On Fri, 12 Jun 1998, Michael Dillon wrote:
On Sat, 13 Jun 1998, Jon Lewis wrote:
I just recorded 4.5mb of a smurf attack directed at one of my servers. Here's a list of the networks used as amplifiers and the number of different hosts responding from each network.
This is not true! According to your list the following networks are *NOT* smurf amplifiers. Please check your data before blacklisting innocent people!!!
When did I blacklist anyone? Jim Flemming _is_ in my .procmailrc...so are you taking over for him?

All I said was "here's a list of the networks used as amplifiers and the number of different hosts responding..." Obviously, any network responding with 1 ip is not terribly effective as an amplifier, but that doesn't alter the fact that the attacker attempted to use them as smurf amps. I should probably have trimmed all nets responding with fewer than 2 IPs since even a cisco with "no ip directed-broadcast" will generally respond with a source ip of the interface on which the echo request arrived. OTOH, these nets might want to consider additional filtering since they probably get abused in this way with some frequency. Every version of smurf.c I've seen has all the amplifier network addresses hardcoded.

BTW...I have a theory for a way to get all or most of the big smurf amp networks fixed real fast...but doing it would probably get me in big trouble.

Also...all the people cc'd on that message had nets with numbers of hosts responding in the dozens or more.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
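
The tally discussed in this thread (distinct responding hosts per source network, with single-responder networks trimmed) can be sketched as follows. This is an added example, not code from the thread or from either poster; the log line format, the /24 grouping, the function names and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: one line per packet seen at the victim, in a
# hypothetical "<timestamp> <src> > <dst>: icmp echo <type>" format.
SAMPLE_CAPTURE = """\
897750001.10 192.0.2.1 > 203.0.113.50: icmp echo reply
897750001.11 192.0.2.17 > 203.0.113.50: icmp echo reply
897750001.12 192.0.2.44 > 203.0.113.50: icmp echo reply
897750001.13 192.0.2.17 > 203.0.113.50: icmp echo reply
897750001.20 198.51.100.1 > 203.0.113.50: icmp echo reply
897750001.21 198.51.100.1 > 203.0.113.50: icmp echo reply
897750001.30 203.0.113.50 > 192.0.2.1: icmp echo request
not a packet line
"""

def responders_by_network(capture, victim, prefix_len=24):
    """Map each source network to the set of distinct hosts that sent
    ICMP echo replies to the victim address."""
    nets = defaultdict(set)
    for line in capture.splitlines():
        fields = line.split()
        # Keep only well-formed echo-reply lines; skip requests and noise.
        if len(fields) < 7 or fields[2] != ">" or fields[-2:] != ["echo", "reply"]:
            continue
        src, dst = fields[1], fields[3].rstrip(":")
        if dst != victim:
            continue
        try:
            # Assumption: group by /24; the thread does not state a prefix length.
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed source address
        nets[net].add(src)
    return nets

def amplifier_report(capture, victim, min_hosts=2, prefix_len=24):
    """Return [(network, distinct_host_count)], largest first, dropping
    networks with fewer than min_hosts responders (a lone responder is
    consistent with a router answering from its own interface)."""
    nets = responders_by_network(capture, victim, prefix_len)
    rows = [(str(n), len(h)) for n, h in nets.items() if len(h) >= min_hosts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for net, count in amplifier_report(SAMPLE_CAPTURE, "203.0.113.50"):
        print(f"{net:20} {count}")
```

Counting distinct source addresses rather than packets keeps a single chatty responder from looking like a large amplifier.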