SMURF amplifier block list
jlixfeld at idirect.ca
Sun Apr 12 21:01:34 UTC 1998
Or, call Cisco.. press 1 and tell them you are being smurfed. They will
work with specialists and authorities to track down the attacker and rest
assured, they will be dealt with. One thing I like about Cisco, is they
don't fsck around!! They get right down to business.
On Sun, 12 Apr 1998, Alex P. Rudnev wrote:
:Sorry, you don't understand.
:
:The worst thing in the smurf attack is not the attack itself (small IP
:flood, what's it? now the hackers have not really big amplifiers at their
:lists), but the fact the attacker originated source is faded usually. The
:best way to find the source of such attack is to trace echo-request
:packets directed to one or more smurf-amplified networks.
:
:If some (even some) network announce _we keep on-line list of
:smurf-amplified address and control all attempts to send packets to this
:networks_, do you suppose hackers would work through this network? Any
:attempt to send smurf cause them to be discovered and disconnected; even
:if it's only announcement, not real control, it's enough to prevent a lot
:of hackers from the such attempts.
:
:The only way to fight against any kind of such attacks is to be sure any
:intruder should be fixed and disconnected in a few minutes. If I proclaim
:(anyone who attempt to break CITYLINE.RU ISP here should be killed by the
:gang of big and gloomy boys) do you think anyone in Moscow attempts to
:break CITYLINE? Even if he don't believe to this announcement - but 10%
:for this to be true is enough for hacker to be stopped.
:
:Just this case. While we are not seeing every day _XXX was caught and
:disconnected due to attempt to run SMURF_ you can find any new ways to
:defend yourself - no matter, they discover new ways to attack you. If
:they think they can be caught - it's enough.
:
:Remember, this intruders use small ISP as their service providers, not
:huge MCI or SPRINT.
:
:And you even don't need the full list of such amplified addresses to open
:some kind of monitoring against the smurfers.
:
:Btw, if someone cries here _I am smurfed from XX.XX.XX.XX address, what
:should you do to help him? I guess you should check (by IP accounting if
:you have it; by NetFlow accounting if you have it; or close you boredom
:and go home if you have not any) _are you sure the echo-request
:packets to these broadcast addresses are not originated from YOUR customer_.
:
:
:
:>
:> > May be, someone will maintain such lists? First, it allow to fix smurf
:> > source by 'log' option in the CISCO list; second, it'll prefere some
:> > attacks.
:>
:> If Karl will supply us the IP address of a non-critical machine in his
:> network then we only need one list maintained. Anyone can then add new
:> networks to Karl's list simply by smurfing his non-critical machine and it
:> will still meet his criteria of a verified attack.
:>
:> --
:> Michael Dillon - Internet & ISP Consulting
:> http://www.memra.com - E-mail: michael at memra.com
:>
:>
:>
:
:Aleksei Roudnev, Network Operations Center, Relcom, Moscow
:(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
:(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
:
--
Regards,
Jason A. Lixfeld jlixfeld at idirect.ca
System Administrator [L5] jlixfeld at torontointernetxchange.net
---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company"
Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario | (416) 236-5806 (T)
M9B-1B5 CANADA | (416) 236-5804 (F)
---------------------------------------------------------------------
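The check suggested in the quoted message (use flow accounting to see whether echo-requests aimed at known broadcast addresses are entering from your own customers), sketched as an added example that is not part of the original thread. The amplifier networks, interface names, customer prefixes and flow records are constructed sample data; the record layout is an assumption, and the ICMP type is read from the destination-port field as NetFlow exports encode it.

```python
import ipaddress
from collections import defaultdict

ICMP = 1
ECHO_REQUEST = 8

# Constructed sample data (documentation address ranges), not a real amplifier list.
AMPLIFIER_NETS = ["192.0.2.0/24", "198.51.100.0/25"]
CUSTOMER_PREFIXES = {"Serial0/1": "203.0.113.0/28", "Serial0/2": "203.0.113.16/28"}
# (ingress interface, src, dst, protocol, dst_port, packets)
FLOWS = [
    ("Serial0/1", "203.0.113.5", "192.0.2.80", 6, 80, 12),          # ordinary TCP
    ("Serial0/2", "10.9.9.9", "192.0.2.255", ICMP, 2048, 4000),     # forged src, broadcast dst
    ("Serial0/2", "10.9.9.9", "198.51.100.127", ICMP, 2048, 3500),  # same, second amplifier
    ("Serial0/1", "203.0.113.5", "192.0.2.255", ICMP, 0, 3),        # echo-reply, ignored
    ("Serial0/1", "203.0.113.6", "192.0.2.10", ICMP, 2048, 5),      # ping to a host, ignored
]

def amplifier_targets(nets):
    """Network and directed-broadcast address of every listed network."""
    targets = set()
    for n in nets:
        net = ipaddress.ip_network(n)
        targets.update({net.network_address, net.broadcast_address})
    return targets

def suspect_interfaces(flows, nets, customer_prefixes):
    """Per ingress interface: echo-request packets sent to amplifier broadcasts,
    plus the sources seen that lie outside the customer's assigned prefix."""
    targets = amplifier_targets(nets)
    report = defaultdict(lambda: {"packets": 0, "forged_sources": set()})
    for in_if, src, dst, proto, dst_port, packets in flows:
        # NetFlow carries ICMP type/code in the dst-port field: type*256 + code.
        if proto != ICMP or dst_port >> 8 != ECHO_REQUEST:
            continue
        if ipaddress.ip_address(dst) not in targets:
            continue
        entry = report[in_if]
        entry["packets"] += packets
        # The source address is the victim's, so attribute by ingress port instead.
        prefix = customer_prefixes.get(in_if)
        if prefix is None or ipaddress.ip_address(src) not in ipaddress.ip_network(prefix):
            entry["forged_sources"].add(src)
    return dict(report)

if __name__ == "__main__":
    for in_if, entry in suspect_interfaces(FLOWS, AMPLIFIER_NETS, CUSTOMER_PREFIXES).items():
        print(in_if, entry["packets"], sorted(entry["forged_sources"]))
```

Because the source field holds the victim's address, the ingress interface is the only part of the record that points back at the customer port the traffic entered on.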