What do we do with clueless ISPs (fwd)

John Bradshaw bradshaw at uu.net
Mon Mar 23 17:28:17 UTC 1998


I would be interested in knowing who was spoken to at UUNET because I
have two on-call engineers who are very clueful on the smurf attack and
how to block it.  There are issues being discussed at this time with the
dostrack program and current revs of Cisco code being distributed so
tracking would not have been feasible (esp. since the site was the target
and not the amplification site).  Only if an amplification site was ID'd
as a UUNET customer could a track to the perpetrator have been performed.

UUNET Security Engineers will alleviate the attack until it subsides or
identification (and subsequent halting of the attack) occurs.

The staff is not manned 24 hours (just like MCI) but my people are paged
when these types of events occur (just like MCI).

Hopefully, someone can provide me with the ticket # of the incident of
the engineer who handled it.

John

> Joe  Shaw said:
> > From mail-maint at UU.NET  Sun Mar 22 14:10:32 1998
> > Date: Sun, 22 Mar 1998 12:47:52 -0600 (CST)
> > From: Joe  Shaw <jshaw at insync.net>
> > To: Randy Bush <rbush at bainbridge.verio.net>
> > cc: Hank Nussbacher <hank at ibm.net.il>, nanog at merit.edu
> > Subject: Re: What do we do with clueless ISPs
> > In-Reply-To: <13588.7105.10059.574316 at rip.psg.com>
> > Message-ID: <Pine.SOL.3.96.980322122920.21775A-100000 at vellocet.insync.net>
> > MIME-Version: 1.0
> > Content-Type: TEXT/PLAIN; charset=US-ASCII
> > Sender: owner-nanog at merit.edu
> >
> >
> > Last weekend we had one host on our network as the target of a smurf
> > attack.  When I reported it to both our upstreams (UUNet and Time Warner
> > who reported it to MCI), we got two stories.  MCI, whom I'm not even a
> > direct customer of started tracking the attack as soon as they were
> > informed.  UUNet took an hour to get a security person on the phone who
> > then told me that there was nothing they could do, period.
> >
> > My question is this: When will UUNet have security types on duty 7 days a
> > week, and will said people be clueful enough to track this sort of thing
> > down?  I told the people at UUNet that we were under smurf attack, and
> > then I had to go through a 10 minute explanation of what a smurf attack
> > was and what it was doing.  I would expect a worldwide NSP to keep up with
> > things like this, especially when a regional like myself can.
> >
> > I had logged all ICMP traffic coming into our network via an access list,
> > and could give them all the information they needed to get to the
> > offending networks, so it's not like they had such a hard job ahead of
> > them.
> >
> > Joe Shaw - jshaw at insync.net
> > NetAdmin - Insync Internet Services
> >
> > On Sat, 21 Mar 1998, Randy Bush wrote:
> >
> > > > How does one send "samples" of a Smurf
> > >
> > > When BBN's NOC handed one to our NOC yesterday, or was it the day before,
> > > they sent a cut and paste of
> > >   o configuring their edge cisco to detect and log
> > >   o the log
> > > which both documented the problem and, if our NOC did not have smurf clue,
> > > gave a clue on how to track.
> > >
> > > [ aside: it was tracked to the perp and stomped ]
> > >
> > > randy
> >
> >
> >

-- 
=====================================================================================
John Bradshaw, Manager, Security & Fraud Support  (800)900-0241 (F)
(703)645-4424
UUNET Technologies, Inc., 3060 Williams Dr. Fairfax, VA   22031;
http://www.uu.net
security at uu.net - Security Incidents; fraud at uu.net - Massmail,
spam-complaint at uu.net
=====================================================================================


