> We report these incidents to the FBI when there is at least a slim chance
> that the perpetrator might be caught.  We get a lot of very short-lived
> attacks (30 minutes or less) that just don't seem to be worth our time to
> report to the FBI, since there's usually no data that would give them a
> bit of a clue about who might have done it.

My recommendation is to take all the incidents that you are currently
classifying as unlikely to be resolved, and prepare a report on each
one with as much data as you can gather about them, and supply that
report to the FBI anyway.  This will help them understand just what is
going on, and may even help them acquire additional budgets and funding
to expand their resources to be more effective at investigating more
of these incidents.  This will allow them to keep better statistics
on just what problems are being seen in the Internet, whether they be
kids with scripts or terrorists.  The line between these groups will
be getting fuzzier, so we cannot disregard it at all.

It might also be interesting if we can as a group collect and merge the
data on these incidents.  I know there are some agencies that already do
this, and if someone has some detail on that, maybe that will be a good
start.  I know that I would be interested in comparing not only the list
of addresses that smurf incidents are coming from, but also comparing
the load balance of these addresses (e.g. do addresses that show up twice
as much in one incident also do so in another?).  If we can identify the
addresses that regularly show up, perhaps that may motivate the FBI to
insist on a "wiretap" at the location of the smurf amplifiers frequently
seen.  Then from there they may be able to begin backtracking attacks
and find the real source(s).
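
The comparison proposed in the message above, as an added example that is not part of the original post: it merges per-incident reply counts, lists the source networks that recur, and checks whether their relative load matches between incidents. The sample data is constructed, and the /24 grouping and the similarity measure are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the post): per incident, the source
# addresses of ICMP echo replies and how many packets each one sent.
INCIDENTS = {
    "A": [("192.0.2.10", 400), ("192.0.2.77", 400),
          ("198.51.100.5", 400), ("203.0.113.9", 200)],
    "B": [("192.0.2.31", 1000), ("198.51.100.200", 500), ("203.0.113.40", 500)],
    "C": [("198.51.100.5", 300), ("198.18.4.4", 300)],
}

def network_shares(records, prefix=24):
    """Fraction of an incident's reply traffic per source network.
    Grouping by /24 is an assumption: replies from one amplifier come from
    many hosts on the same broadcast network."""
    packets = Counter()
    for addr, count in records:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        packets[str(net)] += count
    total = sum(packets.values())
    return {net: n / total for net, n in packets.items()}

def recurring_networks(shares_by_incident, min_incidents=2):
    """Networks seen in at least min_incidents incidents, most frequent first."""
    seen = Counter(net for shares in shares_by_incident.values() for net in shares)
    return sorted(((net, n) for net, n in seen.items() if n >= min_incidents),
                  key=lambda item: (-item[1], item[0]))

def load_similarity(shares_a, shares_b):
    """Compare load balance over the networks common to two incidents.
    Returns 1.0 when the relative shares match exactly (1 minus total
    variation distance, one possible measure), or None when fewer than
    two networks are shared and there is nothing to compare."""
    common = sorted(set(shares_a) & set(shares_b))
    if len(common) < 2:
        return None
    sum_a = sum(shares_a[n] for n in common)
    sum_b = sum(shares_b[n] for n in common)
    return 1.0 - 0.5 * sum(abs(shares_a[n] / sum_a - shares_b[n] / sum_b)
                           for n in common)

SHARES = {name: network_shares(recs) for name, recs in INCIDENTS.items()}

if __name__ == "__main__":
    for net, n in recurring_networks(SHARES):
        print(f"{net} seen in {n} incidents")
    print(f"A vs B load similarity: {load_similarity(SHARES['A'], SHARES['B']):.3f}")
```

In the constructed data, 192.0.2.0/24 carries twice the load of 198.51.100.0/24 in both incident A and incident B, which is the kind of repeated pattern the message suggests looking for.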

