nanog mailing list archives
Re: SMURF amplifier block list
From: "Alex P. Rudnev" <alex () Relcom EU net>
Date: Mon, 20 Apr 1998 15:29:07 +0400 (MSD)
measurement. Oops. I misunderstood this first time round. I don't think you can easily detect smurf initiations, because you have to guess at the broadcast address.
It's not difficult to detect SMURF initiators belonging to your own customers. For us, it's easy because we have IP accounting at the core routers and have some anti-smurf monitoring. If you see ICMP-request packets with a DST address that looks like a broadcast, it's the bell for your NOC, _let's check where these packets originated_, and this traces you to the SMURFer in 90% of the cases. And this 0.0.0.255 255.255.255.0 address/wildcard_bits assumption makes a great approximation for the broadcast addresses.
I think it is much easier to detect and block forged source addresses, which are also necessary for the hacker who is operating out of your network.

--Dean
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc dean () av8 com
LAN/WAN/UNIX/NT/TCPIP/DCE http://www.av8.com
We Make IT Fly! (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
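The monitoring check described in this message, as an added example that is not code from the post or its author: it applies the 0.0.0.255 255.255.255.0 address/wildcard pair to ICMP echo requests in accounting data and totals the hits per ingress interface. The record layout, interface names, addresses and the `threshold` parameter are constructed assumptions, not the output of any real router.

```python
import ipaddress
from collections import Counter

# Address/wildcard pair from the message. Bits set in the wildcard are
# "don't care", so this matches any destination whose last octet is 255.
ACL_ADDR = int(ipaddress.IPv4Address("0.0.0.255"))
ACL_WILDCARD = int(ipaddress.IPv4Address("255.255.255.0"))


def looks_like_broadcast(dst: str) -> bool:
    """True if dst matches the address/wildcard pair (a /24-style broadcast)."""
    care = ~ACL_WILDCARD & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(dst)) & care) == (ACL_ADDR & care)


# Constructed accounting records (hypothetical layout):
# ingress-interface  src  dst  protocol  icmp-type  packets
SAMPLE = """\
Serial1/0 198.51.100.7 192.0.2.255 icmp 8 4200
Serial1/0 198.51.100.7 203.0.113.255 icmp 8 3900
Serial1/2 192.0.2.10 198.51.100.20 icmp 8 12
Ethernet0 192.0.2.33 203.0.113.255 udp - 40
Serial1/3 192.0.2.44 198.51.100.255 icmp 0 5
Serial1/0 198.51.100.7 192.0.2.127 icmp 8 800
"""


def suspects(records: str, threshold: int = 100) -> dict:
    """Return {ingress interface: packets} for echo requests to broadcast-looking
    destinations. The source address in such packets is forged (it is the
    victim's), so hits are keyed on the interface the traffic entered through,
    which is what leads back to the originating customer."""
    hits = Counter()
    for line in records.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        iface, _src, dst, proto, icmp_type, pkts = fields
        if proto == "icmp" and icmp_type == "8" and looks_like_broadcast(dst):
            hits[iface] += int(pkts)
    return {iface: n for iface, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for iface, n in suspects(SAMPLE).items():
        print(f"check {iface}: {n} echo requests to broadcast-looking addresses")
```

The 800 packets sent to 192.0.2.127 are not counted: the pair only approximates broadcast addresses and misses the directed broadcast of a subnet smaller than a /24.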