North American Network Operators Group

Re: identify hostname

  • From: Pete Kruckenberg
  • Date: Wed Dec 02 14:15:04 1998

> I do have an access list deny for incoming destinations to *.*.*.255
> since I do know that the only customer we have with larger than a /24
> from us (via cw.net) also happens to have nothing larger than /26 in
> their network.  AFAIK, today, smurfers are only using *.*.*.255.  They
> would have to track a lot more information to use others, so for now I
> can generally expect that deny to prevent us from being an amplifier. 

It's not difficult to find subnet broadcast addresses, since few routers
(if they even support it) are configured to filter ICMP replies. If there
isn't already software out there, it will take all of a few hours to add
broadcast-finding code to the smurfing software in existence.

I find the parallel between Internet attacks and terrorist activities very
interesting. Though they are obviously not related as far as humanitarian
issues go, they both require so much effort to track and prevent one
wonders if it's even possible. When you consider that a single 28.8k (or
even 2.4k, I guess) dial-up connection can cripple whole organizations,
and the only defense is to get every router to filter or at least block
directed broadcasts, it's very frustrating. 

Similar to the scenario that a single person with a few small devices or
an aerosol can can maim or kill tens or hundreds of people. The most
frustrating difference is that I suspect that most terrorists have some
concept of what they're doing and how it impacts their victims; I suspect
that many of the people who smurf or mail bomb or ping-flood or crack a
system have little understanding of the real impact of their actions (this
based on the number of times I've seen someone hack a Unix machine and get
root access, then not know what to do and leave tracks all over the
place--best when they use a Linux cracker kit to break into a BSDI
machine, and then they don't know how to proceed). 

Obviously a lot of these issues could be resolved if ISP/NSP's installed
address-verification filters in the core and at the edges of their
networks, but that translates into more load for already-loaded routers,
and who's going to do that. And again, the scaling and management issues,
not to mention the fact that many organizations may not have a capable
router or the expertise to do this.

And as long as it's someone else, it's just news and never would happen to
you anyways... 

Pete.
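
An added illustration, not part of the message above: a short Python audit of the quoted `*.*.*.255` deny rule against a given subnetting plan. It lists the directed-broadcast addresses the rule leaves unfiltered, and the ordinary host addresses it would drop when a subnet is larger than a /24. The 10.10.0.0 prefixes and all function names are constructed for the example.

```python
import ipaddress

def acl_255_denies(addr):
    """Model of the quoted filter: deny any destination whose last octet is 255."""
    return int(addr) & 0xFF == 0xFF

def audit(prefix, subnet_len):
    """Return (blocked, missed): the directed-broadcast addresses of every
    /subnet_len inside prefix, split by whether the *.255 rule catches them."""
    blocked, missed = [], []
    for sub in ipaddress.ip_network(prefix).subnets(new_prefix=subnet_len):
        bcast = sub.broadcast_address
        (blocked if acl_255_denies(bcast) else missed).append(bcast)
    return blocked, missed

def hosts_hit_by_acl(prefix, subnet_len):
    """Return host (non-broadcast) addresses ending in .255 that the rule
    would drop. Only subnets larger than a /24 contain any."""
    hit = []
    for sub in ipaddress.ip_network(prefix).subnets(new_prefix=subnet_len):
        first = int(sub.network_address) | 0xFF   # first x.x.x.255 in the subnet
        last = int(sub.broadcast_address)         # the real broadcast, excluded
        hit.extend(ipaddress.ip_address(a) for a in range(first, last, 256))
    return hit

if __name__ == "__main__":
    # Constructed sample plans: a /24 cut into /26s, and a /22 cut into /23s.
    for prefix, length in (("10.10.0.0/24", 26), ("10.10.0.0/22", 23)):
        blocked, missed = audit(prefix, length)
        print(f"{prefix} as /{length}s")
        print("  broadcasts denied :", ", ".join(map(str, blocked)) or "none")
        print("  broadcasts missed :", ", ".join(map(str, missed)) or "none")
        hosts = hosts_hit_by_acl(prefix, length)
        print("  hosts denied      :", ", ".join(map(str, hosts)) or "none")
```

Any address reported as missed is a directed broadcast that still has to be blocked on the router facing that subnet, which is the per-router work the message describes.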