RE: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!

[NOC <NOC () mercury balink com>]

Erik,

The script I wrote isn't really that smart... It just looks for two IP's
within the same /24 that were sending some kind of ICMP packet to the
victim machine.  Since NetFlow logs don't break ICMP down to the type
and codes, I had to unilaterally make that decision.  If your network is
clean, I sincerely apologize for any embarrassment or hassle this may
have caused, and I will remove it from the list.

Regards,
Christian

> -----Original Message-----
> From:  Erik Muller [SMTP:nc0773 () corp netcom com]
> Sent:  Thursday, April 30, 1998 12:14 PM
> To:    Martin, Christian
> Subject:       Re: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
>
>
> > 163.179.230.0
>
> This one's mine... the entire /24 is broken down as /30s, and .255 will 
> respond with nothing more sinister than an ICMP unreachable.  Any details
> on what results you saw that pointed to this network as an offender would 
> be appreciated (since I can't see any danger from it).
>
> ----------------------------------------------------------------------------
> Erik Muller, Network Engineer                         emuller () noc netcom net
> NETCOM Network Services Support        NETCOM On-Line Communication Services
>
>
> On Wed, 29 Apr 1998, Martin, Christian wrote:
>
> > All,
> >
> > Here is my contribution to the block list.  The script that generated
> > this will follow.  It is 'public domain', in that it can be modified,
> > BUT, please give credit where credit is due!