SMURF amplifier block list

Karl Denninger karl at mcs.net
Sun Apr 12 05:36:30 UTC 1998


On Sun, Apr 12, 1998 at 01:20:02AM -0400, Jon Lewis wrote:
> On Sun, 12 Apr 1998, Karl Denninger wrote:
> 
> > And you think they don't already HAVE the list?
> > 
> > Where do you think WE got it from?  From people smurfing us!  
> > 
> > The vandals ALREADY HAVE the list.  I know this because we were attacked
> 
> But posting the list of blackholed sites publicly gives the attackers a
> list of sites not to bother trying to use...so they keep coming out with
> new&improved versions of smurf using networks that actually work.

The goal is to make the number of possible sources ZERO.

If ISPs around the world refuse to forward directed broadcasts, it WILL 
be zero.  If a provider loses connectivity to significant parts of the
network, they'll fix their fscking routers.

I'll note that one of the worst offenders right now, and the biggest
sources, is APNIC's netblocks.  There are huge, multi-T3-connected, smurf
amplifiers on some of those network numbers.  You'll find that in 203.64
there are multiple high-bandwidth sources with ENABLED directed broadcasts.

Guess what?  That entire /16 can't talk to us any more.  I've tried talking
to APNIC with no response.  I've emailed every contact I can think of - 
nothing.

Now I've told them to fsck off.  They can either fix the damn thing or
they can stuff connectivity to us up their behinds.

I did this to huge parts of UUNET's infrastructure a few months ago.  It
*DID* get their attention, and smartly.  At one time, not long back, their 
entire New York POP was one huge smurf amplifier of the worst kind - multiple
MAX TNTs on 100BaseTX, all with directed broadcasts possible into their NICs.
Ouch.  We saw *sustained* loads in excess of 100Mbps coming from there. 
I blocked a /16, and two days later their CUSTOMERS started calling us 
asking why they couldn't talk to us any more.  

We told them why.

Less than a week later it magically "fixed itself", although UUNET denied 
that they changed anything or that it was ever broken.  Yeah, right.  

At least the problem got solved.

Bluntly, I've had enough and so have my customers.  Our IRC server is the
recipient of daily attacks.  Our *customers* DS1s are getting hit as well.
While I can fix the IRC server problem by putting it on a Switched 100BaseTX
port, that's not really a fix -- that's just making the firehose big enough
that the jerks can't fill it.

No more Mr. Nice Guy.  I don't like getting paged at 3:00 AM because some
two-bit punk got Klined off our IRC server for running clonebots and 
decided to smurf us in retaliation.

My fix is to render all connectivity to and from the offending netblocks
VOID until the owners fix their routers.  These folks, by the way, are NOT
clueless - they are DELIBERATELY ignoring the problem.

The folks who can source significant smurfs today are NOT Joe's T1 and Grill.
They are NATIONAL and INTERNATIONAL ISPs who damn well ought to know how to 
prevent this and why they should.  The guy with a T1 can't hit us hard
enough to even show up on our monitors.  To make my blacklist you have to
hit me with enough bandwidth that we *see* the problem, and that means
you're at least mid-fractional-DS3 connected.

If they're permitting this kind of behavior to take place *IT IS THEIR FAULT*,
and has to be due to either deliberate lack of action or gross negligence.

I'll KEEP adding netblocks to that access group as required, and keep
posting the list.  And I won't remove a single network from there until 
I've VERIFIED that they can no longer be used for this kind of vandalism.

-- 
Karl Denninger (karl at MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
                             | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
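As an added example (not part of Denninger's post or any MCSNet tooling), the Python script below shows the detection side of the approach the post describes: from constructed flow records it flags a /24 whose hosts collectively answer a victim with ICMP echo replies, the signature of a directed-broadcast reflector, and renders the hit as the kind of netblock-wide access-list entry the post talks about. The record layout, the host and bandwidth thresholds and the ACL number are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (epoch_seconds, src, dst, icmp_type, bytes).
# 40 hosts in 203.64.10.0/24 all answer the victim 192.0.2.7 within one
# second: a whole segment replying to a broadcast ping with a forged source.
VICTIM = "192.0.2.7"
FLOWS = [(i % 2, f"203.64.10.{i}", VICTIM, 0, 50_000) for i in range(1, 41)]
# Three ordinary echo replies from unrelated hosts: benign, must stay unflagged.
FLOWS += [(5, f"198.51.100.{i}", VICTIM, 0, 64) for i in (1, 2, 3)]
# An echo request (type 8) is not a reply and is ignored by the detector.
FLOWS += [(6, "203.64.10.99", VICTIM, 8, 64)]

def find_amplifiers(flows, victim, prefixlen=24, min_hosts=20, min_bps=8_000_000):
    """Return {network: (distinct_hosts, bits_per_second)} for every /prefixlen
    whose hosts together sent echo replies to `victim` above both thresholds.
    The thresholds are assumptions, not values taken from the post."""
    per_net = defaultdict(lambda: {"hosts": set(), "bytes": 0, "t": []})
    for ts, src, dst, icmp_type, nbytes in flows:
        if dst != victim or icmp_type != 0:   # keep only echo replies to the victim
            continue
        entry = per_net[ip_network(f"{src}/{prefixlen}", strict=False)]
        entry["hosts"].add(ip_address(src))
        entry["bytes"] += nbytes
        entry["t"].append(ts)
    hits = {}
    for net, e in per_net.items():
        window = max(max(e["t"]) - min(e["t"]), 1)   # seconds, never below 1
        bps = e["bytes"] * 8 / window
        if len(e["hosts"]) >= min_hosts and bps >= min_bps:
            hits[net] = (len(e["hosts"]), bps)
    return hits

def block_list_acl(nets, acl=101, aggregate=16):
    """Render hits as Cisco extended-ACL deny lines, widened to /aggregate as
    the post does with whole /16s; the closing permit keeps other traffic."""
    lines = []
    for net in sorted({n.supernet(new_prefix=aggregate) for n in nets}):
        lines.append(f"access-list {acl} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl} permit ip any any")
    return lines

if __name__ == "__main__":
    hits = find_amplifiers(FLOWS, VICTIM)
    for net, (hosts, bps) in hits.items():
        print(f"{net}: {hosts} hosts, {bps / 1e6:.1f} Mbit/s of echo replies")
    print("\n".join(block_list_acl(hits)))
```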



More information about the NANOG mailing list