SMURF amplifier block list
Alex P. Rudnev
alex at Relcom.EU.net
Sun Apr 12 17:41:28 UTC 1998
Sorry, you don't understand.

The worst thing in the smurf attack is not the attack itself (a small IP
flood, what is it? the hackers do not really have big amplifiers on their
lists now), but the fact that the attacker's originating source is usually
faded. The best way to find the source of such an attack is to trace
echo-request packets directed to one or more smurf-amplifier networks.

If some network (even a single one) announces _we keep an on-line list of
smurf-amplifier addresses and control all attempts to send packets to these
networks_, do you suppose hackers would work through this network? Any
attempt to send smurf causes them to be discovered and disconnected; even
if it's only an announcement, not real control, it's enough to prevent a lot
of hackers from such attempts.

The only way to fight against any kind of such attacks is to be sure any
intruder will be fixed and disconnected in a few minutes. If I proclaim
(anyone who attempts to break into the CITYLINE.RU ISP here will be killed
by a gang of big and gloomy boys), do you think anyone in Moscow would
attempt to break CITYLINE? Even if he doesn't believe this announcement -
a 10% chance of it being true is enough for the hacker to be stopped.

Just this case. While we are not seeing every day _XXX was caught and
disconnected due to an attempt to run SMURF_, you can find any new ways to
defend yourself - no matter, they will discover new ways to attack you. If
they think they can be caught - it's enough.

Remember, these intruders use small ISPs as their service providers, not
huge MCI or SPRINT.

And you don't even need the full list of such amplifier addresses to open
some kind of monitoring against the smurfers.

Btw, if someone cries here _I am smurfed from the XX.XX.XX.XX address_, what
should you do to help him? I guess you should check (by IP accounting if
you have it; by NetFlow accounting if you have it; or close your boredom
and go home if you have neither) _are you sure the echo-request
packets to these broadcast addresses are not originated from YOUR customer_.
> > Maybe someone will maintain such lists? First, it allows fixing the smurf
> > source by the 'log' option in the CISCO list; second, it'll prevent some
> > attacks.
> If Karl will supply us the IP address of a non-critical machine in his
> network then we only need one list maintained. Anyone can then add new
> networks to Karl's list simply by smurfing his non-critical machine and it
> will still meet his criteria of a verified attack.
> Michael Dillon - Internet & ISP Consulting
> http://www.memra.com - E-mail: michael at memra.com
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
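An added example, not from the original post or from any NANOG participant: a small Python check of the kind the message above asks for, run over constructed NetFlow-style records to find which customer-facing ingress interface is forwarding ICMP echo-requests toward a list of known amplifier broadcast addresses. The amplifier addresses, interface indexes and flow records are constructed placeholders from documentation ranges; since a smurf packet carries the victim's address as its source, the check groups by ingress interface rather than by source address.

```python
import ipaddress

# Constructed placeholder amplifier list (documentation ranges, not real amplifiers):
# each entry is the directed-broadcast address of a network that answers broadcast pings.
AMPLIFIER_BROADCASTS = {
    ipaddress.ip_address("192.0.2.255"),
    ipaddress.ip_address("198.51.100.255"),
}

ICMP = 1
ECHO_REQUEST = 8

# Constructed NetFlow-style records: (ingress_ifindex, src, dst, proto, icmp_type, packets).
# Smurf traffic is spoofed with the victim's address as src, so src names the victim, not
# the attacker; the ingress interface is what points at the customer port it came in on.
SAMPLE_FLOWS = [
    (3, "203.0.113.7", "192.0.2.255", ICMP, ECHO_REQUEST, 4800),   # to amplifier, customer port 3
    (3, "203.0.113.7", "198.51.100.255", ICMP, ECHO_REQUEST, 5100), # same victim, 2nd amplifier
    (5, "203.0.113.9", "192.0.2.10", ICMP, ECHO_REQUEST, 3),        # ordinary ping to one host
    (7, "203.0.113.12", "192.0.2.255", 6, None, 20),                # TCP to the broadcast, not ICMP
    (3, "203.0.113.7", "192.0.2.255", ICMP, 0, 2),                  # echo-reply, wrong direction
]


def find_smurf_sources(flows, amplifiers=AMPLIFIER_BROADCASTS, threshold=100):
    """Return {ingress_ifindex: {"packets": n, "victims": {...}, "amplifiers": {...}}}
    for every ingress interface that forwarded more than `threshold` echo-request
    packets toward a listed amplifier broadcast address."""
    per_if = {}
    for in_if, src, dst, proto, icmp_type, packets in flows:
        if proto != ICMP or icmp_type != ECHO_REQUEST:
            continue                                  # only echo-requests matter here
        if ipaddress.ip_address(dst) not in amplifiers:
            continue                                  # not aimed at a known amplifier
        entry = per_if.setdefault(in_if, {"packets": 0, "victims": set(), "amplifiers": set()})
        entry["packets"] += packets
        entry["victims"].add(src)
        entry["amplifiers"].add(dst)
    return {i: e for i, e in per_if.items() if e["packets"] > threshold}


if __name__ == "__main__":
    for in_if, e in find_smurf_sources(SAMPLE_FLOWS).items():
        print(f"ifindex {in_if}: {e['packets']} echo-requests toward amplifiers "
              f"{sorted(e['amplifiers'])}, spoofed as victim(s) {sorted(e['victims'])}")
```

With the sample records only ingress interface 3 is reported, which is the customer port to look at; the ping to a single host, the TCP flow and the echo-replies are ignored.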