nanog mailing list archives

Re: SMURF amplifier block list
From: Karl Denninger <karl () mcs net>
Date: Sun, 12 Apr 1998 00:15:26 -0500

On Sat, Apr 11, 1998 at 02:31:22PM -0700, Sean M. Doran wrote:
| Posting it here weekly only provides a mechanism for the little fsckers
| that smurf to gain an up to date list of sites to bounce from.

And consequently increases the likelihood that more networks
will refuse traffic to or from these networks, which in turn
increases the pressure on these sites to wonder what is happening
to their connectivity and how to repair it.   Which may just solve
the problem.

This is a monumental admission: I think Karl is doing the right thing.

      Sean.

Correct.

Note that the way you GET ON THIS LIST is to have BEEN a smurf amplifier.

That is, not a "suspected" one, not one we probed, but a PROVEN source of a
smurf amplification.

And guess how I know that?  I'll tell you - one or more of our customer or
internal machines was rendered useless until I identified and blocked EACH
of the networks on the list.

That is, all of these are PROVEN guilty, not suspected guilty.  This also
means that any claim that I'm "helping the bad guys" is baloney - the bad 
guys, by definition, ALREADY USED THESE NETWORKS to hit us or one of our
customers - that's how they got on the list in the first place!

The only effective means I have to stop this is to start refusing transit
to packets with a source address in the amplifier network(s).  Our core
circuits can handle even a dedicated smurfer - there are few who can hit us
with enough punch to melt our core circuits (multiple DS3s are like that).  
Our customers, most of whom are on T1s, aren't so lucky - they can be 
rendered disconnected quite easily, as can an internal machine on a 10Mbps 
switched port.  

Blocking these at ingress to our core is enough; not only do we stay 
operational with minimal impact, but the intended target suffers no ill 
effects - and as a consequence, the people doing this move on to more 
"juicy" targets where they can actually cause some damage.

If any significant number of providers start blocking these networks, the
people who own them will have to fix the configuration problems if they 
want to continue to be able to talk to the Internet as a whole.  

THAT is the intent of the blacklisting around here.  Our NOC crew has been
instructed that any complaint from these address ranges is to be referred
directly to me, and that the standard answer is "you're a smurf amplifier
and while Karl will talk to you, if you're calling for any purpose other
than to tell us that you've fixed it you're wasting your dimes".

--
-- 
Karl Denninger (karl () MCS Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
                             | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
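
The ingress policy described in the message above, sketched as an added example (not code from the original post or from MCSNet): any packet whose source address falls inside a listed network is refused, whatever the protocol. The prefixes and packets are constructed, using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed blocklist: documentation prefixes standing in for listed networks.
AMPLIFIER_NETS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed packets seen at the ingress to the core: (source, destination, protocol).
SAMPLE_PACKETS = [
    ("192.0.2.17", "203.0.113.5", "icmp"),
    ("192.0.2.200", "203.0.113.5", "icmp"),
    ("198.51.100.9", "203.0.113.5", "icmp"),
    ("203.0.113.77", "203.0.113.5", "tcp"),
    ("192.0.2.17", "203.0.113.80", "tcp"),  # ordinary traffic from a listed network
]


def matching_amplifier(src):
    """Return the listed network containing src, or None if it is not listed."""
    addr = ipaddress.ip_address(src)
    for net in AMPLIFIER_NETS:
        if addr in net:  # False on an IPv4/IPv6 version mismatch
            return net
    return None


def filter_ingress(packets):
    """Split packets into those forwarded and a per-network count of drops."""
    forwarded, dropped = [], Counter()
    for pkt in packets:
        net = matching_amplifier(pkt[0])
        if net is None:
            forwarded.append(pkt)
        else:
            # The match is on source address alone, so the listed network
            # loses all reachability through this provider, not only ICMP.
            dropped[str(net)] += 1
    return forwarded, dropped


if __name__ == "__main__":
    kept, drops = filter_ingress(SAMPLE_PACKETS)
    print("forwarded:", kept)
    for net, count in sorted(drops.items()):
        print(f"dropped {count} packet(s) from {net}")
```

The per-network drop counts are what a NOC would consult when a listed network calls to ask why its connectivity has degraded.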

