Home page logo

nanog logo nanog mailing list archives

Re: SMURF amplifier block list
From: Pete Ashdown <pashdown () xmission com>
Date: Mon, 20 Apr 1998 09:53:34 -0600 (MDT)

jlixfeld () idirect ca said once upon a time:

You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on
your cores.  Deny ICMP from critical portions of your network.  Create a
little script which tail -fs the log, parses it, sorts it and counts it.
If the script counts more then xxx hits on a certain IP or a certain
number of IPs on your network from the same source or a multiple sources
on the same network, you have your upstream.  Once you have them, you can
call them and ask them to do the same until you find the real source.

You might want to stick in an "echo-reply" before the log.  This will
specifically block the smurf, but won't affect any of the other ICMP which
does have a useful purpose.  This of course will stop any of the blocked
addresses from doing outside pings or traceroutes as well.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]