Smurf attack in progress - FIX YOUR RELAYS NOW
Hi folks,

Since Sunday, I've e-mailed, telephoned, and contacted the folks responsible for the networks involved in the current smurf against my network. Since then, a grand total of four (count 'em, *four*) have responded and shut off broadcasts.

Here are the networks that have ignored me so far. If you are a contact for them, if you know the contact for them, peer with them, talk to them on the golf course, whatever - get them out of bed, wake them up, and get them to fix their routers *NOW*. If you are their uplink, block their traffic or otherwise disconnect them until they fix their routers.

This is ridiculous, folks. I'm seeing networks that are customers of UUnet, Sprint, MCI/C&W, Telia, all the big ISPs that are STILL smurf amplifiers two years after we knew about the attack and how to fix it.

Note, I am sending this to nanog because none of these people have responded or fixed their networks for *TWO DAYS* now.

How do you configure your router for this? Insert an ACL to deny connectivity to these people until they fix their routers to not relay.

If you do happen to fix one of these networks, or if perhaps you can backtrace the smurf destined for 209.133.28.69, please e-mail me back or telephone me; my phone# is in whois.

-dalvenjah

#0 - Probable Smurf attack detected from 206.173.226.0/24 (1028 bytes)
Concentric Research Corp. (NETBLK-CONCENTRIC-BLK)
10590 N. Tantau Ave.
Cupertino, CA 95014
Concentric Networks.

#1 - Probable Smurf attack detected from 198.145.32.0/24 (1028 bytes)
Extensis Corporation (NETBLK-AUSNET-US-EXTEN)
55 SW Yamhill, Floor 4
Portland, OR 97204 USA
C&W/World.net customer

#2 - Probable Smurf attack detected from 206.136.9.0/24 (1028 bytes)
Primary Access Corporation (NET-PRIACC2)
12230 World Trade Drive
San Deigo, CA 92128-3765 US
UUnet customer

#3 - Probable Smurf attack detected from 194.16.2.0/24 (1028 bytes)
inetnum: 194.16.2.0 - 194.16.2.255
netname: NETCH
descr: Netch Technologies AB
country: SE
admin-c: HD26-RIPE
tech-c: SN38-RIPE
Telia customer

#4 - Probable Smurf attack detected from 143.224.103.0/16 (1028 bytes)
Joanneum Research (NET-JR-NETWORK)
A-8010 Graz Steyrergasse 17
AUSTRIA
AGIS/Loralorion.net customer.

#5 - Probable Smurf attack detected from 204.151.131.0/24 (1028 bytes)
ANS CO+RE Systems, Inc. (NETBLK-ANS-C-BLOCK3)
100 Clearbrook Road
Elmsford, NY 10523
ANS/BCtel/AGT.net customer

#6 - Probable Smurf attack detected from 195.67.69.0/24 (1028 bytes)
inetnum: 195.67.69.0 - 195.67.69.31
netname: PROFFICE
descr: Proffice Ab
country: SE
admin-c: MH1035-RIPE
tech-c: MH1035-RIPE
Telia customer

#7 - Probable Smurf attack detected from 199.185.220.0/24 (1028 bytes)
ED TEL (NETBLK-EDTEL-PLANET)
Edmonton, AB; T5J 2R4 CA
BCtel/AGT.net customer

--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
"Life is anything that dies when you stomp on it." -Dave Barry
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/
whois: SN90 Try DALnet! http://www.dal.net/
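An added example, not part of the original message: one way to turn detector lines in the format quoted above into the deny ACL the message asks for, including the case where a reported prefix has host bits set (as in 143.224.103.0/16). The sample report is constructed from the message's line format; the Cisco IOS extended-ACL output and the ACL number 101 are assumptions about the router in use.

```python
import ipaddress
import re

# Constructed sample: report lines in the format quoted in the message,
# plus a duplicate and a non-report line to exercise the parser.
SAMPLE_REPORT = """\
#0 - Probable Smurf attack detected from 206.173.226.0/24 (1028 bytes)
#4 - Probable Smurf attack detected from 143.224.103.0/16 (1028 bytes)
#6 - Probable Smurf attack detected from 195.67.69.0/24 (1028 bytes)
#6 - Probable Smurf attack detected from 195.67.69.0/24 (1028 bytes)
not a report line
"""

REPORT_RE = re.compile(
    r"Probable Smurf attack detected from (\d+\.\d+\.\d+\.\d+/\d+)"
)


def amplifier_networks(report):
    """Return the unique source networks named in the report, sorted."""
    nets = set()
    for match in REPORT_RE.finditer(report):
        try:
            # strict=False masks off host bits, so 143.224.103.0/16
            # becomes 143.224.0.0/16 instead of raising ValueError.
            nets.add(ipaddress.ip_network(match.group(1), strict=False))
        except ValueError:
            continue  # skip malformed values such as 999.1.1.1/24
    # collapse_addresses merges duplicates and nested or adjacent prefixes.
    return list(ipaddress.collapse_addresses(nets))


def deny_acl(networks, acl_number=101):
    """Render extended-ACL lines (assumed Cisco IOS syntax) per network."""
    lines = [
        f"access-list {acl_number} deny ip "
        f"{net.network_address} {net.hostmask} any"
        for net in networks
    ]
    # Without a final permit, the implicit deny would drop everything else.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(deny_acl(amplifier_networks(SAMPLE_REPORT))))
```
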
Hi folks,
Here are the networks that have ignored me so far. If you are a contact for them, if you know the contact for them, peer with them, talk to them on the golf course, whatever - get them out of bed, wake them up, and get them to fix their routers *NOW*. If you are their uplink, block their traffic or otherwise disconnect them until they fix their routers.
-dalvenjah
#0 - Probable Smurf attack detected from 206.173.226.0/24 (1028 bytes) Concentric Research Corp. (NETBLK-CONCENTRIC-BLK) 10590 N. Tantau Ave. Cupertino, CA 95014 Concentric Networks.
Whups. That's a corporate block for desktops that will be going away within the week as HQ moves to San Jose. I'll bug the folks responsible for it. :(

My apologies for the trouble it may have caused!

Matt Petach