North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: SMURF amplifier block list
On Sun, 19 Apr 1998, Jeremiah Kristal wrote: > On Sat, 18 Apr 1998, Alex P. Rudnev wrote: > > > I know that this week there was a smurf attack that was tracked to the > source. I'm not sure what will happen to him. Hopefully someone from the > NOC that caught him will let us know. That was us, and we do plan on prosecuting. We're in the process of collecting information now. Something that happened during this attack should be a great concern to all of us. In addition to the usual broadcast addresses being used as amplifiers for this smurf attack, the attacker also used network addresses. It seems that many stacks and routers will respond to a packet with a network address in the same way as a broadcast address. Luckily Cisco's "no ip directed-broadcast" already took that into account and blocks those packets, however, if you don't have a Cisco and are having to configure manual filters to avoid being an amplifier site, you _must_ filter out network addresses as well as broadcast addresses. Please, spread the word. P.S. I'd like to publicly thank Icon, Digex, and BBN as well as the EPA (yes folks, the Environmental Protection Agency, they were being used as an amplifier in this attack) for their help in tracing this attack to the source. Brandon Ross Network Engineering 404-815-0770 800-719-4664 Director, Network Engineering, MindSpring Ent., Inc. [email protected] Mosher's Law of Software Engineering: Don't worry if it doesn't work right. If everything did, you'd be out of a job.