nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!

From: Dennis Simpson <dennis () bconnex net>
Date: Fri, 1 May 1998 10:46:09 -0400 (EDT)
So that's how we wound up on your list!

Please remove any addresses you have for us. We are quite
diligent about this, and you are most welcome to test us for
smurf sourcing any time. It should definitely not work.

Current addresses:

205.189.200/23
205.210.186/23
206.130.244/23
209.212.32/19

Old addresses we no longer use and will be turning back in
by June:

204.50.247/24
206.107.177/23
206.186.216/23
209.5.14/23
209.50.76/22
209.50.80/22

If you are smurfed by any our downstreams on any address belonging
to one of our blocks, let us know, and we will take steps to prevent
their being a participant in a smurf attack.

Thx,
dennis


From: NOC <NOC () mercury balink com>
To: "'Erik Muller'" <nc0773 () corp netcom com>
Cc: "'nanog () merit edu'" <nanog () merit edu>
Subject: RE: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
Date: Thu, 30 Apr 1998 15:44:58 -0400
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Erik,

The script I wrote isn't really that smart... It just looks for two IP's
within the same /24 that were sending some kind of ICMP packet to the
victim machine.  Since NetFlow logs don't break ICMP down to the type
and codes, I had to unilaterally make that decision.  If your network is
clean, I sincerely apologize for any embarrassment or hassle this may
have caused, and I will remove it from the list.

Regards,
Christian


-----Original Message-----
From:        Erik Muller [SMTP:nc0773 () corp netcom com]
Sent:        Thursday, April 30, 1998 12:14 PM
To:  Martin, Christian
Subject:     Re: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!



163.179.230.0


This one's mine... the entire /24 is broken down as /30s, and .255 will 
respond with nothing more sinister than an ICMP unreachable.  Any details
on what results you saw that pointed to this network as an offender would 
be appreciated (since I can't see any danger from it).



---------------------------------------------------------------------------

-

Erik Muller, Network Engineer                         

emuller () noc netcom net

NETCOM Network Services Support        NETCOM On-Line Communication 

Services



On Wed, 29 Apr 1998, Martin, Christian wrote:


All,

Here is my contribution to the block list.  The script that generated
this will follow.  It is 'public domain', in that it can be modified,
BUT, please give credit where credit is due!
Previous By Date Next
Previous By Thread Next

Current thread: