smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

Phil Howard phil at charon.milepost.com
Mon Dec 29 14:12:13 UTC 1997


Alex P. Rudnev writes...

> What are you talking about? If they have NETFLOW switching and NETFLOW 
> accounting, it's easy to search for the router originated for the 
> SMURF/initialised packets (these packets can be searched by such a list, 
> or by a similar search pattern):
> 
>  xxx permit ip any 0.0.0.255 255.255.255.0 log
> 
> And then it takes 5 minutes to look for the originating interface.

Yeah.  And that leads to another router, then another, then another.
How about automating the process?  That's what it looks like DoStracker
does.

As was pointed out to me, if I have just one or two routers or one or
two links into the Internet, then I can easily find where the attack is
coming from.  But if I have a large complex network ...

-- 
Phil Howard | crash547 at no41ads6.com no63ads9 at spammer7.edu stop1ads at no9place.edu
  phil      | end3ads6 at no79ads0.com no6spam8 at dumbads1.org stop6it2 at dumbads7.edu
    at      | no43ads7 at noplace1.net no44ads3 at no40ads8.net suck8it0 at s0p5a7m7.com
  milepost  | stop7ads at dumbads7.edu w0x2y8z4 at dumb5ads.edu no7way22 at anywhere.net
    dot     | no6spam4 at no6where.com eat2this at lame2ads.edu ads8suck at dumb2ads.net
  com       | no2spam2 at s2p0a9m8.com suck0it2 at no14ads4.net blow9me7 at noplace5.com
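
The hop-by-hop trace discussed in this message, as an added example that is not part of the original post and is not DoStracker's code: it applies the same match as the quoted access-list line (destination with last octet 255) to per-router flow records and follows the busiest input interface upstream until the traffic leaves the operator's own routers. The router names, interface names, record layout and the `FLOWS`/`NEIGHBORS` tables are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the post): per-router flow records as
# (input_interface, src_ip, dst_ip, packets), shaped like flow accounting output.
FLOWS = {
    "core1": [("Se0/0", "192.0.2.10", "198.51.100.255", 9000),
              ("Se0/1", "203.0.113.5", "198.51.100.20", 40)],
    "core2": [("Hs1/0", "192.0.2.10", "198.51.100.255", 9000),
              ("Hs1/1", "203.0.113.9", "198.51.100.255", 3)],
    "edge3": [("Se2/0", "192.0.2.10", "198.51.100.255", 9000)],
}
# Constructed topology: (router, input interface) -> upstream router we operate.
# An interface missing from this map faces a customer or peer.
NEIGHBORS = {("core1", "Se0/0"): "core2", ("core2", "Hs1/0"): "edge3"}


def matches_acl(dst):
    """Same test as 'permit ip any 0.0.0.255 255.255.255.0': last octet is 255."""
    return int(ipaddress.IPv4Address(dst)) & 0xFF == 0xFF


def busiest_input(router):
    """Input interface carrying the most packets that match the ACL, or None."""
    counts = Counter()
    for iface, _src, dst, pkts in FLOWS.get(router, []):
        if matches_acl(dst):
            counts[iface] += pkts
    return counts.most_common(1)[0][0] if counts else None


def trace(start):
    """Follow matching traffic upstream until it leaves the routers we control."""
    path, seen, router = [], set(), start
    while router is not None and router not in seen:  # 'seen' guards against loops
        seen.add(router)
        iface = busiest_input(router)
        if iface is None:  # no matching flows here: the trail ends
            break
        path.append((router, iface))
        router = NEIGHBORS.get((router, iface))  # None means network edge reached
    return path


if __name__ == "__main__":
    for hop, iface in trace("core1"):
        print(f"{hop}: matching packets arrive on {iface}")
```

The source address is ignored on purpose, since it is forged in this kind of traffic; only the input interface at each hop is trusted.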


