On Sat, Apr 11, 1998 at 02:31:22PM -0700, Sean M. Doran wrote:
| Posting it here weekly only provides a mechanism for the littele fsckers | that smurf to gain an up to date list of sites to bounce from.
And consequently increases the liklihood that more networks will refuse traffic to or from these networks, which in turn increases the pressure on these sites to wonder what is happening to their connectivity and how to repair it. Which may just solve the problem.
This is a monumental admission: I think Karl is doing the right thing.
Sean.
Correct. Note that the way you GET ON THIS LIST is to have BEEN a smurf amplifier. That is, not a "suspected" one, not one we probed, but a PROVEN source of a smurf amplification. And guess how I know that? I'll tell you - one or more of our customer or internal machines was rendered useless until I identified and blocked EACH of the networks on the list. That is, all of these are PROVEN guilty, not suspected guilty. This also means that any claim that I'm "helping the bad guys" is baloney - the bad guys, by definition, ALREADY USED THESE NETWORKS to hit us or one of our customers - that's how they got on the list in the first place! The only effective means I have to stop this is to start refusing transit to packets with a source address in the amplifier network(s). Our core circuits can handle even a dedicated smurfer - there are few who can hit us with enough punch to melt our core circuits (multiple DS3s are like that). Our customers, most of whom are on T1s, aren't so lucky - they can be rendered disconnected quite easily, as can an internal machine on a 10Mbps switched port. Blocking these at ingress to our core is enough; not only do we stay operational with minimal impact, but the intended target suffers no ill effects - and as a consequence, the people doing this move on to more "juicy" targets where they can actually cause some damage. If any significant number of providers start blocking these networks, the people who own them will have to fix the configuration problems if they want to continue to be able to talk to the Internet as a whole. THAT is the intent of the blacklisting around here. Our NOC crew has been instructed that any complaint from these address ranges is to be referred directly to me, and that the standard answer is "you're a smurf amplifier and while Karl will talk to you, if you're calling for any purpose other than to tell us that you've fixed it you're wasting your dimes". -- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV | NEW! Corporate ISDN Prices dropped by up to 50%! Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost