Re: SMURF amplifier block list

[Brandon Ross <bross () mindspring net>]

On Sun, 19 Apr 1998, Jeremiah Kristal wrote:

> On Sat, 18 Apr 1998, Alex P. Rudnev wrote:  >
>
> I know that this week there was a smurf attack that was tracked to the
> source.  I'm not sure what will happen to him.  Hopefully someone from the
> NOC that caught him will let us know.

That was us, and we do plan on prosecuting.  We're in the process of
collecting information now.

Something that happened during this attack should be a great concern to
all of us.  In addition to the usual broadcast addresses being used as
amplifiers for this smurf attack, the attacker also used network
addresses.  It seems that many stacks and routers will respond to a
packet with a network address in the same way as a broadcast address.

Luckily Cisco's "no ip directed-broadcast" already took that into account
and blocks those packets, however, if you don't have a Cisco and are
having to configure manual filters to avoid being an amplifier site, you
_must_ filter out network addresses as well as broadcast addresses.

Please, spread the word.

P.S. I'd like to publicly thank Icon, Digex, and BBN as well as the EPA
(yes folks, the Environmental Protection Agency, they were being used as
an amplifier in this attack) for their help in tracing this attack to the
source.

Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info () mindspring com
Mosher's Law of Software Engineering:  Don't worry if it doesn't work
right.  If everything did, you'd be out of a job.