North American Network Operators Group

Re: identify hostname

To add to this, it's very simple to identify smurf amplifiers. All you need to do is sequentially ping possible broadcast addresses within a netblock. If you wrote a threaded application, you could probably have a complete list in a day or two on a modem connection.

If you think of how many of these fools have a colo box on someone's network, you'd realize that it would be fairly easy to compile such a list once a month, without anyone noticing the traffic (assume 16 hosts/sec, 3 pings per second @ 56 bytes, plus 8 bytes of ICMP header = 3072 bytes/sec)... There are very few providers who are set up to track ICMP traffic density, and 3k of traffic per second is not going to create a noticeable bump on a 45-155 meg interface. The occasional amplifier that is hit will only create increased traffic for the 3 pings received, which would easily be logged, but would be too short to even produce a spike on most traffic graphs, or trigger a traffic alarm.

Just my $.02.

-Taz

-- Jonathan "Taz" Mischo -- Network Slave -- [email protected]
Mindspring Enterprises, Inc.
1430 W. Peachtree St. Suite 400
Atlanta, GA 30309
1.800.719.4664 x2705
404.287.0770 x2705
fax: 404.287.0885
pager: [email protected]
M-F 2-10p ET

On Thu, 3 Dec 1998, Brandon Ross wrote:

> On Wed, 2 Dec 1998, Phil Howard wrote:
>
> > AFAIK, today, smurfers are only using *.*.*.255. They would have to
> > track a lot more information to use others, so for now I can generally
> > expect that deny to prevent us from being an amplifier.
>
> I'm afraid that in my experience, that's not true at all. I've seen smurf
> attacks bounced off of networks as small as /30's and all the way up to
> one network that was a /22, as well as everything in between, and I'm not
> just talking about the last /30 in a /24 either.
>
> Brandon Ross Network Engineering 404-815-0770 800-719-4664
> Director, Network Engineering, MindSpring Ent., Inc. [email protected]
> ICQ: 2269442
>
> Stop Smurf attacks! Configure your router interfaces to block directed
> broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
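An added example, not part of the original thread: an operator-side audit of the point argued in the quoted exchange, namely that a deny on *.*.*.255 does not cover the directed-broadcast addresses of subnets such as /30s, and that echo requests to those addresses can be picked out of flow data. The subnet list, the flow records and the function names are constructed for illustration and use documentation and private address ranges.

```python
import ipaddress

# Constructed sample data: subnets as configured on one router's interfaces
# (documentation/private ranges, not taken from the thread).
SUBNETS = ["192.0.2.0/24", "198.51.100.4/30", "198.51.100.64/26", "10.20.4.0/22"]

# Constructed flow records: (source, destination, protocol, ICMP type)
FLOWS = [
    ("203.0.113.9", "198.51.100.7", "icmp", 8),      # echo to the /30 broadcast
    ("203.0.113.9", "192.0.2.255", "icmp", 8),       # echo to the /24 broadcast
    ("203.0.113.9", "10.20.5.255", "icmp", 8),       # ordinary host inside the /22
    ("203.0.113.9", "10.20.7.255", "icmp", 8),       # the /22's actual broadcast
    ("203.0.113.9", "198.51.100.127", "tcp", None),  # not ICMP, ignored
]


def directed_broadcasts(subnets):
    """Map each directed-broadcast address to the subnet it belongs to."""
    out = {}
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        if net.prefixlen <= 30:  # /31 and /32 have no broadcast address
            out[net.broadcast_address] = net
    return out


def missed_by_dot255_rule(subnets):
    """Broadcast addresses that a 'deny *.*.*.255' filter does not match."""
    return [str(a) for a in sorted(directed_broadcasts(subnets))
            if int(a) & 0xFF != 255]


def flag_broadcast_echo(flows, subnets):
    """Return flows that are ICMP echo requests sent to a directed broadcast."""
    bcast = directed_broadcasts(subnets)
    hits = []
    for src, dst, proto, icmp_type in flows:
        addr = ipaddress.ip_address(dst)
        if proto == "icmp" and icmp_type == 8 and addr in bcast:
            hits.append((src, dst, str(bcast[addr])))
    return hits


if __name__ == "__main__":
    print("not covered by *.*.*.255:", missed_by_dot255_rule(SUBNETS))
    print("echo to directed broadcast:", flag_broadcast_echo(FLOWS, SUBNETS))
```

The 10.20.5.255 record shows the other side of the same mismatch: inside a /22 that address is an ordinary host, so matching on the last octet both misses real broadcasts and catches legitimate traffic.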