nanog mailing list archives
Re: smurf amp nets
From: Jon Lewis <jlewis () inorganic5 fdt net>
Date: Sat, 13 Jun 1998 02:01:21 -0400 (EDT)
On Fri, 12 Jun 1998, Michael Dillon wrote:
On Sat, 13 Jun 1998, Jon Lewis wrote:I just recorded 4.5mb of a smurf attack directed at one of my servers. Here's a list of the networks used as amplifiers and the number of different hosts responding from each network.This is not true! According to your list the following networks are *NOT* smurf amplifiers. Please check your data before blacklisting innocent people!!!
When did I blacklist anyone? Jim Flemming _is_ in my .procmailrc...so are you taking over for him? All I said was "here's a list of the networks used as amplifiers and the number of different hosts responding..." Obviously, any network responding with 1 ip is not terribly effective as an amplifier, but that doesn't alter the fact that the attacker attempted to use them as smurf amps. I should probably have trimmed all nets responding with fewer than 2 IPs since even a cisco with "no ip directed-broadcast" will generally respond with a source ip of the interface on which the echo request arrived. OTOH, these nets might want to consider additional filtering since they probably get abused in this way with some frequency. Every version of smurf.c I've seen has all the amplifier network addresses hardcoded. BTW...I have a theory for a way to get all or most of the big smurf amp networks fixed real fast...but doing it would probably get me in big trouble. Also...all the people cc'd on that message had nets with numbers of hosts responding in the dozens or more. ------------------------------------------------------------------ Jon Lewis <jlewis () fdt net> | Spammers will be winnuked or Network Administrator | drawn and quartered...whichever Florida Digital Turnpike | is more convenient. ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
Current thread:
- smurf amp nets Jon Lewis (Jun 12)
- Re: smurf amp nets Michael Dillon (Jun 12)
- Re: smurf amp nets Jon Lewis (Jun 12)
- Re: smurf amp nets Michael Dillon (Jun 13)
- Re: smurf amp nets Jared Mauch (Jun 13)
- Re: smurf amp nets Mikael Abrahamsson (Jun 13)
- Re: smurf amp nets Karl Denninger (Jun 13)
- Re: smurf amp nets ken emery (Jun 13)
- Re: smurf amp nets Craig A. Huegen (Jun 13)
- Re: smurf amp nets Jon Lewis (Jun 12)
- Re: smurf amp nets Craig A. Huegen (Jun 13)
- Re: smurf amp nets Michael Shields (Jun 13)
- Re: smurf amp nets Michael Dillon (Jun 12)
- Re: smurf amp nets Oystein Homelien (Jun 14)
- Re: smurf amp nets Eric McClelland (Jun 13)