Reporting Little Blue Men

Craig A. Huegen chuegen at quadrunner.com
Wed Jan 21 05:29:53 UTC 1998


On Tue, 20 Jan 1998, Eric Wieling wrote:

==>Is there any point in trying to report these attacks?  Who would we
==>report them to?  We don't know what the source is, after all the
==>address is spoofed.  It seems kind of pointless to notify the victim
==>-- they already know they have been smurfed.

Most providers are relatively helpful if they're attacks.  They will
generally work to help resolve it, or at least will place filters in place
to help you out.

It's quite unfortunate that I had to find a tier 1 not willing to help
with the smurf situation at all lately.  An ISP that I do consulting
for was being attacked via their connection to this provider.  When their
provider was called, they said they couldn't trace anything unless the FBI
was involved, and that they couldn't put a filter in place.

So, basically this ISP's connection to the provider was disabled.

After the owner of this ISP argued with this provider's NOC for 12 hours,
this provider sent mail back, claiming it wasn't a smurf because they
looked at the traffic on the circuit.

If anyone should recognize a smurf, I think I would.  I told this provider
it *was* a smurf, and that if they weren't predisposed with trying to do
absolutely nothing about it, they would have seen it.

After I told them about my smurf paper,
http://www.quadrunner.com/~chuegen/smurf.txt they were quick to tell me
(against their supposed "policy") that they are indeed willing to filter
for a customer, and that they will trace attacks if necessary. 

This is interesting, because I sat on a conference call with
representatives from this provider along with others, the FBI, and CERT on
how we can have better cooperation between providers and track these guys. 
This provider claimed their NOC was willing to deal with this. 

It was a very disappointing e-mail thread.

As a plea to all you providers out there:  the 'smurf' attack hurts the
smaller providers.  It hurts their business.  Please vow to use tools like
DoStracker and anything else you may be able to in order to trace this
down.  Get your NOC operations folks involved--pass out the smurf paper to
educate customers and tell them what you can and can not do.

/cah



