nanog mailing list archives

Re: smurf, the MCI-developed tracing tools (was Re: Bogus announcement)


From: Phil Howard <phil () charon milepost com>
Date: Mon, 29 Dec 1997 08:12:13 -0600 (CST)

Alex P. Rudnev writes...

What are you talking about? If they have NETFLOW switching and NETFLOW 
accounting, it's easy to search for the router originated for the 
SMURF/initialised packets (these packets can be searched by such a list, 
or by a similar search pattern):

 xxx permit ip any 0.0.0.255 255.255.255.0 log

And then it takes 5 minutes to look for the originating interface.

Yeah.  And that leads to another router, then another, then another.
How about automating the process?  That's what it looks like DoStracker
does.

As was pointed out to me, if I have just one or two routers or one or
two links into the Internet, then I can easily find where the attack is
coming from.  But if I have a large complex network ...

-- 
Phil Howard | crash547 () no41ads6 com no63ads9 () spammer7 edu stop1ads () no9place edu
  phil      | end3ads6 () no79ads0 com no6spam8 () dumbads1 org stop6it2 () dumbads7 edu
    at      | no43ads7 () noplace1 net no44ads3 () no40ads8 net suck8it0 () s0p5a7m7 com
  milepost  | stop7ads () dumbads7 edu w0x2y8z4 () dumb5ads edu no7way22 () anywhere net
    dot     | no6spam4 () no6where com eat2this () lame2ads edu ads8suck () dumb2ads net
  com       | no2spam2 () s2p0a9m8 com suck0it2 () no14ads4 net blow9me7 () noplace5 com
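
An added illustration, not part of either poster's message: the access-list entry quoted above uses a Cisco wildcard mask (1 bits mean "don't care"), so it matches any destination whose last octet is 255. The sketch applies that match to constructed flow records and totals packets per input interface, the single-router step that then has to be repeated hop by hop. The record layout, interface names and addresses are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

def wildcard_match(addr, base, wildcard):
    """Cisco-style match: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Compare only the bits the wildcard does not mask out.
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

# Destination part of the entry in the message: 0.0.0.255 255.255.255.0
ACL_DST = ("0.0.0.255", "255.255.255.0")

# Constructed flow records: (input interface, source, destination, packets)
FLOWS = [
    ("Serial0/0", "192.0.2.10", "198.51.100.255", 4200),
    ("Serial0/0", "192.0.2.10", "203.0.113.255", 3900),
    ("Serial0/1", "198.51.100.7", "203.0.113.25", 120),
    ("Ethernet1", "203.0.113.9", "198.51.100.255", 3),
    ("Serial0/1", "198.51.100.8", "192.0.2.55", 80),
]

def suspect_interfaces(flows, dst=ACL_DST):
    """Total packets per input interface for flows the entry would log."""
    hits = Counter()
    for ifname, _src, dest, pkts in flows:
        if wildcard_match(dest, *dst):
            hits[ifname] += pkts
    # Busiest interface first: the next router to inspect is behind it.
    return hits.most_common()

if __name__ == "__main__":
    for ifname, pkts in suspect_interfaces(FLOWS):
        print(f"{ifname:10} {pkts:6} packets to x.x.x.255")
```

The entry only catches broadcasts of networks whose broadcast address ends in .255; subnets with other boundaries need their own patterns.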

