North American Network Operators Group
Re: SMURF amplifier block list
[email protected] said once upon a time:
>
>You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on
>your cores. Deny ICMP from critical portions of your network. Create a
>little script which tail -fs the log, parses it, sorts it and counts it.
>If the script counts more than xxx hits on a certain IP or a certain
>number of IPs on your network from the same source or multiple sources
>on the same network, you have your upstream. Once you have them, you can
>call them and ask them to do the same until you find the real source.

You might want to stick in an "echo-reply" before the log. This will specifically block the smurf, but won't affect any of the other ICMP which does have a useful purpose. This of course will stop any of the blocked addresses from doing outside pings or traceroutes as well.
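The log-counting script described in the quoted message, restricted to echo-reply as the reply suggests, written here as an added example that is not part of the original thread. It assumes Cisco IOS-style ACL log lines, a /24 grouping for "same network" and a threshold of 50; the sample lines are constructed from documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Assumed log format (Cisco IOS-style ACL logging); adjust for your platform.
LOG_RE = re.compile(
    r"denied icmp (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)
ECHO_REPLY = 0  # ICMP type 0, the traffic a smurf victim receives

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 192.0.2.10 (0/0), 40 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 192.0.2.10 (0/0), 35 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.200 -> 192.0.2.10 (0/0), 30 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.5 -> 192.0.2.10 (0/0), 2 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.5 -> 192.0.2.11 (8/0), 500 packets
%LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

def count_echo_replies(lines, prefix_len=24):
    """Return (per-source, per-source-network) packet counts for denied echo-replies."""
    by_src, by_net = Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or int(m["type"]) != ECHO_REPLY:
            continue  # unrelated log line, or ICMP other than echo-reply
        try:
            net = ipaddress.ip_network(f"{m['src']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed address in the log line
        packets = int(m["count"])
        by_src[m["src"]] += packets
        by_net[str(net)] += packets
    return by_src, by_net

def over_threshold(counter, threshold):
    """Entries with more than `threshold` packets, highest first."""
    return [(key, n) for key, n in counter.most_common() if n > threshold]

if __name__ == "__main__":
    by_src, by_net = count_echo_replies(SAMPLE_LOG.splitlines())
    print("sources over 50: ", over_threshold(by_src, 50))
    print("networks over 50:", over_threshold(by_net, 50))
```

In the sample no single source exceeds the threshold, but the three hosts in 198.51.100.0/24 together do, which is the "multiple sources on the same network" case from the quoted message. To follow a live log, pass `sys.stdin` to `count_echo_replies` and pipe `tail -f` into the script.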