Or, call Cisco.. press 1 and tell them you are being smurfed. They will
work with specialists and authorities to track down the attacker and rest
assured, they will be dealt with. One thing I like about Cisco, is they
don't fsck around!! They get right down to business.

On Sun, 12 Apr 1998, Alex P. Rudnev wrote:

:Sorry, you don't understand.
:
:The worst thing in the smurf attack is not the attack itself (small IP
:flood, what's it? now the hackers have not really big amplifiers at their
:lists), but the fact the attacker originated source is faded usually. The
:best way to find the source of such attack is to trace echo-request
:packets directed to one or more smurf-amplified networks.
:
:If some (even some) network announce _we keep on-line list of
:smurf-amplified address and control all attempts to send packets to this
:networks_, do you suppose hackers would work through this network? Any
:attempt to send smurf causes them to be discovered and disconnected; even
:if it's only announcement, not real control, it's enough to prevent a lot
:of hackers from the such attempts.
:
:The only way to fight against any kind of such attacks is to be sure any
:intruder should be fixed and disconnected in a few minutes. If I proclaim
:(anyone who attempt to break CITYLINE.RU ISP here should be killed by the
:gang of big and gloomy boys) do you think anyone in Moscow attempts to
:break CITYLINE? Even if he doesn't believe this announcement - but 10%
:for this to be true is enough for hacker to be stopped.
:
:Just this case. While we are not seeing every day _XXX was caught and
:disconnected due to attempt to run SMURF_ you can find any new ways to
:defend yourself - no matter, they discover new ways to attack you. If
:they think they can be caught - it's enough.
:
:Remember, these intruders use small ISP as their service providers, not
:huge MCI or SPRINT.
:
:And you even don't need the full list of such amplified addresses to open
:some kind of monitoring against the smurfers.
:
:Btw, if someone cry here _I am smurfed from XX.XX.XX.XX address, what
:should you do to help him? I guess you should check (by IP accounting if
:you have it; by NetFlow accounting if you have it; or close you boredom
:and go home if you have not any) _are you sure the echo-request
:packets to this broadcast addresses are not originated from YOUR customer_.
:
:
:
:>
:> > May be, someone will maintain such lists? First, it allow to fix smurf
:> > source by 'log' option in the CISCO list; second, it'll prefere some
:> > attacks.
:>
:> If Karl will supply us the IP address of a non-critical machine in his
:> network then we only need one list maintained. Anyone can then add new
:> networks to Karl's list simply by smurfing his non-critical machine and it
:> will still meet his criteria of a verified attack.
:>
:> --
:> Michael Dillon - Internet & ISP Consulting
:> http://www.memra.com - E-mail: michael@memra.com
:>
:>
:>
:
:Aleksei Roudnev, Network Operations Center, Relcom, Moscow
:(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
:(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
:

--
Regards,

Jason A. Lixfeld                         jlixfeld@idirect.ca
System Administrator [L5]                jlixfeld@torontointernetxchange.net
---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario   | (416) 236-5806 (T)
M9B-1B5 CANADA               | (416) 236-5804 (F)
---------------------------------------------------------------------
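
The NetFlow check described in the quoted message (are echo-requests to listed amplifier broadcast addresses coming in from your own customer?), as an added example that is not part of the original thread. The amplifier list, interface names, customer prefixes, flow records and the flow tuple layout are all constructed assumptions; the only protocol detail relied on is that NetFlow v5 carries ICMP type*256+code in the destination-port field.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation/benchmark ranges), not from the thread.
AMPLIFIER_BROADCASTS = {"198.51.100.255", "203.0.113.255"}
CUSTOMER_PREFIXES = {  # hypothetical ingress interface -> prefix assigned to that customer
    "Serial0/1": ipaddress.ip_network("192.0.2.0/26"),
    "Serial0/2": ipaddress.ip_network("192.0.2.64/26"),
}
# (ingress_if, src, dst, proto, dst_port, packets)
FLOWS = [
    ("Serial0/1", "192.0.2.10", "198.51.100.255", 1, 2048, 3),      # customer's own address
    ("Serial0/2", "198.18.5.5", "198.51.100.255", 1, 2048, 90000),  # source outside prefix
    ("Serial0/2", "198.18.5.5", "203.0.113.255", 1, 2048, 85000),
    ("Serial0/2", "192.0.2.70", "203.0.113.9", 1, 2048, 4),         # ordinary ping
    ("Serial0/1", "192.0.2.11", "203.0.113.255", 17, 2048, 50),     # UDP, not ICMP
]

ICMP = 1
ECHO_REQUEST = 8 * 256  # ICMP type 8, code 0 as stored in the NetFlow v5 port field


def smurf_sources(flows, amplifiers, customers):
    """Summarise echo-requests to listed broadcast addresses, per customer port."""
    report = defaultdict(lambda: {"packets": 0, "spoofed_packets": 0, "victims": set()})
    for in_if, src, dst, proto, dport, pkts in flows:
        if proto != ICMP or dport != ECHO_REQUEST or dst not in amplifiers:
            continue
        if in_if not in customers:
            continue  # not a customer-facing port, nothing to attribute here
        entry = report[in_if]
        entry["packets"] += pkts
        # A source outside the customer's prefix is forged; in a smurf it is
        # the address the amplified replies will be sent to.
        if ipaddress.ip_address(src) not in customers[in_if]:
            entry["spoofed_packets"] += pkts
            entry["victims"].add(src)
    return dict(report)


if __name__ == "__main__":
    result = smurf_sources(FLOWS, AMPLIFIER_BROADCASTS, CUSTOMER_PREFIXES)
    for port in sorted(result):
        e = result[port]
        print(port, e["packets"], e["spoofed_packets"], sorted(e["victims"]))
```

The ingress interface, not the source address, is what identifies the originating customer, since the source field is forged.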