nanog mailing list archives

Re: SMURF amplifier block list


From: "Alex P. Rudnev" <alex () Relcom EU net>
Date: Mon, 20 Apr 1998 15:29:07 +0400 (MSD)

measurement.

Oops. I misunderstood this first time round.  I don't think you can easily
detect smurf initiations, because you have to guess at the broadcast
address.
It's not difficult to detect SMURF initiators belonging to your own 
customers. For us, it's easy because we have IP accounting at the core 
routers and have some anti-smurf monitoring.

If you see ICMP-request packets with a DST address that looks like a 
broadcast, it's the bell for your NOC, _let's check where these packets 
originated_, and this traces you to the SMURFer in 90% of the cases.

And this 0.0.0.255 255.255.255.0 address/wildcard_bits assumption makes a 
great approximation for the broadcast addresses.




I think it is much easier to detect and block forged source addresses,
which are also necessary for the hacker who is operating out of your
network.

              --Dean


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  dean () av8 com
           LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
           We Make IT Fly!                (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++




Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
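
The check described in this message, as an added example that is not part of the original post: it applies the 0.0.0.255 / 255.255.255.0 address/wildcard pattern to ICMP echo requests and groups the matches by the port they entered on. The record layout, port names, sample records and the `min_targets` threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Pattern from the post: address 0.0.0.255 with wildcard bits 255.255.255.0.
# Wildcard bits set to 1 mean "don't care", so only the last octet is compared.
PATTERN = int(ipaddress.IPv4Address("0.0.0.255"))
WILDCARD = int(ipaddress.IPv4Address("255.255.255.0"))
CARE = ~WILDCARD & 0xFFFFFFFF
ICMP, ECHO_REQUEST = 1, 8

def looks_like_broadcast(dst):
    """True when dst matches the wildcard pattern (last octet is 255)."""
    return (int(ipaddress.IPv4Address(dst)) & CARE) == (PATTERN & CARE)

def suspect_ingress(records, min_targets=2):
    """Group matching echo requests by ingress port (assumed record field).

    Smurf source addresses are forged (they name the victim), so the trace
    follows where the packets entered, not the source address they claim.
    """
    hits = defaultdict(lambda: {"targets": set(), "sources": set(), "packets": 0})
    for ingress, src, dst, proto, icmp_type, packets in records:
        if proto == ICMP and icmp_type == ECHO_REQUEST and looks_like_broadcast(dst):
            h = hits[ingress]
            h["targets"].add(dst)
            h["sources"].add(src)
            h["packets"] += packets
    # The pattern is an approximation: x.x.x.255 can be an ordinary host in a
    # larger subnet, so require several distinct targets before alerting.
    return {
        port: {"targets": sorted(h["targets"]),
               "claimed_sources": sorted(h["sources"]),
               "packets": h["packets"]}
        for port, h in hits.items() if len(h["targets"]) >= min_targets
    }

# Constructed records: (ingress port, src, dst, IP protocol, ICMP type, packets)
RECORDS = [
    ("cust-a", "198.51.100.7", "192.0.2.255", 1, 8, 400),
    ("cust-a", "198.51.100.7", "203.0.113.255", 1, 8, 380),
    ("cust-a", "198.51.100.7", "203.0.113.10", 1, 8, 3),    # unicast ping
    ("cust-b", "10.1.1.5", "192.0.2.255", 17, None, 50),    # UDP, not ICMP
    ("cust-b", "10.1.1.5", "192.0.2.254", 1, 8, 2),         # last octet not 255
    ("cust-c", "10.2.2.9", "192.0.2.255", 1, 0, 9),         # echo reply
    ("cust-c", "10.2.2.9", "10.9.8.255", 1, 8, 1),          # single match only
]

if __name__ == "__main__":
    for port, info in suspect_ingress(RECORDS).items():
        print(port, info)
```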


