On Wed, Apr 03, 2002 at 06:22:01PM +0100, Avleen Vig wrote:
> On Wed, 3 Apr 2002, batz wrote:
> > Personally, I would like to see a mixture of the MAPS RBL and aris.securityfocus.com available, where emerging hostile netblocks can be blackholed for short periods of time using attack information gathered from and corroborated by a vast array of diverse sources.
> Have a look at SAFE (url in sig). We detect smurf amplifiers and I'm currently looking at ways to export data to companies regarding large smurf amplifiers (>x250 amplification) who refuse to close after X number of warnings.
> I expect it will run on a free, but subscribed + authenticated basis (i.e., a company subscribes and gives the IPs of their DNS servers and those servers are authorized to do lookups, but script kiddies cannot).
Many a year ago I ran a "scan and bitch" service for smurf amps (afaik it was the first, predated netscan.org and powertech.no). Measuring raw packet multiplications is really a terribly incorrect method to measure the "badness" of a smurf amplifier. People routinely have T1s replying 50,000 times, and other such junk. You might be better off going back through all the broadcasts you got positive hits from, and try sending bigger packets and measuring actual received bandwidth. You'll find that multiplication has almost no bearing on predicting the bandwidth of an attack.

As for your service listing them... Smurfs aren't spam, so I'm not sure what you plan to accomplish by making the data available via DNS; it would really only be useful as a BGP feed. Even then, its usefulness is limited. I suppose you could null route traffic to specific broadcast addresses to prevent people originating smurfs from your network with minimal impact on legit services, or if you are a big transit provider with balls you could apply it to all your customers.

There is no protocol (disclaimer: that I'm aware of) for distributing IP lists that could be filtered by source address, let alone other more intelligent things like distributing firewall rulesets so you could pick off only the echo replies, BUT MAYBE THERE SHOULD BE. <-- HINT!

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
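The measurement point Richard makes above (reply count is a poor proxy for the bandwidth an amplifier can actually deliver, so probe with bigger packets and measure received bandwidth) can be made concrete with a small script. This is an added example, not code from anyone in this thread or from the SAFE project: the amplifier networks, their link speeds, the RFC 5737 broadcast addresses and the reply records are all constructed, and `simulate_replies` is a stand-in for what you would otherwise read out of a packet capture of the echo replies.

```python
"""Added example (not from the thread): ranking smurf amplifiers by measured
reply bandwidth instead of raw packet multiplication.  Every host count,
link speed, address and reply record below is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List

BITS_PER_BYTE = 8


@dataclass
class Reply:
    arrival: float   # seconds after the probe was sent
    size: int        # bytes on the wire


@dataclass
class ProbeResult:
    target: str          # broadcast address that was probed (constructed)
    probe_size: int      # bytes of the ICMP echo request that was sent
    replies: List[Reply]


def simulate_replies(n_hosts: int, link_bps: float, reply_size: int,
                     base_rtt: float = 0.020) -> List[Reply]:
    """Constructed model of an amplifier network: every host behind the
    broadcast answers once and the replies leave the network serialized
    over a single upstream link of link_bps.  Real data would come from
    timestamping the echo replies in a packet capture."""
    per_reply = reply_size * BITS_PER_BYTE / link_bps
    return [Reply(base_rtt + i * per_reply, reply_size) for i in range(n_hosts)]


def multiplication(r: ProbeResult) -> int:
    """The 'raw packet multiplication' figure: replies seen per probe."""
    return len(r.replies)


def received_bandwidth_bps(r: ProbeResult) -> float:
    """Bits received divided by the spread of reply arrival times.  With
    enough replies this converges on the amplifier's upstream capacity,
    which is the most an attack bounced off it can deliver."""
    if len(r.replies) < 2:
        return 0.0  # a single reply gives no rate estimate
    total_bits = sum(x.size for x in r.replies) * BITS_PER_BYTE
    arrivals = [x.arrival for x in r.replies]
    return total_bits / (max(arrivals) - min(arrivals))


def rank(results: List[ProbeResult],
         metric: Callable[[ProbeResult], float]) -> List[str]:
    """Targets ordered from worst to least bad under the given metric."""
    return [r.target for r in sorted(results, key=metric, reverse=True)]


def constructed_results() -> List[ProbeResult]:
    """Two constructed amplifiers, both probed with a large (1472-byte)
    echo request so the replies are full 1500-byte frames."""
    return [
        # 50,000 hosts answering a broadcast, but the whole site sits on a T1
        ProbeResult("192.0.2.255", 1472, simulate_replies(50_000, 1.544e6, 1500)),
        # only 250 hosts, but behind a 100 Mbit/s link
        ProbeResult("198.51.100.255", 1472, simulate_replies(250, 100e6, 1500)),
    ]


if __name__ == "__main__":
    results = constructed_results()
    for r in results:
        print(f"{r.target}: x{multiplication(r)} replies, "
              f"{received_bandwidth_bps(r) / 1e6:.2f} Mbit/s received")
    print("worst by multiplication:", rank(results, multiplication))
    print("worst by bandwidth:     ", rank(results, received_bandwidth_bps))
```

The two rankings disagree: the T1 site wins on multiplication by two hundred to one, yet the 250-host network delivers roughly sixty times the bandwidth, which is the number a victim cares about. Against a real capture, feed `received_bandwidth_bps` the timestamped replies to the largest probe that came back unfragmented, and treat the result as the amplifier's attack ceiling rather than the reply count.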