In article <Pine.BSI.3.93.980412085359.7879a-100000@sidhe.memra.com>, Michael Dillon <michael@memra.com> wrote:
If Karl will supply us the IP address of a non-critical machine in his network then we only need one list maintained. Anyone can then add new networks to Karl's list simply by smurfing his non-critical machine and it will still meet his criteria of a verified attack.
Careful. I could, from a well-connected machine, launch a stream of forged ICMP echo replies from various 199.166.227.x addresses. This would cause it to look like junction.net was the source of a smurf, and cause them to be blocked.

Well, in the case of junction.net, there is no such forgery needed.

~$ host www.memra.com
www.memra.com A 199.166.227.56
~$ ping 199.166.227.255
PING 199.166.227.255 (199.166.227.255): 56 data bytes
64 bytes from 134.87.109.226: icmp_seq=0 ttl=243 time=110.2 ms
64 bytes from 199.166.227.41: icmp_seq=0 ttl=51 time=111.0 ms (DUP!)
64 bytes from 199.166.227.32: icmp_seq=0 ttl=242 time=112.2 ms (DUP!)
64 bytes from 199.166.227.54: icmp_seq=0 ttl=51 time=112.8 ms (DUP!)
64 bytes from 199.166.227.5: icmp_seq=0 ttl=51 time=113.7 ms (DUP!)
64 bytes from 199.166.227.27: icmp_seq=0 ttl=51 time=114.3 ms (DUP!)
64 bytes from 199.166.227.22: icmp_seq=0 ttl=51 time=115.0 ms (DUP!)
64 bytes from 199.166.227.1: icmp_seq=0 ttl=51 time=115.7 ms (DUP!)
64 bytes from 199.166.227.12: icmp_seq=0 ttl=242 time=116.4 ms (DUP!)
64 bytes from 199.166.227.19: icmp_seq=0 ttl=51 time=117.0 ms (DUP!)
64 bytes from 199.166.227.21: icmp_seq=0 ttl=242 time=117.7 ms (DUP!)
64 bytes from 199.166.227.28: icmp_seq=0 ttl=51 time=118.3 ms (DUP!)
64 bytes from 199.166.227.26: icmp_seq=0 ttl=242 time=119.0 ms (DUP!)
--- 199.166.227.255 ping statistics ---
1 packets transmitted, 1 packets received, +12 duplicates, 0% packet loss
round-trip min/avg/max = 110.2/114.8/119.0 ms

-- Shields, CrossLink.
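
Added example, not part of the original post: a Python parser for broadcast-ping output of the kind shown in the message above, for auditing a network you operate. The function name, the sample transcript, and its RFC 5737 documentation addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: one echo request sent to the broadcast address of a
# network the auditor operates (RFC 5737 documentation ranges throughout).
SAMPLE = """\
PING 192.0.2.255 (192.0.2.255): 56 data bytes
64 bytes from 198.51.100.9: icmp_seq=0 ttl=243 time=110.2 ms
64 bytes from 192.0.2.41: icmp_seq=0 ttl=51 time=111.0 ms (DUP!)
64 bytes from 192.0.2.32: icmp_seq=0 ttl=242 time=112.2 ms (DUP!)
64 bytes from 192.0.2.5: icmp_seq=0 ttl=51 time=113.7 ms (DUP!)
--- 192.0.2.255 ping statistics ---
1 packets transmitted, 1 packets received, +3 duplicates, 0% packet loss
"""

REPLY = re.compile(r"^\d+ bytes from ([\d.]+): icmp_seq=(\d+) ttl=(\d+)", re.M)
SENT = re.compile(r"^(\d+) packets transmitted", re.M)


def audit_broadcast_ping(output, network):
    """Summarise replies to a broadcast ping of `network` (hypothetical helper)."""
    net = ipaddress.ip_network(network)
    sent_match = SENT.search(output)
    if sent_match is None or int(sent_match.group(1)) == 0:
        raise ValueError("no usable 'packets transmitted' summary line")
    sent = int(sent_match.group(1))
    inside, outside = set(), set()
    replies = 0
    for addr, _seq, _ttl in REPLY.findall(output):
        replies += 1
        ip = ipaddress.ip_address(addr)
        # A reply sourced outside the pinged prefix is typically a router
        # answering from another of its interfaces.
        (inside if ip in net else outside).add(ip)
    return {
        "requests": sent,
        "replies": replies,
        "amplification": replies / sent,  # replies returned per request sent
        "responders_in_network": sorted(inside),
        "responders_outside_network": sorted(outside),
        "answers_directed_broadcast": replies > sent,
    }


if __name__ == "__main__":
    print(audit_broadcast_ping(SAMPLE, "192.0.2.0/24"))
```

The result is evidence about the network only because the auditor sent the request: echo replies that arrive unsolicited carry an unauthenticated source address, which is the forgery concern raised in the message above.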