identify hostname
Jonathan Mischo
supertaz at mindspring.net
Fri Dec 4 00:28:09 UTC 1998
To add to this, it's very simple to identify smurf amplifiers. All you
need to do is sequentially ping possible broadcast addresses within a
netblock. If you wrote a threaded application, you could probably have a
complete list in a day or two on a modem connection. If you think of how
many of these fools have a colo box on someone's network, you'd realize
that it would be fairly easy to compile such a list once a month, without
anyone noticing the traffic (assume 16 hosts/sec, 3 pings per second @
56 bytes, plus 8 bytes or ICMP header = 3072 bytes/sec)...there are very
few providers who are set up to track ICMP traffic density, and 3k of
traffic per second is not going to create a noticable bump on a 45-155 meg
interface. The occasional amplifier that is hit will only create
increased traffic for the 3 pings recieved, which would easily be logged,
but would be too short to even produce a spike on most traffic graphs, or
trigger a traffic alarm.
just my $.02.
-Taz
--
Jonathan "Taz" Mischo -- Network Slave -- supertaz at mindspring.net
Mindspring Enterprises, Inc. 1430 W. Peachtree St. Suite 400
Atlanta, GA 30309 1.800.719.4664 x2705 404.287.0770 x2705
fax: 404.287.0885 pager: pagetaz at netops.mindspring.net M-F2-10pET
On Thu, 3 Dec 1998, Brandon Ross wrote:
> On Wed, 2 Dec 1998, Phil Howard wrote:
>
> > AFAIK, today, smurfers are only using *.*.*.255. They would have to
> > track a lot more information to use others, so for now I can generally
> > expect that deny to prevent us from being an amplifier.
>
> I'm afraid that in my experience, that's not true at all. I've seen smurf
> attacks bounced off of networks as small as /30's and all the way up to
> one network that was a /22, as well as everything inbetween, and I'm not
> just talking about the last /30 in a /24 either.
>
> Brandon Ross Network Engineering 404-815-0770 800-719-4664
> Director, Network Engineering, MindSpring Ent., Inc. info at mindspring.com
> ICQ: 2269442
>
> Stop Smurf attacks! Configure your router interfaces to block directed
> broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
>
More information about the NANOG
mailing list