SMURF amplifier block list
Alex P. Rudnev
alex at Relcom.EU.net
Mon Apr 20 11:29:07 UTC 1998
> >measurement.
>
> Oops. I misunderstood this first time round. I don't think you can easily
> detect smurf initiations, because you have to guess at the broadcast
> address.
It's not difficult to detect SMURF initiators belonging to your own
customers. For us, it's easy because we have IP accounting at the core
routers and have some anti-smurf monitoring.
If you see ICMP request packets whose DST address looks like a broadcast,
it's the bell for your NOC, _let's check where these packets
originated_, and this traces you to the SMURFer in 90% of the cases.
And this 0.0.0.255 255.255.255.0 address/wildcard_bits assumption makes a
great approximation for the broadcast addresses.
>
> I think it is much easier to detect and block forged source addresses,
> which are also necessary for the hacker who is operating out of your
> network.
>
> --Dean
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Plain Aviation, Inc dean at av8.com
> LAN/WAN/UNIX/NT/TCPIP/DCE http://www.av8.com
> We Make IT Fly! (617)242-3091 x246
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
>
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
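
Added example, not part of the original message: a sketch of the check described above, flagging ICMP echo requests whose destination matches the 0.0.0.255 255.255.255.0 address/wildcard pair and totalling them per ingress interface. The record layout, interface names, sample records and the min_packets threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST = 8  # ICMP type of an echo request


def wildcard_match(addr, base="0.0.0.255", wildcard="255.255.255.0"):
    """Address/wildcard match: bits set in the wildcard are "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Constructed accounting records (hypothetical format):
# (ingress interface, source, destination, protocol, ICMP type, packets)
SAMPLE_RECORDS = [
    ("cust-a", "203.0.113.7", "192.0.2.255", "icmp", 8, 4000),
    ("cust-a", "203.0.113.7", "198.51.100.255", "icmp", 8, 3500),
    ("cust-a", "203.0.113.7", "198.51.100.10", "icmp", 8, 3),     # unicast ping
    ("cust-b", "192.0.2.44", "198.51.100.255", "icmp", 0, 900),   # echo reply
    ("cust-b", "192.0.2.44", "203.0.113.255", "tcp", None, 50),   # not ICMP
    ("cust-c", "198.51.100.9", "192.0.2.255", "icmp", 8, 2),      # below threshold
]


def suspects(records, min_packets=100):
    """Total echo requests to broadcast-looking destinations per interface.

    The key is the ingress interface, not the source address, because the
    source in a smurf packet is forged.
    """
    totals = defaultdict(lambda: {"packets": 0, "targets": set()})
    for iface, _src, dst, proto, icmp_type, packets in records:
        if proto == "icmp" and icmp_type == ECHO_REQUEST and wildcard_match(dst):
            totals[iface]["packets"] += packets
            totals[iface]["targets"].add(dst)
    return {iface: (t["packets"], sorted(t["targets"]))
            for iface, t in totals.items() if t["packets"] >= min_packets}


if __name__ == "__main__":
    for iface, (packets, targets) in suspects(SAMPLE_RECORDS).items():
        print(f"{iface}: {packets} echo requests to {targets}")
```

The match only tests that the last octet is 255, so it misses broadcast addresses of subnets that do not end on a /24 boundary (for example x.x.x.127) and can flag an ordinary host at .255 inside a larger network.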