Hi Folks,

If you're monitoring my page on this, you want to take a look in another 10-15 minutes.

We were just hit by another major smurf attack, and I captured over a dozen new prefixes (which got added to our "bite me" list).

http://www.mcs.net/smurf (update in process right now; give it 10-15 minutes)

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
Isn't there a dedicated list for this yet?

Having been bludgeoned into near-coma by the last month's deluge of smurf-related stuff - some technically ridiculous, some only bureaucratically tedious - I don't feel moved to track the "bite-me" list in real-time (15 minutes *ahead* of real-time, in fact, mirabile dictu).

In the spirit of some recently offered theories, I believe smurfing is really a cleverly disguised DOS attack, aimed not at the ostensible victims, rather against the readership of NANOG. Once we're lulled into a torpor by the smurf postings, our disks will fill to an un-fsckable jumble, 15 full minutes ahead of real-time.

Take it out in the hall, will ya?

--Tom
====
Tom Walton
Director of Strategic Consulting
Dimension Enterprises, Inc
twalton@dimension.net

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Karl Denninger
Sent: Tuesday, May 05, 1998 7:13 PM
To: nanog@merit.edu
Subject: Another major smurf run

Hi Folks,

If you're monitoring my page on this, you want to take a look in another 10-15 minutes.

We were just hit by another major smurf attack, and I captured over a dozen new prefixes (which got added to our "bite me" list).

http://www.mcs.net/smurf (update in process right now; give it 10-15 minutes)

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
Karl,

While I applaud your efforts, and think it is the right thing to do (given a lack of action on the part of ISPs responsible and the damage smurf attacks can cause), I have one (hopefully minor) request:

Due to the unfortunate inability for some ISPs to read statements like:

*** please refer to whois.apnic.net for more information ***
*** before contacting APNIC ***

I have been receiving quite a few demands to fix "my" smurf amplifying networks (in particular, one Jon Lusky <lusky@earth.voyageronline.net> has been daily sending me a note containing the entirety of Craig's document for each of the APNIC delegated networks that shows up in your list. There are (sadly, far too many) others, but usually when I send back the canned "APNIC is a registry, check here for more information" message, they get the hint. Mr. Lusky is apparently "special").

Would it be possible to hit APNIC's whois server for addresses in the APNIC blocks (202/7, 210/7, 61/8) before installing them in your web page?

Thanks,
-drc

At 06:13 PM 5/5/98 -0500, Karl Denninger wrote:
Hi Folks,
If you're monitoring my page on this, you want to take a look in another 10-15 minutes.
We were just hit by another major smurf attack, and I captured over a dozen new prefixes (which got added to our "bite me" list).
http://www.mcs.net/smurf (update in process right now; give it 10-15 minutes)
--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
David,

Sorry for the flood of email. I attempted to write a script to parse Cisco syslogs of a smurf attack and automatically mail contacts listed in rwhois--looks like it doesn't work so well, particularly in the case of APNIC and RIPE blocks. I will stop using it. If anyone has something that works better, I'd love to get a copy.

David R. Conrad writes:
Due to the unfortunate inability for some ISPs to read statements like:
*** please refer to whois.apnic.net for more information ***
*** before contacting APNIC ***
I have been receiving quite a few demands to fix "my" smurf amplifying networks (in particular, one Jon Lusky <lusky@earth.voyageronline.net> has been daily sending me a note containing the entirety of Craig's document for each of the APNIC delegated networks that shows up in your list. There are (sadly, far too many) others, but usually when I send back the canned "APNIC is a registry, check here for more information" message, they get the hint. Mr. Lusky is apparently "special").
Would it be possible to hit APNIC's whois server for addresses in the APNIC blocks (202/7, 210/7, 61/8) before installing them in your web page?
Thanks, -drc
--
Jonathan R. Lusky | Voyager Online, LLC
Director of Network Operations | (423) 209-2929
lusky@voyageronline.net | Unlimited PPP $19.95/mo
http://www.hotrod.com | http://www.voyageronline.net
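
Added example, not part of any message in this thread and not Jon Lusky's script: a sketch of the routing step the thread asks for, where sources seen in a smurf flood are grouped by prefix and the APNIC blocks named above (202/7, 210/7, 61/8) are sent to whois.apnic.net for the delegated holder instead of being attributed to the registry. The Cisco ACL-log line format, the /24 grouping, the function names and the sample lines are assumptions; the sample uses documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Blocks the thread names as APNIC-delegated: 202/7, 210/7, 61/8.
APNIC_BLOCKS = [ipaddress.ip_network(n)
                for n in ("202.0.0.0/7", "210.0.0.0/7", "61.0.0.0/8")]
APNIC_WHOIS = "whois.apnic.net"

# Constructed sample lines (documentation addresses), Cisco ACL-log style.
SAMPLE_LOG = """\
May  5 18:02:11 gw %SEC-6-IPACCESSLOGDP: list 150 denied icmp 203.0.113.7 -> 192.0.2.10 (0/0), 412 packets
May  5 18:02:11 gw %SEC-6-IPACCESSLOGDP: list 150 denied icmp 203.0.113.91 -> 192.0.2.10 (0/0), 388 packets
May  5 18:02:12 gw %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.4 -> 192.0.2.10 (0/0), 250 packets
May  5 18:02:13 gw %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.9 -> 192.0.2.10 (8/0), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list \S+ \w+ icmp (\S+) -> \S+ \((\d+)/\d+\), (\d+) packets?")


def whois_server_for(addr, default=None):
    """Pick the whois server that holds the delegation record for addr."""
    ip = ipaddress.ip_address(addr)
    if any(ip in block for block in APNIC_BLOCKS):
        return APNIC_WHOIS  # the registry is not the operator; look up the holder here
    return default          # caller's existing lookup path (assumption)


def amplifier_report(log_text, prefixlen=24, default_whois=None):
    """Return {prefix: (echo_reply_packets, whois_server)} from ACL log text."""
    packets = Counter()
    for src, icmp_type, count in LOG_RE.findall(log_text):
        if icmp_type != "0":  # only echo replies (type 0) are smurf reflections
            continue
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        packets[net] += int(count)
    return {str(net): (n, whois_server_for(str(net.network_address), default_whois))
            for net, n in packets.items()}


if __name__ == "__main__":
    for prefix, (count, server) in amplifier_report(SAMPLE_LOG).items():
        print(prefix, count, server or "(default lookup)")
```

The contact to notify is whatever the selected server returns for the prefix; a result that still names the registry itself means the lookup went to the wrong server.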