Re: SMURF amplifier block list

[Pete Ashdown <pashdown () xmission com>]

jlixfeld () idirect ca said once upon a time:
> You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on
> your cores.  Deny ICMP from critical portions of your network.  Create a
> little script which tail -fs the log, parses it, sorts it and counts it.
> If the script counts more then xxx hits on a certain IP or a certain
> number of IPs on your network from the same source or a multiple sources
> on the same network, you have your upstream.  Once you have them, you can
> call them and ask them to do the same until you find the real source.

You might want to stick in an "echo-reply" before the log.  This will
specifically block the smurf, but won't affect any of the other ICMP which
does have a useful purpose.  This of course will stop any of the blocked
addresses from doing outside pings or traceroutes as well.