that the servers actually only run at between 1 and
> 2 megabit/second if you remove the traffic from DDOS and attacks like
> smurf.

I have a question: given that half the bandwidth and almost all
of the spike bandwidth is devoted to smurfing, why don't IRC
servers just block multicast ping? I mean, okay, so it's in the
kernel code instead of being a separate application.  It still
shouldn't be hard to come up with a patch that killed smurfing.

Pings should never be forwarded to multiple hosts.

				Bear
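The thread above turns on one detail: a smurf victim is hit by ICMP Echo Replies from hosts it never pinged, bounced off networks that still answer pings to their directed-broadcast address. The following is an added example, not code from either poster or from any IRC server or router: a small detector over a constructed flow log that separates unsolicited replies from legitimate ping exchanges, lists the victim and the amplifier prefixes (the list you would hand to the upstream to filter), and, from the amplifier's side, picks out Echo Requests aimed at a local broadcast address (what a network drops to stop being an amplifier). The tuple log format, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Smurf-flood detection over a constructed ICMP flow log.

Added example, not code from the original thread. It models the point
made in the reply above: the victim of a smurf attack receives ICMP Echo
Reply (type 0) packets from thousands of hosts it never pinged, because
the attacker spoofed the victim's address in Echo Requests (type 8) sent
to the directed-broadcast addresses of amplifier networks. Flow records
are constructed here and assume a simplified tuple format:
    (timestamp_seconds, src_ip, dst_ip, icmp_type)
"""
from collections import defaultdict
from ipaddress import ip_network

ECHO_REPLY = 0
ECHO_REQUEST = 8


def unsolicited_replies(flows, window=5.0):
    """Map each destination to the sources of Echo Replies it did not ask for.

    A reply src->dst is 'solicited' only if dst sent an Echo Request to src
    within `window` seconds before it. A spoofed request to a broadcast
    address (victim -> 10.0.1.255) does not make replies from the
    individual hosts 10.0.1.x solicited, which is exactly the smurf case.
    """
    last_request = {}                 # (requester, target) -> timestamp
    unsolicited = defaultdict(list)
    for ts, src, dst, itype in sorted(flows):
        if itype == ECHO_REQUEST:
            last_request[(src, dst)] = ts
        elif itype == ECHO_REPLY:
            asked = last_request.get((dst, src))
            if asked is None or ts - asked > window:
                unsolicited[dst].append(src)
    return unsolicited


def find_smurf_victims(flows, min_sources=50, window=5.0):
    """Hosts receiving unsolicited replies from at least `min_sources` distinct hosts.

    Filtering these replies at the victim itself is too late (the pipe is
    already full); this output is what you hand to the upstream to filter.
    """
    victims = {}
    for dst, srcs in unsolicited_replies(flows, window).items():
        n = len(set(srcs))
        if n >= min_sources:
            victims[dst] = n
    return victims


def find_amplifier_nets(flows, victim, prefix=24, min_hosts=20):
    """Group the unsolicited reply sources hitting `victim` by /prefix.

    A prefix with many distinct replying hosts is a network that still
    answers directed-broadcast pings, i.e. an amplifier worth reporting.
    """
    hosts_by_net = defaultdict(set)
    for src in unsolicited_replies(flows).get(victim, []):
        hosts_by_net[ip_network(f"{src}/{prefix}", strict=False)].add(src)
    return {str(net): len(hosts) for net, hosts in hosts_by_net.items()
            if len(hosts) >= min_hosts}


def find_broadcast_requests(flows, local_nets):
    """Amplifier-side check: Echo Requests addressed to a local broadcast address.

    These are what a network stops itself from amplifying by dropping
    directed broadcasts; the reported src is the (spoofed) victim.
    """
    bcasts = {str(ip_network(n).broadcast_address) for n in local_nets}
    return [(src, dst) for _, src, dst, itype in sorted(flows)
            if itype == ECHO_REQUEST and dst in bcasts]


def build_sample_flows():
    """Constructed sample: one legitimate ping, one stray reply, and a smurf
    against 192.0.2.10 bounced off three /24 amplifier networks (all made up)."""
    victim = "192.0.2.10"
    flows = [
        (0.00, victim, "198.51.100.1", ECHO_REQUEST),   # victim's own ping
        (0.02, "198.51.100.1", victim, ECHO_REPLY),     # ...and its answer
        (1.00, "203.0.113.7", victim, ECHO_REPLY),      # single stray reply
    ]
    for net_idx in (1, 2, 3):
        # Spoofed request "from" the victim to the amplifier's broadcast address
        flows.append((1.90, victim, f"10.0.{net_idx}.255", ECHO_REQUEST))
        for host in range(1, 61):                       # 60 hosts answer each
            flows.append((2.0 + host / 1000, f"10.0.{net_idx}.{host}",
                          victim, ECHO_REPLY))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("victims:", find_smurf_victims(sample))
    print("amplifiers:", find_amplifier_nets(sample, "192.0.2.10"))
    print("directed-broadcast pings:", find_broadcast_requests(sample, ["10.0.1.0/24"]))
```

On the sample, the victim's own ping to 198.51.100.1 is correctly ignored, the single stray reply falls below the source threshold, and the three /24s each show 60 replying hosts; the same grouping on real flow exports is what tells you which networks to ask to disable directed broadcast, while the victim list is what the upstream needs in order to filter Echo Replies before they reach the saturated link.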
