SMURF amplifier block list
Brandon Ross
bross at mindspring.net
Mon Apr 20 19:02:20 UTC 1998
On Sun, 19 Apr 1998, Jeremiah Kristal wrote:
> On Sat, 18 Apr 1998, Alex P. Rudnev wrote: >
>
> I know that this week there was a smurf attack that was tracked to the
> source. I'm not sure what will happen to him. Hopefully someone from the
> NOC that caught him will let us know.
That was us, and we do plan on prosecuting. We're in the process of
collecting information now.
Something that happened during this attack should be a great concern to
all of us. In addition to the usual broadcast addresses being used as
amplifiers for this smurf attack, the attacker also used network
addresses. It seems that many stacks and routers will respond to a
packet with a network address in the same way as a broadcast address.
Luckily Cisco's "no ip directed-broadcast" already took that into account
and blocks those packets, however, if you don't have a Cisco and are
having to configure manual filters to avoid being an amplifier site, you
_must_ filter out network addresses as well as broadcast addresses.
Please, spread the word.
P.S. I'd like to publicly thank Icon, Digex, and BBN as well as the EPA
(yes folks, the Environmental Protection Agency, they were being used as
an amplifier in this attack) for their help in tracing this attack to the
source.
Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info at mindspring.com
Mosher's Law of Software Engineering: Don't worry if it doesn't work
right. If everything did, you'd be out of a job.
More information about the NANOG
mailing list