nanog mailing list archives

Re: identify hostname


From: Jonathan Mischo <supertaz () mindspring net>
Date: Thu, 3 Dec 1998 19:28:09 -0500 (EST)


To add to this, it's very simple to identify smurf amplifiers.  All you
need to do is sequentially ping possible broadcast addresses within a
netblock.  If you wrote a threaded application, you could probably have a
complete list in a day or two on a modem connection.  If you think of how
many of these fools have a colo box on someone's network, you'd realize
that it would be fairly easy to compile such a list once a month, without
anyone noticing the traffic (assume 16 hosts/sec, 3 pings per second @
56 bytes, plus 8 bytes of ICMP header = 3072 bytes/sec)...there are very
few providers who are set up to track ICMP traffic density, and 3k of
traffic per second is not going to create a noticeable bump on a 45-155 meg
interface.  The occasional amplifier that is hit will only create
increased traffic for the 3 pings received, which would easily be logged,
but would be too short to even produce a spike on most traffic graphs, or
trigger a traffic alarm.

just my $.02.

-Taz

--
Jonathan "Taz" Mischo -- Network Slave -- supertaz () mindspring net
Mindspring Enterprises, Inc.  1430 W. Peachtree St. Suite 400
Atlanta, GA  30309   1.800.719.4664 x2705  404.287.0770 x2705
fax: 404.287.0885 pager: pagetaz () netops mindspring net M-F2-10pET

On Thu, 3 Dec 1998, Brandon Ross wrote:

On Wed, 2 Dec 1998, Phil Howard wrote:

AFAIK, today, smurfers are only using *.*.*.255.  They would have to
track a lot more information to use others, so for now I can generally
expect that deny to prevent us from being an amplifier. 

I'm afraid that in my experience, that's not true at all.  I've seen smurf
attacks bounced off of networks as small as /30's and all the way up to
one network that was a /22, as well as everything in between, and I'm not
just talking about the last /30 in a /24 either.

Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info () mindspring com
                                                            ICQ:  2269442

Stop Smurf attacks!  Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
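
An added example, not part of the original thread: a check an operator can run over their own prefixes to see which directed-broadcast addresses a deny on *.*.*.255 leaves uncovered, which is the gap Brandon Ross describes for subnets from /30 to /22. The prefix list is constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: prefixes you operate yourself (documentation/private ranges).
OWN_PREFIXES = [
    "192.0.2.0/30", "192.0.2.4/30", "192.0.2.252/30",
    "198.51.100.64/26", "203.0.113.0/24", "10.0.0.0/22",
]

def directed_broadcasts(prefixes):
    """Map each subnet to its directed-broadcast address."""
    result = {}
    for prefix in prefixes:
        net = ipaddress.IPv4Network(prefix, strict=True)
        if net.prefixlen >= 31:  # /31 and /32 have no broadcast address
            continue
        result[net] = net.broadcast_address
    return result

def missed_by_dot255_deny(prefixes):
    """Subnets whose broadcast address does not end in .255, so a filter
    matching only *.*.*.255 never sees traffic aimed at them."""
    return sorted(
        (str(net), str(bcast))
        for net, bcast in directed_broadcasts(prefixes).items()
        if int(bcast) & 0xFF != 0xFF
    )

def hosts_blocked_by_dot255_deny(prefixes):
    """Ordinary host addresses ending in .255 (they exist in subnets larger
    than /24) that the same filter would block by mistake."""
    blocked = []
    for prefix in prefixes:
        net = ipaddress.IPv4Network(prefix, strict=True)
        first = int(net.network_address) | 0xFF
        # Step through every x.x.x.255 below the real broadcast address.
        for value in range(first, int(net.broadcast_address), 256):
            blocked.append(str(ipaddress.IPv4Address(value)))
    return blocked

if __name__ == "__main__":
    for net, bcast in missed_by_dot255_deny(OWN_PREFIXES):
        print(f"not covered by .255 deny: {net} broadcast {bcast}")
    for host in hosts_blocked_by_dot255_deny(OWN_PREFIXES):
        print(f"valid host caught by .255 deny: {host}")
```

Any subnet listed as not covered needs directed broadcasts blocked on the router interface itself, as the signature above recommends.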
