On Sun, Apr 12, 1998 at 01:20:02AM -0400, Jon Lewis wrote:
> On Sun, 12 Apr 1998, Karl Denninger wrote:
> > And you think they don't already HAVE the list?
> > Where do you think WE got it from? From people smurfing us!
> > The vandals ALREADY HAVE the list. I know this because we were attacked
>
> But posting the list of blackholed sites publicly gives the attackers a list of sites not to bother trying to use...so they keep coming out with new&improved versions of smurf using networks that actually work.
The goal is to make the number of possible sources ZERO. If ISPs around the world refuse to forward directed broadcasts, it WILL be zero. If a provider loses connectivity to significant parts of the network, they'll fix their fscking routers.

I'll note that one of the worst offenders right now, and the biggest sources, is APNIC's netblocks. There are huge, multi-T3-connected, smurf amplifiers on some of those network numbers. You'll find that in 203.64 there are multiple high-bandwidth sources with ENABLED directed broadcasts.

Guess what? That entire /16 can't talk to us any more.

I've tried talking to APNIC with no response. I've emailed every contact I can think of - nothing. Now I've told them to fsck off. They can either fix the damn thing or they can stuff connectivity to us up their behinds.

I did this to huge parts of UUNET's infrastructure a few months ago. It *DID* get their attention, and smartly. At one time, not long back, their entire New York POP was one huge smurf amplifier of the worst kind - multiple MAX TNTs on 100BaseTX, all with directed broadcasts possible into their NICs. Ouch. We saw *sustained* loads in excess of 100Mbps coming from there.

I blocked a /16, and two days later their CUSTOMERS started calling us asking why they couldn't talk to us any more. We told them why. Less than a week later it magically "fixed itself", although UUNET denied that they changed anything or that it was ever broken. Yeah, right. At least the problem got solved.

Bluntly, I've had enough and so have my customers. Our IRC server is the recipient of daily attacks. Our *customers'* DS1s are getting hit as well. While I can fix the IRC server problem by putting it on a Switched 100BaseTX port, that's not really a fix -- that's just making the firehose big enough that the jerks can't fill it.

No more Mr. Nice Guy. I don't like getting paged at 3:00 AM because some two-bit punk got Klined off our IRC server for running clonebots and decided to smurf us in retaliation.
My fix is to render all connectivity to and from the offending netblocks VOID until the owners fix their routers. These folks, by the way, are NOT clueless - they are DELIBERATELY ignoring the problem.

The folks who can source significant smurfs today are NOT Joe's T1 and Grill. They are NATIONAL and INTERNATIONAL ISPs who damn well ought to know how to prevent this and why they should. The guy with a T1 can't hit us hard enough to even show up on our monitors. To make my blacklist you have to hit me with enough bandwidth that we *see* the problem, and that means you're at least mid-fractional-DS3 connected.

If they're permitting this kind of behavior to take place *IT IS THEIR FAULT*, and has to be due to either deliberate lack of action or gross negligence.

I'll KEEP adding netblocks to that access group as required, and keep posting the list. And I won't remove a single network from there until I've VERIFIED that they can no longer be used for this kind of vandalism.

--
Karl Denninger (karl@MCS.Net)  | MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/            | T1's from $600 monthly / All Lines K56Flex/DOV
                               | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]  | EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]       | *SPAMBLOCK* Technology now included at no cost
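The victim-side measurement Karl describes (which source netblocks hit hard enough to show up on the monitors), as an added example that is not part of this thread: it groups ICMP echo replies aimed at one victim address by source /24 over constructed flow records and flags subnets where many distinct hosts together exceed a bandwidth threshold, which is the signature of a directed-broadcast amplifier rather than a single host. The record format, the one-second window, the thresholds and the documentation-range addresses are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic): "src dst proto icmp_type bytes",
# all assumed to fall in one 1-second window. 198.51.100.0/24 plays the
# amplifier subnet and 192.0.2.10 the victim; both are documentation ranges,
# not the netblocks named in the thread.
SAMPLE_FLOWS = """\
198.51.100.5 192.0.2.10 icmp 0 1500000
198.51.100.6 192.0.2.10 icmp 0 1500000
198.51.100.7 192.0.2.10 icmp 0 1500000
198.51.100.8 192.0.2.10 icmp 0 1500000
198.51.100.9 192.0.2.10 icmp 0 1500000
198.51.100.10 192.0.2.10 icmp 0 1500000
198.51.100.11 192.0.2.10 icmp 0 1500000
198.51.100.12 192.0.2.10 icmp 0 1500000
198.51.100.13 192.0.2.10 icmp 0 1500000
203.0.113.4 192.0.2.10 icmp 0 2000
203.0.113.9 192.0.2.10 tcp - 50000
"""


def parse_flows(text):
    """Parse the assumed whitespace-separated record format into dicts."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, itype, nbytes = line.split()
        flows.append({"src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "proto": proto, "icmp_type": itype, "bytes": int(nbytes)})
    return flows


def amplifier_candidates(flows, victim, window_s=1.0, min_hosts=8, min_mbps=10.0):
    """Return (subnet, distinct_hosts, mbps) for every source /24 whose ICMP
    echo replies (type 0) toward `victim` come from at least `min_hosts`
    different addresses and together exceed `min_mbps` over the window.
    One busy host in a /24 is not an amplifier; many replying at once is."""
    victim = ipaddress.ip_address(victim)
    per_net = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for f in flows:
        if f["dst"] != victim or f["proto"] != "icmp" or f["icmp_type"] != "0":
            continue
        net = ipaddress.ip_network(f"{f['src']}/24", strict=False)
        per_net[net]["hosts"].add(f["src"])
        per_net[net]["bytes"] += f["bytes"]
    hits = []
    for net, s in per_net.items():
        mbps = s["bytes"] * 8 / window_s / 1e6
        if len(s["hosts"]) >= min_hosts and mbps >= min_mbps:
            hits.append((str(net), len(s["hosts"]), round(mbps, 1)))
    return sorted(hits)
```

With the constructed records the amplifier subnet shows nine distinct replying hosts at 108 Mbps toward the victim, while the /24 with a single low-volume reply stays below both thresholds.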