North American Network Operators Group

Re: SMURF amplifier block list
During an in-progress attack, you probably have to take extreme measures,
but they shouldn't be generally applied. No one wants to lose addresses
that *might* be a broadcast address in some possible netmask. /24 is maybe
common, but is not the only netmask. And the people who don't use it won't
want you to break their customers' networks.

--Dean

At 2:51 PM -0400 4/18/98, Alex P. Rudnev wrote:
>I am talking about both blocking exterior smurfers from using your
>networks as an amplifier, and blocking your smurfers from sending such
>packets by your network. The second task allows you to catch any smurfer in
>your own network in 5 minutes.
>
>Just now the only thing a big ISP can do in case of SMURF is to block
>ECHO_REPLY packets to some attacked networks; it results in preventing
>any PING tests from these networks. Why not sacrifice some addresses
>(*.255, really) from being pinged at all, but save yourself from being the
>source or amplifier of the SMURF?
>
>And then, if you should not block but 'log' such packets, you'll have the
>log records about your own smurfers without losing any ICMP
>capabilities at all.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc                  [email protected]
LAN/WAN/UNIX/NT/TCPIP/DCE            http://www.av8.com
We Make IT Fly!                      (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
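The netmask point raised in the message above, as an added example that is not part of the original post: it compares a blanket `*.255` filter with the directed-broadcast address each subnet's mask actually implies. The subnets are constructed sample values and the function name is hypothetical.

```python
import ipaddress

# Constructed sample subnets (documentation and private ranges), not from the thread.
SAMPLE_SUBNETS = [
    "192.0.2.0/24",      # broadcast is .255, so the filter matches it exactly
    "198.51.100.0/26",   # broadcast is .63, so the filter never sees it
    "10.10.0.0/22",      # broadcast is 10.10.3.255, other .255s are hosts
    "203.0.113.128/25",  # broadcast is .255
]


def audit_255_filter(subnets):
    """Compare a '*.255' drop rule with real directed-broadcast addresses.

    Returns (blocked_hosts, missed_broadcasts):
      blocked_hosts     - ordinary host addresses the rule would drop
      missed_broadcasts - real broadcast addresses the rule lets through
    """
    blocked_hosts = []
    missed_broadcasts = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        bcast = int(net.broadcast_address)

        # A broadcast address that does not end in .255 slips past the rule.
        if bcast & 0xFF != 0xFF:
            missed_broadcasts.append(net.broadcast_address)

        # Visit only addresses ending in .255 that lie below the broadcast
        # address; inside this subnet those are normal, assignable hosts.
        first = int(net.network_address) | 0xFF
        for value in range(first, bcast, 256):
            blocked_hosts.append(ipaddress.ip_address(value))
    return blocked_hosts, missed_broadcasts


if __name__ == "__main__":
    blocked, missed = audit_255_filter(SAMPLE_SUBNETS)
    print("hosts a *.255 rule would drop:", [str(a) for a in blocked])
    print("broadcasts a *.255 rule would miss:", [str(a) for a in missed])
```
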