By looking at netflow stats or ip accounting I can usually find the host being attacked by sorting the list by destination. The source will point to hosts on a net being used as a smurf packet replicator, giving a hint who might need to be contacted to shut off directed broadcasts. Netflow stats even show it as being ICMP ECHO traffic if you look at the numeric codes in the flow export. Once you know who is being attacked, you can call your upstream providers or peers and have it traced, but if you want the traffic stopped and the attack is flooding your pipe, about all you can do is stop the traffic from getting to you, so if you are BGP peering with your neighbors, withdraw the network announcement for the victim and the rest of your customers can continue to get their traffic. This doesn't help trace in, although given how older cisco IOS code reacts to tossing out unroutable packets, the intermediate hosts may find they have a problem when their router CPU use hits 100%.

I too would rather have a good quick way to nail the people initiating this sort of attack. However I have also found that my customers who are victims are seldom random and are usually doing something to attract the attack, like running IRC bots or running a sendmail capable of being a SPAM relay. However I don't approve of vigilantism. This stuff can be taken care of in other ways.

On Thu, 26 Mar 1998, Phil Howard wrote:
> > You could just withdraw your BGP announcement for the net being attacked
> > and suddenly the attack packets will die at the first router without a
> > default route on their way to the victim.
>
> ...along with everything else. Do you have some way of determining which
> router that is?
> -- 
> Phil Howard
-- 
Dan Boehlke, Senior Network Engineer
MRNet, A MEANS Telcom Company
Internet: dboehlke@mr.net
Phone: 612-362-5814
WWW: http://www.mr.net/~dboehlke/
2829 SE University Ave. Suite 200, Minneapolis, MN 55414
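The triage Dan describes (sort flow records by destination to find the victim, group the sources of the echo replies by network to find the replicators, and confirm it is ICMP echo traffic from the numeric type/code in the export) is shown below as an added example; it is not code from the original post or from MRNet. It assumes NetFlow v5-style records already parsed into dicts, and relies on the v5 convention that for protocol 1 (ICMP) the destination-port field carries type*256 + code. The flow records are constructed sample data.

```python
"""Triage a smurf-style ICMP flood from NetFlow v5-style flow records.

Added example (not from the mailing-list post). Assumes flow records are
dicts with the v5 field names used below; for prot == 1 (ICMP), NetFlow v5
stores ICMP type*256 + code in the dstport field, so echo reply is 0 and
echo request is 2048. All records below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_network

ICMP, TCP = 1, 6
ECHO_REPLY = (0, 0)     # ICMP type 0, code 0: what smurf replicators send
ECHO_REQUEST = (8, 0)   # ICMP type 8, code 0: the spoofed trigger packet


def flow(srcaddr, dstaddr, prot, dstport, doctets):
    """One flow record with just the NetFlow v5 fields this triage needs."""
    return {"srcaddr": srcaddr, "dstaddr": dstaddr, "prot": prot,
            "dstport": dstport, "dOctets": doctets}


VICTIM = "192.0.2.10"  # constructed victim address
SAMPLE_FLOWS = [
    # Replicator net 1: many hosts in 198.51.100.0/24 answering a directed broadcast
    flow("198.51.100.5",  VICTIM, ICMP, 0, 600_000),
    flow("198.51.100.17", VICTIM, ICMP, 0, 600_000),
    flow("198.51.100.23", VICTIM, ICMP, 0, 600_000),
    flow("198.51.100.40", VICTIM, ICMP, 0, 600_000),
    # Replicator net 2
    flow("203.0.113.8",  VICTIM, ICMP, 0, 500_000),
    flow("203.0.113.9",  VICTIM, ICMP, 0, 500_000),
    flow("203.0.113.77", VICTIM, ICMP, 0, 500_000),
    # Replicator net 3
    flow("172.16.5.2", VICTIM, ICMP, 0, 400_000),
    flow("172.16.5.3", VICTIM, ICMP, 0, 400_000),
    # The spoofed echo request (victim as source) transiting toward a broadcast address
    flow(VICTIM, "198.51.100.255", ICMP, 8 * 256, 64),
    # Ordinary background traffic that must not be mistaken for the attack
    flow("192.0.2.200", VICTIM, TCP, 80, 50_000),
    flow("203.0.113.50", "192.0.2.11", TCP, 443, 900_000),
]


def icmp_type_code(record):
    """Decode (type, code) from the v5 dstport field; None for non-ICMP flows."""
    if record["prot"] != ICMP:
        return None
    return divmod(record["dstport"], 256)


def bytes_by_destination(flows):
    """Total octets per destination, largest first: the 'sort by destination' step."""
    totals = defaultdict(int)
    for r in flows:
        totals[r["dstaddr"]] += r["dOctets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def likely_victim(flows):
    """The destination receiving the most bytes in the export window."""
    return bytes_by_destination(flows)[0][0]


def echo_reply_share(flows, victim):
    """Fraction of bytes to the victim that are ICMP echo replies (near 1.0 for smurf)."""
    total = reply = 0
    for r in flows:
        if r["dstaddr"] != victim:
            continue
        total += r["dOctets"]
        if icmp_type_code(r) == ECHO_REPLY:
            reply += r["dOctets"]
    return reply / total if total else 0.0


def replicator_networks(flows, victim, prefixlen=24):
    """Echo-reply bytes to the victim grouped by source prefix, largest first.

    These are the networks whose admins need to be asked to disable
    directed broadcasts. The /24 grouping is an assumption for the example.
    """
    nets = defaultdict(int)
    for r in flows:
        if r["dstaddr"] == victim and icmp_type_code(r) == ECHO_REPLY:
            net = ip_network(f"{r['srcaddr']}/{prefixlen}", strict=False)
            nets[str(net)] += r["dOctets"]
    return sorted(nets.items(), key=lambda kv: kv[1], reverse=True)


def triage(flows):
    """Run the whole triage and return the facts needed for the upstream call."""
    victim = likely_victim(flows)
    return {"victim": victim,
            "echo_reply_share": echo_reply_share(flows, victim),
            "replicator_networks": replicator_networks(flows, victim)}


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    print(f"victim: {result['victim']}  "
          f"echo-reply share: {result['echo_reply_share']:.1%}")
    for net, octets in result["replicator_networks"]:
        print(f"  replicator net {net}: {octets} bytes")
```

With the constructed records the victim comes out on top of the destination sort, about 99% of its inbound bytes decode as ICMP type 0, and the three source prefixes are ranked by how much reply traffic each contributed, which is the order in which you would want to contact them. Real exports would be read from a collector rather than built inline, but the aggregation is the same.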