[16167] in North American Network Operators' Group
Re: SMURF amplifier block list
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Tue Apr 14 06:50:21 1998
Date: Tue, 14 Apr 1998 13:42:57 +0200
To: "Forrest W. Christian" <forrestc@iMach.com>
From: Hank Nussbacher <hank@ibm.net.il>
Cc: Vadim Antonov <avg@pluris.com>, dean@av8.com, jra@scfn.thpl.lib.fl.us,
karl@mcs.net, nanog@merit.edu

At 03:31 AM 4/14/98 -0600, Forrest W. Christian wrote:
>On Tue, 14 Apr 1998, Hank Nussbacher wrote:
>
>> All outgoing pkts to 220.88.192.128/27 now should go to Null0. I am sure
>> one can improve on the logic even more.
>
>Exactly. All OUTGOING packets. Not Incoming. Not the smurf attack
>packets which are swamping your downstream customer, which have a source
>address from 220.88.192.128/27.

My textual mistake - this snippet is to send pkts to dev/null for all pkts
*sourced* from 220.88.192.128/27. -Hank

>
>I will concede that shutting off connectivity to a site by a large enough
>chunk of the net should get someone to fix stuff.... But part of the
>advantage of the MAPS RBL BGP feed is that it helps to cut down spam
>coming into your network. A BGP feed TODAY won't block a ping
>amplification attack aimed at your network or a downstream. All it will
>do is prevent your customers from using the ping amplification networks to
>launch an attack. And, if you have the appropriate anti-spoofing filters
>in place, they shouldn't be able to attack anything other than the valid
>source addresses you have in your outbound filter set.
>
>- Forrest W. Christian (forrestc@imach.com)
>----------------------------------------------------------------------
>iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
>Solutions for your high-tech problems. (406)-442-6648
>----------------------------------------------------------------------
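
Added example, not part of the original message or any poster's configuration: a small Python model of the distinction argued in this thread, showing that a null route matched on destination drops only traffic headed to the amplifier prefix, while a drop keyed on source address is needed to discard replies coming from it. The customer prefix 192.0.2.0/24, the host addresses, the routing table and the function names are constructed for illustration.

```python
import ipaddress

AMPLIFIER = ipaddress.ip_network("220.88.192.128/27")  # prefix named in the thread
CUSTOMER = ipaddress.ip_network("192.0.2.0/24")        # constructed downstream customer

# Constructed routing table: (prefix, next hop). Null0 discards the packet.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (CUSTOMER, "customer"),
    (AMPLIFIER, "Null0"),  # the kind of route a blackhole BGP feed would install
]

def route_lookup(dst):
    """Longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(src, dst, drop_by_source=False):
    """Forwarding decision for one packet.

    drop_by_source=True models a filter that discards packets whose
    source is in the amplifier prefix, before the route lookup."""
    if drop_by_source and ipaddress.ip_address(src) in AMPLIFIER:
        return "Null0"
    return route_lookup(dst)

def egress_permits(src):
    """Anti-spoofing check on customer traffic: source must be the customer's own."""
    return ipaddress.ip_address(src) in CUSTOMER

if __name__ == "__main__":
    # Customer host sending toward the amplifier network: dropped by the null route.
    print(forward("192.0.2.10", "220.88.192.130"))
    # Echo replies sourced from the amplifier, aimed at the customer: still delivered.
    print(forward("220.88.192.130", "192.0.2.10"))
    # Same replies with a source-based drop in place: discarded.
    print(forward("220.88.192.130", "192.0.2.10", drop_by_source=True))
    # Customer packet with a source outside its own prefix: rejected at egress.
    print(egress_permits("198.51.100.7"))
```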