identify hostname

Jonathan Mischo supertaz at
Fri Dec 4 00:28:09 UTC 1998

To add to this, it's very simple to identify smurf amplifiers.  All you
need to do is sequentially ping possible broadcast addresses within a
netblock.  If you wrote a threaded application, you could probably have a
complete list in a day or two on a modem connection.  If you think of how
many of these fools have a colo box on someone's network, you'd realize
that it would be fairly easy to compile such a list once a month, without
anyone noticing the traffic (assume 16 hosts/sec, 3 pings per second @
56 bytes, plus 8 bytes or ICMP header = 3072 bytes/sec)...there are very
few providers who are set up to track ICMP traffic density, and 3k of
traffic per second is not going to create a noticable bump on a 45-155 meg
interface.  The occasional amplifier that is hit will only create
increased traffic for the 3 pings recieved, which would easily be logged,
but would be too short to even produce a spike on most traffic graphs, or
trigger a traffic alarm.

just my $.02.


Jonathan "Taz" Mischo -- Network Slave -- supertaz at
Mindspring Enterprises, Inc.  1430 W. Peachtree St. Suite 400
Atlanta, GA  30309   1.800.719.4664 x2705  404.287.0770 x2705
fax: 404.287.0885 pager: pagetaz at M-F2-10pET

On Thu, 3 Dec 1998, Brandon Ross wrote:

> On Wed, 2 Dec 1998, Phil Howard wrote:
> > AFAIK, today, smurfers are only using *.*.*.255.  They would have to
> > track a lot more information to use others, so for now I can generally
> > expect that deny to prevent us from being an amplifier. 
> I'm afraid that in my experience, that's not true at all.  I've seen smurf
> attacks bounced off of networks as small as /30's and all the way up to
> one network that was a /22, as well as everything inbetween, and I'm not
> just talking about the last /30 in a /24 either.
> Brandon Ross            Network Engineering     404-815-0770 800-719-4664
> Director, Network Engineering, MindSpring Ent., Inc.  info at
>                                                             ICQ:  2269442
> Stop Smurf attacks!  Configure your router interfaces to block directed
> broadcasts. See for details.

More information about the NANOG mailing list