North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF amplifier block list

  • From: Alex P. Rudnev
  • Date: Mon Apr 20 07:54:29 1998

> >measurement.
> 
> Oops. I misunderstood this first time round.  I don't think you can easily
> detect smurf initiations, because you have to guess at the broadcast
> address.
It's not difficult to detect SMURF initiators belongs to your own 
customers. For us, it's easy because we have IP accounting at the core 
routers and have some anti-smurf monitoring; 

If you saw ICMP-request packets with the DST address looks as broadcast, 
it's the bell for your noc _let's check where are this packets 
originated_  - and this trace you to the SMURFer at 90% of the cases.

And this 0.0.0.255 255.255.255.0 address/wildcard_bits assumption makes a 
great approximation for the broadcast addresses.



> 
> I think it is much easier to detect and block forged source addresses,
> which are also necessary for the hacker who is operating out of your
> network.
> 
> 		--Dean
> 
> 
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>            Plain Aviation, Inc                  dean@av8.com
>            LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
>            We Make IT Fly!                (617)242-3091 x246
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> 
> 

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)