smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

Phil Howard phil at
Mon Dec 29 14:12:13 UTC 1997

Alex P. Rudnev writes...

> What are you talking about? If they have NETFLOW switching and NETFLOW
> accounting, it's easy to search for the router originated for the
> SMURF/initialised packets (these packets can be searched by such a list,
> or by a similar search pattern):
>  xxx permit ip any log
> And then it takes 5 minutes to look for the originating interface.

Yeah.  And that leads to another router, then another, then another.
How about automating the process?  That's what it looks like DoStracker

As was pointed out to me, if I have just one or two routers or one or
two links into the Internet, then I can easily find where the attack is
coming from.  But if I have a large complex network ...

Phil Howard | crash547 at no63ads9 at stop1ads at
  phil      | end3ads6 at no6spam8 at stop6it2 at
    at      | no43ads7 at no44ads3 at suck8it0 at
  milepost  | stop7ads at w0x2y8z4 at no7way22 at
    dot     | no6spam4 at eat2this at ads8suck at
  com       | no2spam2 at suck0it2 at blow9me7 at
