Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF amplifier block list

  • From: Alex P. Rudnev
  • Date: Mon Apr 20 07:54:29 1998

> >measurement.
> Oops. I misunderstood this first time round.  I don't think you can easily
> detect smurf initiations, because you have to guess at the broadcast
> address.
It's not difficult to detect SMURF initiators belongs to your own 
customers. For us, it's easy because we have IP accounting at the core 
routers and have some anti-smurf monitoring; 

If you saw ICMP-request packets with the DST address looks as broadcast, 
it's the bell for your noc _let's check where are this packets 
originated_  - and this trace you to the SMURFer at 90% of the cases.

And this address/wildcard_bits assumption makes a 
great approximation for the broadcast addresses.

> I think it is much easier to detect and block forged source addresses,
> which are also necessary for the hacker who is operating out of your
> network.
> 		--Dean
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>            Plain Aviation, Inc        
>            We Make IT Fly!                (617)242-3091 x246
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.