North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical


  • From: NOC
  • Date: Thu Apr 30 16:58:11 1998


The script I wrote isn't really that smart... It just looks for two IP's
within the same /24 that were sending some kind of ICMP packet to the
victim machine.  Since NetFlow logs don't break ICMP down to the type
and codes, I had to unilaterally make that decision.  If your network is
clean, I sincerely apologize for any embarrassment or hassle this may
have caused, and I will remove it from the list.


>-----Original Message-----
>From:	Erik Muller [SMTP:[email protected]]
>Sent:	Thursday, April 30, 1998 12:14 PM
>To:	Martin, Christian
>Subject:	Re: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
>This one's mine... the entire /24 is broken down as /30s, and .255 will 
>respond with nothing more sinister than an ICMP unreachable.  Any details
>on what results you saw that pointed to this network as an offender would 
>be appreciated (since I can't see any danger from it).
>Erik Muller, Network Engineer                         [email protected]
>NETCOM Network Services Support        NETCOM On-Line Communication Services
>On Wed, 29 Apr 1998, Martin, Christian wrote:
>> All,
>> Here is my contribution to the block list.  The script that generated
>> this will follow.  It is 'public domain', in that it can be modified,
>> BUT, please give credit where credit is due!