Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: smurf amp nets

  • From: Jon Lewis
  • Date: Sat Jun 13 02:23:03 1998

On Fri, 12 Jun 1998, Michael Dillon wrote:

> On Sat, 13 Jun 1998, Jon Lewis wrote:
> 
> > I just recorded 4.5mb of a smurf attack directed at one of my servers. 
> > Here's a list of the networks used as amplifiers and the number of
> > different hosts responding from each network.
> 
> This is not true! According to your list the following networks are   
> *NOT* smurf amplifiers. Please check your data before blacklisting
> innocent people!!!

When did I blacklist anyone?  Jim Flemming _is_ in my .procmailrc...so are
you taking over for him?

All I said was "here's a list of the networks used as amplifiers and the
number of different hosts responding..."  Obviously, any network
responding with 1 ip is not terribly effective as an amplifier, but that
doesn't alter the fact that the attacker attempted to use them as smurf
amps. 

I should probably have trimmed all nets responding with fewer than 2 IPs
since even a cisco with "no ip directed-broadcast" will generally respond
with a source ip of the interface on which the echo request arrived. 

OTOH, these nets might want to consider additional filtering since they
probably get abused in this way with some frequency.  Every version of
smurf.c I've seen has all the amplifier network addresses hardcoded.

BTW...I have a theory for a way to get all or most of the big smurf amp
networks fixed real fast...but doing it would probably get me in big
trouble. 

Also...all the people cc'd on that message had nets with numbers of hosts
responding in the dozens or more. 

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or 
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.