nanog mailing list archives

Re: SMURF amplifier block list
From: "Alex P. Rudnev" <alex () Relcom EU net>
Date: Mon, 20 Apr 1998 15:29:07 +0400 (MSD)


> Oops. I misunderstood this first time round.  I don't think you can easily
> detect smurf initiations, because you have to guess at the broadcast
It's not difficult to detect SMURF initiators belonging to your own
customers. For us, it's easy because we have IP accounting at the core
routers and have some anti-smurf monitoring.

If you see ICMP-request packets with a DST address that looks like a broadcast,
it's the bell for your NOC: _let's check where these packets
originated_ - and this traces you to the SMURFer in 90% of the cases.

And this address/wildcard_bits assumption makes a 
great approximation for the broadcast addresses.

> I think it is much easier to detect and block forged source addresses,
> which are also necessary for the hacker who is operating out of your


>            Plain Aviation, Inc                  dean () av8 com
>            LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
>            We Make IT Fly!                (617)242-3091 x246

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
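
The check described in the message above, as an added example that is not part of the original post or of Relcom's monitoring: it scans IP-accounting style records for ICMP echo requests whose destination looks like a broadcast address and totals them per ingress port. The record layout, the wildcard list, the `min_packets` threshold and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed accounting records (hypothetical layout):
# (ingress customer port, src, dst, protocol, ICMP type, packet count)
RECORDS = [
    ("cust-a", "192.0.2.10", "198.51.100.255", "icmp", 8, 1200),
    ("cust-a", "192.0.2.10", "203.0.113.127", "icmp", 8, 900),
    ("cust-b", "192.0.2.77", "198.51.100.20", "icmp", 8, 3),
    ("cust-b", "192.0.2.77", "198.51.100.255", "tcp", None, 50),
    ("cust-c", "192.0.2.99", "203.0.113.0", "icmp", 8, 400),
    ("cust-c", "192.0.2.99", "203.0.113.64", "icmp", 0, 400),
]

# Assumed wildcard bits for /24 .. /27 subnets. Shorter wildcards match
# too many ordinary host addresses to be a useful approximation.
WILDCARDS = [0xFF, 0x7F, 0x3F, 0x1F]

def looks_like_broadcast(dst, wildcards=WILDCARDS):
    """True if the host bits under any assumed wildcard are all ones
    (directed broadcast) or all zeros (old-style broadcast)."""
    addr = int(ipaddress.IPv4Address(dst))
    return any((addr & w) == w or (addr & w) == 0 for w in wildcards)

def suspect_ingress(records, min_packets=100):
    """Total echo requests (ICMP type 8) sent to broadcast-looking
    destinations, grouped by ingress port. The source address is not
    used as the key because a smurf sender forges it; the port the
    packets entered on is what leads back to the originator."""
    hits = Counter()
    for port, _src, dst, proto, icmp_type, packets in records:
        if proto == "icmp" and icmp_type == 8 and looks_like_broadcast(dst):
            hits[port] += packets
    return {port: n for port, n in hits.items() if n >= min_packets}

if __name__ == "__main__":
    for port, n in sorted(suspect_ingress(RECORDS).items()):
        print(f"{port}: {n} echo requests to broadcast-looking destinations")
```
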
