To add to this, it's very simple to identify smurf amplifiers. All you need to do is sequentially ping possible broadcast addresses within a netblock. If you wrote a threaded application, you could probably have a complete list in a day or two on a modem connection.

If you think of how many of these fools have a colo box on someone's network, you'd realize that it would be fairly easy to compile such a list once a month, without anyone noticing the traffic (assume 16 hosts/sec, 3 pings per second @ 56 bytes, plus 8 bytes of ICMP header = 3072 bytes/sec)...there are very few providers who are set up to track ICMP traffic density, and 3k of traffic per second is not going to create a noticeable bump on a 45-155 meg interface.

The occasional amplifier that is hit will only create increased traffic for the 3 pings received, which would easily be logged, but would be too short to even produce a spike on most traffic graphs, or trigger a traffic alarm.

Just my $.02.

-Taz

--
Jonathan "Taz" Mischo -- Network Slave -- supertaz@mindspring.net
Mindspring Enterprises, Inc.
1430 W. Peachtree St. Suite 400 Atlanta, GA 30309
1.800.719.4664 x2705 404.287.0770 x2705 fax: 404.287.0885
pager: pagetaz@netops.mindspring.net M-F2-10pET

On Thu, 3 Dec 1998, Brandon Ross wrote:
On Wed, 2 Dec 1998, Phil Howard wrote:
AFAIK, today, smurfers are only using *.*.*.255. They would have to track a lot more information to use others, so for now I can generally expect that deny to prevent us from being an amplifier.
I'm afraid that in my experience, that's not true at all. I've seen smurf attacks bounced off of networks as small as /30's and all the way up to one network that was a /22, as well as everything in between, and I'm not just talking about the last /30 in a /24 either.
Brandon Ross Network Engineering 404-815-0770 800-719-4664 Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
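
The point raised in the quoted reply, that a deny on *.*.*.255 does not cover every directed-broadcast address, can be checked against your own addressing plan. This is an added example, not part of the original thread; the subnet list is constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of subnets configured on a router's interfaces.
SAMPLE_SUBNETS = [
    "10.1.0.0/22",    # broadcast 10.1.3.255
    "10.1.4.0/24",    # broadcast 10.1.4.255
    "10.1.5.4/30",    # broadcast 10.1.5.7
    "10.1.5.252/30",  # last /30 in a /24, broadcast 10.1.5.255
    "10.1.6.64/26",   # broadcast 10.1.6.127
    "10.1.7.0/31",    # point-to-point, no broadcast address
    "10.1.8.16/28",   # broadcast 10.1.8.31
]


def directed_broadcasts(subnets):
    """Return (network, broadcast) pairs for IPv4 subnets that have a broadcast."""
    pairs = []
    for text in subnets:
        net = ipaddress.ip_network(text, strict=True)
        if net.version != 4 or net.prefixlen >= 31:
            continue  # /31 and /32 have no directed-broadcast address
        pairs.append((net, net.broadcast_address))
    return pairs


def missed_by_dot255_deny(subnets):
    """List subnets whose directed broadcast a 'deny *.*.*.255' rule would not match."""
    missed = []
    for net, bcast in directed_broadcasts(subnets):
        if int(bcast) & 0xFF != 0xFF:  # last octet is not 255
            missed.append((str(net), str(bcast)))
    return missed


def report(subnets):
    """Build a per-subnet coverage report for an own-network audit."""
    missed = {n for n, _ in missed_by_dot255_deny(subnets)}
    lines = []
    for net, bcast in directed_broadcasts(subnets):
        status = "NOT covered" if str(net) in missed else "covered"
        lines.append(f"{str(net):<18} broadcast {str(bcast):<15} {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SUBNETS)))
```

Any subnet reported as not covered still needs directed broadcasts blocked on the interface itself, as the signature above recommends.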