I opened a trouble ticket with a major ISP in the USA about a Smurf originating at one of their customer nets targeted at me. I gave them the URL about Smurfing just in case they never heard about it. This is the email I got after 8 hours from their NOC:
***Note #1 03-20-1998 08:51:05 GMT Author: arsmith
More info. requested
Please send any samples along with the following info ASAP...
1. Is it presently still going on?
2. Was your site used as a launching point for attacks on other entities?
How does one send "samples" of a Smurf (I gave them the originating IPs, destination IP, time, frequency, pkt size, etc.)? If this is how major ISPs handle Smurf storms, we can expect much more congestion. It is as if the ISP NOCs assume Smurf is Spam!
-Hank
What he means is that you should probably include Smurfette as a sample.
Alex
Sprintlink Network Operations
(ebo ebpxryy qvq vg. v'z frevbhf!)
On Sat, 21 Mar 1998, Hank Nussbacher wrote:
I opened a trouble ticket with a major ISP in the USA about a Smurf originating at one of their customer nets targeted at me. I gave them the URL about Smurfing just in case they never heard about it.
This is the email I got after 8 hours from their NOC:
***Note #1 03-20-1998 08:51:05 GMT Author: arsmith
More info. requested
Please send any samples along with the following info ASAP...
1. Is it presently still going on?
2. Was your site used as a launching point for attacks on other entities?
How does one send "samples" of a Smurf (I gave them the originating IPs, destination IP, time, frequency, pkt size, etc.)? If this is how major ISPs handle Smurf storms, we can expect much more congestion. It is as if the ISP NOCs assume Smurf is Spam!
-Hank
How does one send "samples" of a Smurf
When BBN's NOC handed one to our NOC yesterday, or was it the day before, they sent a cut and paste of
  o configuring their edge cisco to detect and log
  o the log
which both documented the problem and, if our NOC did not have smurf clue, gave a clue on how to track.
[ aside: it was tracked to the perp and stomped ]
randy
Hi
I'm looking to put together a page with every NSP's networking utilities. I have seen several traceroute, ping, BGP utility URLs posted here. Can anyone repost or point me to a listing of those?
thanks
christopher
| || ||| || r a z o r f i s h , inc.
christopher neitzert [ information services manager ] >> 212.966.5960
Last weekend we had one host on our network as the target of a smurf attack. When I reported it to both our upstreams (UUNet and Time Warner who reported it to MCI), we got two stories. MCI, whom I'm not even a direct customer of started tracking the attack as soon as they were informed. UUNet took an hour to get a security person on the phone who then told me that there was nothing they could do, period.
My question is this: When will UUNet have security types on duty 7 days a week, and will said people be clueful enough to track this sort of thing down? I told the people at UUNet that we were under smurf attack, and then I had to go through a 10 minute explanation of what a smurf attack was and what it was doing. I would expect a worldwide NSP to keep up with things like this, especially when a regional like myself can.
I had logged all ICMP traffic coming into our network via an access list, and could give them all the information they needed to get to the offending networks, so it's not like they had such a hard job ahead of them.
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
On Sat, 21 Mar 1998, Randy Bush wrote:
How does one send "samples" of a Smurf
When BBN's NOC handed one to our NOC yesterday, or was it the day before, they sent a cut and paste of
  o configuring their edge cisco to detect and log
  o the log
which both documented the problem and, if our NOC did not have smurf clue, gave a clue on how to track.
[ aside: it was tracked to the perp and stomped ]
randy
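As an added illustration (not part of any message in this thread): one way to condense the kind of access-list log Randy Bush and Joe Shaw describe into a per-network summary that can be pasted into a ticket. In a smurf, the sources the victim logs are hosts on the amplifier networks. The log lines below are constructed in the Cisco IOS `%SEC-6-IPACCESSLOGDP` format; the ACL number, all addresses and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of Cisco IOS ACL log messages, as produced by
# an entry such as "access-list 169 permit icmp any any echo-reply log"
# (list number and addresses are made up; documentation ranges are used).
SAMPLE_LOG = """\
Mar 21 08:51:05: %SEC-6-IPACCESSLOGDP: list 169 permitted icmp 192.0.2.17 -> 198.51.100.9 (0/0), 1 packet
Mar 21 08:51:05: %SEC-6-IPACCESSLOGDP: list 169 permitted icmp 192.0.2.44 -> 198.51.100.9 (0/0), 12 packets
Mar 21 08:51:06: %SEC-6-IPACCESSLOGDP: list 169 permitted icmp 192.0.2.201 -> 198.51.100.9 (0/0), 30 packets
Mar 21 08:51:06: %SEC-6-IPACCESSLOGDP: list 169 permitted icmp 203.0.113.5 -> 198.51.100.9 (0/0), 7 packets
Mar 21 08:51:07: %SEC-6-IPACCESSLOGDP: list 169 permitted icmp 203.0.113.80 -> 198.51.100.9 (8/0), 1 packet
Mar 21 08:51:07: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 203.0.113.9(1025) -> 198.51.100.9(80), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def amplifier_networks(log_text, victim, prefix_len=24):
    """Sum echo-reply (ICMP type 0) packets sent to `victim`, per source network."""
    packets = Counter()
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dst"] != victim or m["type"] != "0":
            continue  # not an ICMP log line, other target, or not an echo reply
        net = ipaddress.ip_network(f"{m['src']}/{prefix_len}", strict=False)
        packets[net] += int(m["count"])
        hosts.setdefault(net, set()).add(m["src"])
    # Largest contributors first: (network, packets, distinct responding hosts)
    return [(str(net), n, len(hosts[net])) for net, n in packets.most_common()]

def report(log_text, victim):
    """Plain-text summary suitable for pasting into a ticket."""
    rows = amplifier_networks(log_text, victim)
    lines = [f"ICMP echo replies to {victim}, by source /24:"]
    lines += [f"  {net:<18} {n:>6} packets from {h} hosts" for net, n, h in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG, "198.51.100.9"))
```

Many distinct hosts answering from the same prefix is the signature of a directed-broadcast amplifier, and the owner of that prefix is the party to contact.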
On Sun, 22 Mar 1998, Joe Shaw wrote:
informed. UUNet took an hour to get a security person on the phone who then told me that there was nothing they could do, period.
If you call UUNet after hours, they have to page someone from security. Depending on which grunt answers the phone, you may have to remind them several times that you're experiencing a Denial of Service ATTACK, and that they NEED to page the on-call security person. Some of their first level people are good, but some seem like they were just pulled in off the street and handed a phone.
down? I told the people at UUNet that we were under smurf attack, and then I had to go through a 10 minute explanation of what a smurf attack was and what it was doing. I would expect a worldwide NSP to keep up with
It's even funnier when you explain to the first level person that a host on your network is being smurfed, and they act as if they know exactly what you're talking about. Then they ask "Can you give me the address the attack is coming from?" Then they admit they have no idea what smurf is. Lately, UUNet's been very slow to track smurf attacks, claiming they can't use DoStracker because it "does bad things to [their] routers". Having never used it myself, I have no idea if this is true or just a line. The best you can hope for is to get a security person on the phone and have them put in a temporary filter.
------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
UUnet and Alternet seem to carry a large amount of the smurf traffic as it migrates down the line, it would seem the responsible thing to do is have network security to track and log and trace source locations on its out of country backbones where these attacks stem from....need I get more clueful?
Henry R. Linneweh
Joe Shaw wrote:
Last weekend we had one host on our network as the target of a smurf attack. When I reported it to both our upstreams (UUNet and Time Warner who reported it to MCI), we got two stories. MCI, whom I'm not even a direct customer of started tracking the attack as soon as they were informed. UUNet took an hour to get a security person on the phone who then told me that there was nothing they could do, period.
My question is this: When will UUNet have security types on duty 7 days a week, and will said people be clueful enough to track this sort of thing down? I told the people at UUNet that we were under smurf attack, and then I had to go through a 10 minute explanation of what a smurf attack was and what it was doing. I would expect a worldwide NSP to keep up with things like this, especially when a regional like myself can.
I had logged all ICMP traffic coming into our network via an access list, and could give them all the information they needed to get to the offending networks, so it's not like they had such a hard job ahead of them.
Joe Shaw - jshaw@insync.net NetAdmin - Insync Internet Services
On Sat, 21 Mar 1998, Randy Bush wrote:
How does one send "samples" of a Smurf
When BBN's NOC handed one to our NOC yesterday, or was it the day before, they sent a cut and paste of
  o configuring their edge cisco to detect and log
  o the log
which both documented the problem and, if our NOC did not have smurf clue, gave a clue on how to track.
[ aside: it was tracked to the perp and stomped ]
randy
participants (8)
- Christopher Neitzert
- Fancy Feast
- Hank Nussbacher
- Henry Linneweh
- Joe Shaw
- Jon Lewis
- Randy Bush
- Randy Bush