SMURF amplifier block list

Alex P. Rudnev alex at
Mon Apr 20 11:29:07 UTC 1998

> >measurement.
> Oops. I misunderstood this first time round.  I don't think you can easily
> detect smurf initiations, because you have to guess at the broadcast
> address.
It's not difficult to detect SMURF initiators belonging to your own 
customers. For us, it's easy because we have IP accounting at the core 
routers and have some anti-smurf monitoring.

If you see ICMP-request packets with a DST address that looks like a 
broadcast, it's the bell for your NOC: _let's check where these packets 
originated_ - and this traces you to the SMURFer in 90% of the cases.

And this address/wildcard_bits assumption makes a 
great approximation for the broadcast addresses.

> I think it is much easier to detect and block forged source addresses,
> which are also necessary for the hacker who is operating out of your
> network.
> 		--Dean
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>            Plain Aviation, Inc                  dean at
>            We Make IT Fly!                (617)242-3091 x246
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
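
Added example (not part of the original message, and not Relcom's monitoring code): a sketch of the check described above, run over IP accounting records. The record layout, the interface names, the assumed prefix lengths and the threshold are all assumptions made for illustration.

```python
"""Flag customer interfaces sending ICMP echo requests to broadcast-like destinations."""
import ipaddress
from collections import Counter

# Assumption: subnet sizes to test; a real deployment would tune this list.
ASSUMED_PREFIX_LENGTHS = (24, 25, 26, 27, 28)
ICMP_ECHO_REQUEST = 8

# Constructed accounting records: (ingress interface, claimed src, dst, protocol, icmp type).
# All addresses come from documentation ranges (RFC 5737).
SAMPLE_RECORDS = [
    ("cust-a", "198.51.100.7", "192.0.2.255", "icmp", 8),
    ("cust-a", "198.51.100.7", "203.0.113.255", "icmp", 8),
    ("cust-a", "198.51.100.7", "203.0.113.0", "icmp", 8),
    ("cust-b", "192.0.2.10", "203.0.113.20", "icmp", 8),
    ("cust-b", "192.0.2.10", "203.0.113.255", "tcp", None),
    ("cust-c", "192.0.2.44", "198.51.100.63", "icmp", 8),
    ("cust-c", "192.0.2.44", "198.51.100.9", "icmp", 0),
]


def looks_like_broadcast(dst, prefix_lengths=ASSUMED_PREFIX_LENGTHS):
    """True if the host bits of dst are all ones or all zeros for any assumed prefix."""
    addr = int(ipaddress.IPv4Address(dst))
    for plen in prefix_lengths:
        wildcard = (1 << (32 - plen)) - 1  # wildcard bits, e.g. 0.0.0.255 for a /24
        host = addr & wildcard
        if host == wildcard or host == 0:
            return True
    return False


def suspect_interfaces(records, threshold=2):
    """Count matching echo requests per ingress interface; keep those at or above threshold.

    The ingress interface is the key, not the source address, because the
    source of a smurf echo request is forged.
    """
    hits = Counter()
    for iface, _src, dst, proto, icmp_type in records:
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST and looks_like_broadcast(dst):
            hits[iface] += 1
    return {iface: n for iface, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for iface, n in suspect_interfaces(SAMPLE_RECORDS).items():
        print(f"{iface}: {n} echo requests to broadcast-like destinations")
```

Because the prefix lengths are guessed, ordinary host addresses such as x.x.x.63 also match; the threshold is there to keep a single stray ping from raising the alarm.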
