Re: SMURF amplifier block list

["Alex P. Rudnev" <alex () Relcom EU net>]

Sorry, you don't understand.

The worst thing in the smurf attack is not the attack itself (small IP 
flood, what's it? now the hackers have not really big amlifiers at their 
lists), but the fact the attacker originated source is faded usially. The 
best way to found the source of such attack is to trace echo-request 
packets directed to one or more smurf-amplified networks.

If some (even some) network anounce _we keep on-line list of 
smurf-amplified address and control all attempts to send packets to this 
networks_, do you suppose hackers would work through this network? Any 
attempt to send smurf cause them to be discovered and disconnected; even 
if it's only anouncement, not real control, it's enougph to prevent a lot 
of hackets from the such attempts.

The only way to fight against any kind of such attacks is to be sure any 
intruder should be fixed and disconnected in a few minutes. If I proclaim 
(anyone who attempt to break CITYLINE.RU ISP here should be killed by the 
gang of big and gloomy boys) do you think anyone in Moscow attampts to 
break CITYLINE? Even if he don't believe to this anouncement - but 10% 
for this to be true is enougph for hacker to be stopped.

Just this case. While we are not seing every day _XXX was catched and 
disconnected due to attempt to run SMURF_ you can found any new ways to 
defend yourself - no matter, they discover new ways to attack you. If 
they think they can be catched - it's enougph.

Remember, this intruders use small ISP as their service providers, not 
huge MCI or SPRINT.

And you even don't need the full list of such amplified addresses to open 
some kind of monitoring against the smurfers.

Btw, if someone cry here _I am smurfed from XX.XX.XX.XX address, what 
should you do to help him? I guess you should check (by IP accounting if 
you have it; by NetFlow accounting if you have it; or close you boredom 
and go home if you have not any) _are you sure the echo-request 
packets to this broadcast addresses are not originated from YOUR customer_. 



> > May be, someone will maintain such lists? First, it allow to fix smurf 
> > source by 'log' option in the CISCO list; second, it'll prefere some 
> > attacks.
>
> If Karl will supply us the IP address of a non-critical machine in his
> network then we only need one list maintained. Anyone can then add new
> networks to Karl's list simply by smurfing his non-critical machine and it
> will still meet his criteria of a verified atack.
>
> --
> Michael Dillon                   -               Internet & ISP Consulting
> http://www.memra.com             -               E-mail: michael () memra com

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)