North American Network Operators Group

Re: SMURF amplifier block list
> >measurement.
>
> Oops. I misunderstood this first time round. I don't think you can easily
> detect smurf initiations, because you have to guess at the broadcast
> address.

It's not difficult to detect SMURF initiators that belong to your own customers. For us, it's easy because we have IP accounting at the core routers and have some anti-smurf monitoring. If you see ICMP-request packets with a DST address that looks like a broadcast, it's the bell for your NOC _let's check where these packets originated_ - and this traces you to the SMURFer in 90% of the cases.

And this 0.0.0.255 255.255.255.0 address/wildcard_bits assumption makes a great approximation for the broadcast addresses.

>
> I think it is much easier to detect and block forged source addresses,
> which are also necessary for the hacker who is operating out of your
> network.
>
> --Dean
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Plain Aviation, Inc dean@av8.com
> LAN/WAN/UNIX/NT/TCPIP/DCE http://www.av8.com
> We Make IT Fly! (617)242-3091 x246
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
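
The check described in the reply above, as an added example that is not part of the original message: it applies the 0.0.0.255 / 255.255.255.0 address/wildcard pair to accounting records and groups matching ICMP echo requests by ingress interface, since the source address in such packets is normally forged. The record fields, interface names, addresses and the threshold are assumptions constructed for illustration.

```python
import ipaddress

# Cisco-style address/wildcard pair from the message: wildcard bits set to 1
# are "don't care", so only the last octet is compared and must equal 255.
BROADCAST_LIKE = ("0.0.0.255", "255.255.255.0")
ICMP_PROTO, ECHO_REQUEST = 1, 8


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard does not ignore."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def suspect_interfaces(records, threshold=3):
    """Return (ingress interface, distinct broadcast-looking destinations)
    for interfaces at or above the threshold, most active first.
    The threshold is an assumed value: one echo request to a .255 address
    can be a legitimate host in a network larger than a /24."""
    dsts = {}
    for r in records:
        if r["proto"] != ICMP_PROTO or r.get("icmp_type") != ECHO_REQUEST:
            continue
        if wildcard_match(r["dst"], *BROADCAST_LIKE):
            dsts.setdefault(r["in_if"], set()).add(r["dst"])
    hits = [(i, len(d)) for i, d in dsts.items() if len(d) >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])


# Constructed accounting records (hypothetical field layout, not real traffic).
FIELDS = ("in_if", "src", "dst", "proto", "icmp_type")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("Serial1/0", "192.0.2.10", "10.1.1.255", 1, 8),
    ("Serial1/0", "192.0.2.10", "10.1.2.255", 1, 8),
    ("Serial1/0", "192.0.2.10", "10.7.9.255", 1, 8),
    ("Serial1/0", "192.0.2.10", "10.7.9.254", 1, 8),       # ordinary host
    ("Serial2/3", "198.51.100.5", "10.4.4.255", 1, 8),     # single hit
    ("Serial2/3", "198.51.100.5", "10.4.4.255", 6, None),  # TCP, ignored
    ("Serial2/3", "198.51.100.5", "10.4.4.7", 1, 0),       # echo reply
]]

if __name__ == "__main__":
    for iface, count in suspect_interfaces(SAMPLE):
        print(f"{iface}: echo requests to {count} broadcast-looking addresses")
```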