The MAPS SAL Project Or, how to encourage people to type “no ip directed”, or to ritually desecrate their Proteons. Avi Freedman, Net Access

Post on 17-Jan-2016

The MAPS SAL Project

Or, how to encourage people to type “no ip directed”, or to ritually desecrate their Proteons.

Avi Freedman, Net Access

The Problem (1)

• Tens of thousands of networks and subnets allow directed broadcast.

• Thus, pinging to x.y.z.0 or x.y.z.255 can return a few, or tens or hundreds, of responses.

• Combined with forged-source address, it’s trivial to attack someone you don’t like. A dialup line can generate tens or hundreds of megs of smurf.

The Problem (2)

• This has been the case for many years, but it became a big problem once IRC-weenies figured it out.

• Tracking forged-source is very hard and requires (hi, Sean) intense and quick inter-provider cooperation.

• ISPs get smurfed for having certain dialup users, and then get smurfed if they kick off those same users.

The Traditional Solution

• The traditional solution is to use CAR to rate-limit ICMP to given destination(s), on all border interfaces.
  – access 155 permit icmp any any
  – int f0/0/0
  – rate input acc 155 90000 64000 64000 conf tr exc dr

• or
  – access 155 permit icmp any 207.106.4.0 0.0.0.255
  – int f0/0/0
  – rate input acc 155 90000 64000 64000 conf tr exc dr

• sho int rate shows you the progress...

Traditional Solution, ctd.

• Once you staunch the flow of crud, typically you can monitor the flow to see what smurf “amplifiers” are being used, and try to contact these amplifiers.

• Problem - most of the ones out there either have no contact info, or have rejected fixing the problem already.

• Still, some can be educated.
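One way to do the monitoring step described above, as an added example that is not part of the original slides: group inbound ICMP echo replies by source network and count distinct responding hosts, since many hosts on one subnet answering at once is what an amplifier looks like. The flow-record layout, the /24 grouping, the threshold and all addresses are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ECHO_REPLY = 0  # ICMP type 0; echo request is type 8

# Constructed flow records (source, destination, ICMP type); documentation
# address ranges only. 203.0.113.0/24 plays the network under attack.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 0),
    ("192.0.2.11", "203.0.113.5", 0),
    ("192.0.2.12", "203.0.113.5", 0),
    ("192.0.2.13", "203.0.113.5", 0),
    ("192.0.2.10", "203.0.113.5", 0),    # repeat from the same host
    ("198.51.100.7", "203.0.113.5", 0),
    ("198.51.100.8", "203.0.113.5", 0),
    ("198.51.100.9", "203.0.113.5", 8),  # echo request, not a reply
    ("192.0.2.99", "10.0.0.1", 0),       # reply to some other destination
]


def find_amplifiers(flows, victim_net, min_hosts=3, prefix_len=24):
    """Map each source network to its count of distinct hosts that sent
    echo replies into victim_net, keeping networks with >= min_hosts."""
    victim = ip_network(victim_net)
    responders = defaultdict(set)
    for src, dst, icmp_type in flows:
        if icmp_type != ECHO_REPLY or ip_address(dst) not in victim:
            continue
        # Hypothetical grouping: treat each source as part of its /24.
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        responders[net].add(src)
    hits = {str(n): len(h) for n, h in responders.items() if len(h) >= min_hosts}
    # Largest responder count first: those are the nets to contact first.
    return dict(sorted(hits.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for net, hosts in find_amplifiers(SAMPLE_FLOWS, "203.0.113.0/24").items():
        print(f"{net}: {hosts} distinct responders")
```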

Still, a Problem

• This helps get useful work done if you have lots of excess capacity to peers and upstreams.

• Unless you pay on a usage basis.

• Some upstreams will help, some won’t.

• Some upstreams can’t feasibly do border-CAR; some just want to charge you.

The Ideal Solution

• The ideal solution would be {for everyone} to install filters to prevent forged IP source addresses from ever being generated!!!!!!!

• Big problem - too much load on wimpy VIP2/50s.

• The SAL project addresses this less directly, both for routers and for hosts.

The Plan (1)

• SAL is distributing a black-hole feed of smurf amplifier nets via BGP.

• Nets can be automagically withdrawn by entering their netblock after fixing their smurfiness.

• People can use it as a BGP RBL, or preferably, to generate host or router filters with code SAL will supply.
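A sketch of what generating host or router filters from a prefix list could look like, added here as an illustration; it is not the code SAL supplies. The feed format (one CIDR prefix per line), the ACL number 150, the choice to drop ICMP sourced from listed nets, and the sample prefixes are all assumptions.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample list; documentation prefixes only.
SAMPLE_FEED = """\
# amplifier nets (constructed)
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
not-a-prefix
203.0.113.16/28
"""


def parse_feed(text):
    """Parse one prefix per line, skip comments and malformed entries,
    and merge adjacent or overlapping prefixes to keep the filter short."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ip_network(line, strict=True)
        except ValueError:
            continue  # never turn a bad feed line into a filter rule
        if net.version == 4:
            nets.append(net)
    return list(collapse_addresses(nets))


def router_acl(nets, acl=150):
    """Cisco-style extended ACL lines; acl number is a hypothetical choice."""
    lines = [f"access-list {acl} deny icmp {n.network_address} {n.hostmask} any"
             for n in nets]
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def host_rules(nets):
    """Equivalent host-side rules in iptables syntax."""
    return [f"iptables -A INPUT -p icmp -s {n} -j DROP" for n in nets]


if __name__ == "__main__":
    prefixes = parse_feed(SAMPLE_FEED)
    print("\n".join(router_acl(prefixes) + host_rules(prefixes)))
```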

The Plan (2)

• The web sites explaining the system will not be behind the SAL BGP feed, so people inside blocked networks can get information and even submit themselves for removal.

• For new smurf amplifiers, attempts will be made to communicate with them and with their upstreams first.

• SAL routes will not be listed publicly.

Our Goal

• The goal is to eliminate smurf amplifiers as a source of difficulty. Single-source UDP or ICMP slams are much easier to track down…

• Short-term, we are seeking to get about 10% of the net using SAL; both web hosters and small and regional ISPs.

How it Works

• We have an online database of smurf amplifiers, with date entered, source, etc…

• That ties into custom BGP code with some of that data represented in communities.

• People participate by eBGP multihop peering with AS XXXX and setting next-hop to loopback. Routes have no-export set.

Operations

• Being run by the fine folks at MAPS.

• Modest fee to the MAPS folks to participate (note: no one will be turned away for monetary reasons.)

• Info requests to [email protected]; user questions to [email protected]; NOC issues to [email protected].

Problems with our Proposal

• Some feel it is too punishing of the smurf amplifiers. Let’s all work towards educating customers, and work with them to fix their configs.

• Major networks can’t adopt it because they serve too many smurf amplifiers. Anyone with a few thousand routes is probably hosting tens of them. We are addressing this by putting advertising ASs into route communities.

Current Status

• An operational site with an operational remove list and an operational feed, but the service is still in alpha, with < 10 sites.

• Still in beta for participation, and we are still working on legal documents.

• > 4gb/sec of peak traffic using the service.

• MAPS, with a few individuals as backup, to deal with operational issues.

We’re Looking for...

• Volunteers to assist with communication with smurf amplifiers before they are placed on the black-hole list.

• Sites to use the SAL service, both small and large.

• People to educate their smurf amplifier customers.

We’re Looking for...

• Feedback about smurf amplifiers being used in active smurf attacks.

• Technical and policy feedback.

Resources

• http://maps.vix.com/sal/

• http://www.smurfblock.net/

• http://www.netscan.org/

[email protected]

[email protected]