nanog mailing list archives
Re: SMURF amplifier block list
From: jlixfeld () idirect ca
Date: Sun, 19 Apr 1998 18:56:26 -0400 (EDT)
You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on your cores. Deny ICMP from critical portions of your network. Create a little script which tail -fs the log, parses it, sorts it and counts it. If the script counts more than xxx hits on a certain IP or a certain number of IPs on your network from the same source or multiple sources on the same network, you have your upstream. Once you have them, you can call them and ask them to do the same until you find the real source.

This will not protect against someone smurfing your dialup users and they can do just as much damage as the former, but they are more likely to bitch if they can't ping so it's a toss up.

On Sat, 18 Apr 1998, Dean Anderson wrote:

:At 3:21 PM -0400 4/18/98, Alex P. Rudnev wrote:
:>> During an in progress attack, you probably have to take extreme measures,
:>Do you remember - it's not attack against you or attack by some of your
:>customer's networks used as amplifier, but the attack initiated from your
:>own network. You never note such thing without some permanent
:>measurement.
:>
:>It's why we saw this 100% helpless against the SMURF's.
:
:But to protect your own network, all you need is the access rule I gave.
:You know your own broadcast address and netmask, and can put in a rule to
:block.
:
:You just can't block the presumed broadcast address used by other people's
:networks.
:
:Logging attempted attacks which are blocked can't really be done with a
:cisco. You need something to monitor the line coming in.
:
: --Dean
:
:
:++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
: Plain Aviation, Inc                  dean () av8 com
: LAN/WAN/UNIX/NT/TCPIP/DCE            http://www.av8.com
: We Make IT Fly!                      (617)242-3091 x246
:++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
:
:

--
Regards,

Jason A. Lixfeld                  jlixfeld () idirect ca
iDirect Network Operations        jlixfeld () torontointernetxchange net
---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario   | (416) 236-5806 (T)
M9B-1B5 CANADA               | (416) 236-5804 (F)
---------------------------------------------------------------------
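The log-counting script described in the message above, as an added example that is not part of the original post: it parses ACL deny lines, groups them by source network, and reports the networks that cross a threshold. The Cisco IOS `%SEC-6-IPACCESSLOGDP` line format, the /24 grouping, the threshold values (standing in for the post's "xxx") and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Assumed format: Cisco IOS syslog line produced by an ACL entry ending in "log".
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list \S+ denied icmp "
    r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+) \(\d+/\d+\), (\d+) packets?")

def summarize(lines, prefix_len=24):
    """Group denied ICMP by source network; count packets, sources, targets."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set(), "targets": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ICMP deny record
        src, dst, count = m.group(1), m.group(2), int(m.group(3))
        net = str(ip_network(f"{src}/{prefix_len}", strict=False))
        stats[net]["packets"] += count  # IOS batches repeats as "N packets"
        stats[net]["sources"].add(src)
        stats[net]["targets"].add(dst)
    return stats

def offenders(stats, min_packets=100, min_targets=3):
    """Source networks over either threshold (assumed values), busiest first."""
    hits = [(net, s["packets"], len(s["sources"]), len(s["targets"]))
            for net, s in stats.items()
            if s["packets"] >= min_packets or len(s["targets"]) >= min_targets]
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample lines (documentation address ranges), not real traffic.
P = "Apr 19 18:40:01 core1 77: %SEC-6-IPACCESSLOGDP: list 101 denied icmp "
SAMPLE = [
    P + "198.51.100.7 -> 192.0.2.10 (0/0), 1 packet",
    P + "198.51.100.7 -> 192.0.2.10 (0/0), 85 packets",
    P + "198.51.100.9 -> 192.0.2.10 (0/0), 60 packets",
    P + "203.0.113.5 -> 192.0.2.20 (8/0), 1 packet",
    "Apr 19 18:40:02 core1 78: %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for net, pkts, nsrc, ndst in offenders(summarize(SAMPLE)):
        print(f"{net}: {pkts} packets from {nsrc} sources to {ndst} targets")
```

In a smurf flood the logged sources are the amplifier hosts sending echo replies, so the per-network totals show which networks the traffic is arriving from.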