SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!

• Previous message (by thread): SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
• Next message (by thread): FOLLOW ON TO BLOCK LIST
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Erik,

The script I wrote isn't really that smart... It just looks for two IP's
within the same /24 that were sending some kind of ICMP packet to the
victim machine.  Since NetFlow logs don't break ICMP down to the type
and codes, I had to unilaterally make that decision.  If your network is
clean, I sincerely apologize for any embarrassment or hassle this may
have caused, and I will remove it from the list.

Regards,
Christian

>-----Original Message-----
>From:	Erik Muller [SMTP:nc0773 at corp.netcom.com]
>Sent:	Thursday, April 30, 1998 12:14 PM
>To:	Martin, Christian
>Subject:	Re: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
>
>
>> 163.179.230.0
>
>This one's mine... the entire /24 is broken down as /30s, and .255 will 
>respond with nothing more sinister than an ICMP unreachable.  Any details
>on what results you saw that pointed to this network as an offender would 
>be appreciated (since I can't see any danger from it).
>
>----------------------------------------------------------------------------
>Erik Muller, Network Engineer                         emuller at noc.netcom.net
>NETCOM Network Services Support        NETCOM On-Line Communication Services
>
>
>On Wed, 29 Apr 1998, Martin, Christian wrote:
>
>> All,
>> 
>> Here is my contribution to the block list.  The script that generated
>> this will follow.  It is 'public domain', in that it can be modified,
>> BUT, please give credit where credit is due!
>> 

• Previous message (by thread): SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
• Next message (by thread): FOLLOW ON TO BLOCK LIST
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]