North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF amplifier block list

  • From: jlixfeld
  • Date: Mon Apr 13 11:28:16 1998

Or, call Cisco.. press 1 and tell them you are being smurfed.  They will
work with specialists and authorities to track down the attacker and rest
assured, they will be dealth with.  One thing I like about Cisco, is they
don't fsck around!!  They get right down to business.

On Sun, 12 Apr 1998, Alex P. Rudnev wrote:

:Sorry, you don't understand.
:
:The worst thing in the smurf attack is not the attack itself (small IP 
:flood, what's it? now the hackers have not really big amlifiers at their 
:lists), but the fact the attacker originated source is faded usially. The 
:best way to found the source of such attack is to trace echo-request 
:packets directed to one or more smurf-amplified networks.
:
:If some (even some) network anounce _we keep on-line list of 
:smurf-amplified address and control all attempts to send packets to this 
:networks_, do you suppose hackers would work through this network? Any 
:attempt to send smurf cause them to be discovered and disconnected; even 
:if it's only anouncement, not real control, it's enougph to prevent a lot 
:of hackets from the such attempts.
:
:The only way to fight against any kind of such attacks is to be sure any 
:intruder should be fixed and disconnected in a few minutes. If I proclaim 
:(anyone who attempt to break CITYLINE.RU ISP here should be killed by the 
:gang of big and gloomy boys) do you think anyone in Moscow attampts to 
:break CITYLINE? Even if he don't believe to this anouncement - but 10% 
:for this to be true is enougph for hacker to be stopped.
:
:Just this case. While we are not seing every day _XXX was catched and 
:disconnected due to attempt to run SMURF_ you can found any new ways to 
:defend yourself - no matter, they discover new ways to attack you. If 
:they think they can be catched - it's enougph.
:
:Remember, this intruders use small ISP as their service providers, not 
:huge MCI or SPRINT.
:
:And you even don't need the full list of such amplified addresses to open 
:some kind of monitoring against the smurfers.
:
:Btw, if someone cry here _I am smurfed from XX.XX.XX.XX address, what 
:should you do to help him? I guess you should check (by IP accounting if 
:you have it; by NetFlow accounting if you have it; or close you boredom 
:and go home if you have not any) _are you sure the echo-request 
:packets to this broadcast addresses are not originated from YOUR customer_. 
:
:
:
:> 
:> > May be, someone will maintain such lists? First, it allow to fix smurf 
:> > source by 'log' option in the CISCO list; second, it'll prefere some 
:> > attacks.
:> 
:> If Karl will supply us the IP address of a non-critical machine in his
:> network then we only need one list maintained. Anyone can then add new
:> networks to Karl's list simply by smurfing his non-critical machine and it
:> will still meet his criteria of a verified atack.
:> 
:> --
:> Michael Dillon                   -               Internet & ISP Consulting
:> http://www.memra.com             -               E-mail: [email protected]
:> 
:> 
:> 
:
:Aleksei Roudnev, Network Operations Center, Relcom, Moscow
:(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
:(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
:

--
Regards,  

Jason A. Lixfeld             [email protected]
System Administrator [L5]    [email protected]

---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario   | (416) 236-5806	     (T)
M9B-1B5 CANADA               | (416) 236-5804        (F)
---------------------------------------------------------------------