On Mon, 25 Sep 2000, John Payne wrote:
On Sat, Sep 23, 2000 at 08:19:58PM -0700, Troy Davis wrote:
Netscan.org hasn't created a BGP blackhole announcement out of lack of time and because, at least while some significant sites are on it, we doubt many people would use it. Interestingly, looking at the top smurf-announcing ASNs, an average American backbone could block easily half of them and barely notice.
I've been very quiet on the scanning for smurf amps thing... which is contrary to my nature :-)
However, I would really not like to see a BGP based listing of smurf amps based on results from scanning.
E-mailing network operators who have smurf amps that happen to not have been abused (maybe its a /30 with little bandwidth) smacks of UBE to me... and you shouldn't be listing without notification...
-- John Payne http://www.sackheads.org/jpayne/ john@sackheads.org http://www.sackheads.org/uce/ Fax: +44 870 0547954 To send me mail, use the address in the From: header
John, The problem is that while some operators may not have been aware of their problem, if they are not aware of the problem at-large, they are, IMHO, not worthy of announcing to the global internet at large and as such, we should not be listening to their announcements. If, once they figure out they're being filtered, they decide to take care of their problems, they will be removed from the BGP feed. The SMURF problem is years old. People who don't look for this on their own networks and prevent it before it starts are AS MUCH if not MORE a part of the problem as the script kiddies. So, to sum it up, I disagree. To back this up, if you find a SMURF amplifier on my network, please feel free to add ip as-path access-list WHATEVER deny 13944 to your filters. We check our network constantly and have NEVER been the originator of, or a transit AS for a SMURF attack of _ANY) size. --- John Fraizer EnterZone, Inc