North American Network Operators Group

Re: netscan.org update

  • From: John Fraizer
  • Date: Tue Sep 26 01:16:22 2000

On Mon, 25 Sep 2000, John Payne wrote:

> 
> On Sat, Sep 23, 2000 at 08:19:58PM -0700, Troy Davis wrote:
> > Netscan.org hasn't created a BGP blackhole announcement out of lack of
> > time and because, at least while some significant sites are on it, we
> > doubt many people would use it.  Interestingly, looking at the top
> > smurf-announcing ASNs, an average American backbone could block easily 
> > half of them and barely notice.
> 
> I've been very quiet on the scanning for smurf amps thing... which is
> contrary to my nature :-)
> 
> However, I would really not like to see a BGP based listing of smurf
> amps based on results from scanning.
> 
> E-mailing network operators who have smurf amps that happen to not have been
> abused (maybe it's a /30 with little bandwidth) smacks of UBE to me... and
> you shouldn't be listing without notification...
> 
> 
> -- 
> John Payne      http://www.sackheads.org/jpayne/    john@sackheads.org
> http://www.sackheads.org/uce/                    Fax: +44 870 0547954
>         To send me mail, use the address in the From: header
> 


John,

The problem is that while some operators may not have been aware of their
problem, if they are not aware of the problem at-large, they are, IMHO,
not worthy of announcing to the global internet at large and as such,
we should not be listening to their announcements.

If, once they figure out they're being filtered, they decide to take care
of their problems, they will be removed from the BGP feed.

The SMURF problem is years old.  People who don't look for this on their
own networks and prevent it before it starts are AS MUCH if not MORE a
part of the problem as the script kiddies.


So, to sum it up, I disagree.  To back this up, if you find a SMURF
amplifier on my network, please feel free to add

ip as-path access-list WHATEVER deny 13944

to your filters.

We check our network constantly and have NEVER been the originator of, or
a transit AS for a SMURF attack of _ANY_ size.

---
John Fraizer
EnterZone, Inc