Re: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
Well, the ranges...
164.128.116.0 164.128.119.0 164.128.122.0 164.128.123.0 164.128.57.0 164.128.81.0
...are ours, and they are used in our backbone infrastructure. I was a bit surprised to see some of our backbone addresses on the list, because a few weeks back I went around all of the potential amplifiers and configured no ip directed-broadcast. It turns out that the ranges mentioned are all used to address serial access lines to customers - they are all /30 or /32.

I have a bit of a problem with blocking of address ranges that really cannot be used as significant amplifiers. We take our responsibilities as an ISP seriously: we have blocked all LANs that are connected by fat pipes and/or have large amplification factors, and we have started configuring 'no ip directed-broadcast' on ALL interfaces as a matter of standard. But we have several hundred legacy /30 interfaces that can't be reconfigured overnight.

While I support the sentiment that ISPs responsible for large amplifiers should be blocked until they take action, I feel that the decision to block an address range should actually be tempered by an assessment of how damaging an amplifier the address block represents. If a smurf attack is detected from an address range, is it really that difficult to check what the amplification factor is before deciding if it should go onto a blocking list? I would certainly suggest that /30s should not be blocked, since they are so numerous and the damage they can cause is limited.

How about a compromise: two lists - one of known smurf amplifier ranges > /30, which are blocked, and another of ranges where the amplifiers are =< /30, and which are not blocked, but simply publicised?

As another thought, maybe what we need is a rough 'smurf effectiveness metric' composed of amplification factor and access bandwidth. If address ranges only get onto the list because an attack has been sourced from them, then it should be possible to approximate these numbers.

Phil

At 08:11 PM 4/29/98 -0400, Martin, Christian wrote:
All,
Here is my contribution to the block list. The script that generated this will follow. It is 'public domain', in that it can be modified, BUT, please give credit where credit is due!
!!!!!NOTE: This script assumes that the offending bounce sites are /24 blocks. It isn't that smart yet, but if someone can figure out a way to glean more info, modify the script and repost.
...previous message truncated...

______________________________________________________________
Philip Bridge  ++41 31 688 8262
bridge@ip-plus.net  www.ip-plus.ch
PGP: DE78 06B7 ACDB CB56 CE88 6165 A73F B703
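A sketch of the two-list compromise and the rough effectiveness metric suggested in the message above, added here as an illustration; it is not code from the thread or from the script the thread mentions. The metric formula, the 64 kbit/s request rate, the prefixes and the access bandwidths are all constructed assumptions, and each host is assumed to send one echo reply per broadcast request.

```python
import ipaddress

PUBLICISE_FROM = 30  # assumed cut-off: /30 and longer are listed, not blocked


def amplification_factor(net):
    """Upper bound on echo replies per packet sent to the subnet broadcast."""
    # Network and broadcast addresses do not reply; /31 and /32 have no
    # hosts behind a broadcast address, so the bound is zero.
    return max(net.num_addresses - 2, 0)


def effectiveness_kbps(net, access_kbps, request_kbps):
    """Assumed metric: reflected traffic, capped by the amplifier's access line."""
    return min(amplification_factor(net) * request_kbps, access_kbps)


def split_lists(entries, request_kbps=64):
    """Return (block, publicise) as lists of (network, factor, kbps), worst first."""
    block, publicise = [], []
    for cidr, access_kbps in entries:
        # strict=True rejects entries whose host bits are set (e.g. typos).
        net = ipaddress.ip_network(cidr, strict=True)
        row = (str(net), amplification_factor(net),
               effectiveness_kbps(net, access_kbps, request_kbps))
        (publicise if net.prefixlen >= PUBLICISE_FROM else block).append(row)
    by_kbps = lambda row: row[2]
    return (sorted(block, key=by_kbps, reverse=True),
            sorted(publicise, key=by_kbps, reverse=True))


# Constructed sample data: documentation prefixes with made-up access
# bandwidths in kbit/s. None of these values come from the thread.
SAMPLE = [
    ("192.0.2.0/24", 10_000),   # LAN behind a fat pipe
    ("198.51.100.0/30", 128),   # serial access line
    ("198.51.100.8/30", 2_048),
    ("203.0.113.0/26", 512),
    ("203.0.113.77/32", 64),
]

if __name__ == "__main__":
    block, publicise = split_lists(SAMPLE)
    for title, rows in (("BLOCK", block), ("PUBLICISE ONLY", publicise)):
        print(title)
        for network, factor, kbps in rows:
            print(f"  {network:<20} factor={factor:<4} reflected<={kbps} kbit/s")
```

With these inputs the /24 is capped by its access line rather than by its host count, while both /30s top out at two replies per request regardless of line speed.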