Hi folks,

I found a small list of smurf relays in a hacked account today and managed to mail all those folks privately asking that they fix their routers. I was reasonably proud of myself.

Then I found this list, full of 175 different networks. Nearly all the ones I tried work, and the ones that didn't work didn't respond on other IPs either, so I'm assuming unreachability. This is a fresh list from an active smurfer, however, so it does work. (Boy, does it work. }:P )

Since it would take me upwards of two weeks just to mail these folks - unless I put off work, school, and the like - I determined it would be much better to post the list to nanog and see what doesn't work after a few weeks. (Translation: there is no way in hell I'm mailing all these folks, not even with a script to try and parse all the internic/apnic/whatever whois outputs.)

Yes, I realize this means that The Scum will start smurfing like crazy; however, this also means that those networks will get fixed quicker when they realize their outbound link is completely saturated with ECHO_REPLY.

Please pass this around, call folks you know, call folks you don't know, do whatever it takes to get these folks to fix their routers. I have spent the past week dealing with various smurfs taking down ISPs, and I am getting extremely sick of it.

(Note, if you're fixed, and you're on this list, I apologize; again, I don't have the time to check each and every address.)
-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
Fundamentalist Agnostic: "I don't know, and neither do you!"
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/
whois: SN90 Try DALnet! http://www.dal.net/
It's not hard to block /24's at the core of your network. What about subnet assignments to customers using CPE that do not have directed broadcast? Sure you can set up special filters for each subnet - I'd find it hard to believe most large network operators do this because of the admin overhead and low(er) potential impact from amplifiers.

Stb

On Fri, 29 May 1998, Dalvenjah FoxFire wrote:
Hi folks,
I found a small list of smurf relays in a hacked account today and managed to mail all those folks privately asking that they fix their routers. I was reasonably proud of myself.
Then I found this list, full of 175 different networks. Nearly all the ones I tried work, and the ones that didn't work didn't respond on other IPs either, so I'm assuming unreachability. This is a fresh list from an active smurfer, however, so it does work. (Boy, does it work. }:P )
Since it would take me upwards of two weeks just to mail these folks - unless I put off work, school, and the like - I determined it would be much better to post the list to nanog and see what doesn't work after a few weeks. (Translation: there is no way in hell I'm mailing all these folks, not even with a script to try and parse all the internic/apnic/ whatever whois outputs.)
Yes, I realize this means that The Scum will start smurfing like crazy; however, this also means that those networks will get fixed quicker when they realize their outbound link is completely saturated with ECHO_REPLY.
Please pass this around, call folks you know, call folks you don't know, do whatever it takes to get these folks to fix their routers. I have spent the past week dealing with various smurfs taking down ISPs, and I am getting extremely sick of it.
(Note, if you're fixed, and you're on this list, I apologize; again, I don't have the time to check each and every address.)
-dalvenjah
--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
Fundamentalist Agnostic: "I don't know, and neither do you!"
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/
whois: SN90 Try DALnet! http://www.dal.net/
Dalvenjah FoxFire wrote:

[snip]
194.152.36.255
[snip]

OOPS! That is one of our customers; I thought that I fixed all with "no ip directed-broadcast". Well, does anybody know how to implement a filter which is denying the broadcast on an Ascend MAX 4000 Series (or even Pipe 50), because they don't have Ciscos :-(((

Any help appreciated!

Jan Czmok
Senior Network Engineer
IPF.NET
The v6.0.2 software on the MAX lets you block directed broadcasts (last option under the ethernet config). That version has been very stable for me... does NSSA in OSPF too.

Brian
OOPS! That is one of our customers; I thought that I fixed all with "no ip directed-broadcast". Well, does anybody know how to implement a filter which is denying the broadcast on an Ascend MAX 4000 Series (or even Pipe 50), because they don't have Ciscos :-(((
Any help appreciated!
Jan Czmok Senior Network Engineer IPF.NET
That is one of our customers; I thought that I fixed all with "no ip directed-broadcast". Well, does anybody know how to implement a filter which is denying the broadcast on an Ascend MAX 4000 Series (or even Pipe 50), because they don't have Ciscos :-(((
upgrade to 6.0.x

Ethernet->ModConfig->ReplyDirectBroadcast
Ethernet->ModConfig->ForwardDirectBroadcast

Ciao
Bernhard

--
Bernhard Kroenung, Bahnhofstr 8, 36157 Ebersburg/Rhoen, Germany
+49 6656 910101
@work : bernhard@kroenung.de Work: +49 661 9011777
@home : horke@Rhoen.De
@school : Bernhard.Kroenung@Informatik.FH-Fulda.De
If you took the time to write the script to find out if these people have vulnerable networks, you surely can write something to do whois queries. I can't stand when people bitch about something, but do nothing about it. Posting this on nanog is going to do little... we can "ass-u-me" that most people on here are quarter-clued-enough to no ip directed already.

Dalvenjah FoxFire wrote:
Hi folks,
Then I found this list, full of 175 different networks. Nearly all the ones I tried work, and the ones that didn't work didn't respond on other IPs either, so I'm assuming unreachability. This is a fresh list from an active smurfer, however, so it does work. (Boy, does it work. }:P )
--
jamie rishaw (dal/efnet:gavroche)
American Information Systems, Inc.
rdm: "Religion is obsolete." gsr: "By what?" jgr: "Solaris." (1996)
Tel:312.425.7140, FAX:312.425.7240
On Fri, 29 May 1998, James Rishaw wrote:
If you took the time to write the script to find out if these people have vulnerable networks, you surely can write something to do whois queries. I can't stand when people bitch about something, but do nothing about it. Posting this on nanog is going to do little... we can "ass-u-me" that most people on here are quarter-clued-enough to no ip directed already.

Dalvenjah FoxFire wrote:
Hi folks, Then I found this list, full of 175 different networks. Nearly all the ones I tried work, and the ones that didn't work didn't respond on other IPs either, so I'm assuming unreachability. This is a fresh list from an active smurfer, however, so it does work. (Boy, does it work. }:P )
Actually I thought it was nice that someone took the time to pass on what he had learned about this ongoing problem, especially after having invested his time and effort. I didn't take this as bitching in the least. Also, I am not so arrogant as to think that all of my customers have every single router configured correctly... you can bet I checked the list for all of our blocks.

Bil Herd
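Added example, not part of the thread: one way an operator could do the check Bil Herd describes, matching a reported amplifier list against their own subnet assignments, and also see Stephen Balbach's point that customer subnets smaller than a /24 have broadcast addresses a last-octet filter at the core would not match. All addresses are constructed from the RFC 5737 documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not from the thread.
OUR_SUBNETS = ["192.0.2.0/24", "198.51.100.0/26", "198.51.100.64/26"]
REPORTED = ["192.0.2.255", "198.51.100.63", "198.51.100.255", "203.0.113.255"]


def match_reported(reported, subnets):
    """Map each reported address that falls inside one of our subnets to
    (subnet, role), where role is 'broadcast', 'network' or 'host'.
    Addresses outside our space are left out of the result."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    hits = {}
    for text in reported:
        addr = ipaddress.ip_address(text)
        for net in nets:
            if addr not in net:
                continue
            if addr == net.broadcast_address:
                role = "broadcast"
            elif addr == net.network_address:
                role = "network"
            else:
                # May still be the broadcast of a finer subnet we did not list.
                role = "host"
            hits[text] = (str(net), role)
    return hits


def missed_by_octet_filter(subnets):
    """Network and broadcast addresses of our subnets whose last octet is
    neither 0 nor 255, i.e. ones a filter written for /24 boundaries misses."""
    missed = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        for addr in (net.network_address, net.broadcast_address):
            if (int(addr) & 0xFF) not in (0, 255):
                missed.append(str(addr))
    return missed


if __name__ == "__main__":
    for addr, (net, role) in match_reported(REPORTED, OUR_SUBNETS).items():
        print(f"{addr}: {role} address of {net}, check directed-broadcast setting")
    print("not covered by a .0/.255 filter:", missed_by_octet_filter(OUR_SUBNETS))
```
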
participants (7)

- Bil Herd
- Brian Horvitz
- Dalvenjah FoxFire
- horke@mail.regio.net
- jamie@dilbert.ais.net
- Jan Czmok
- Stephen Balbach