[16318] in North American Network Operators' Group
Re: SMURF amplifier block list
daemon@ATHENA.MIT.EDU (Pete Ashdown)
Mon Apr 20 12:12:16 1998
From: Pete Ashdown <pashdown@xmission.com>
To: jlixfeld@idirect.ca
Date: Mon, 20 Apr 1998 09:53:34 -0600 (MDT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.3.96.980419185144.32295B-100000@industry.idirect.com> from "jlixfeld@idirect.ca" at Apr 19, 98 06:56:26 pm
jlixfeld@idirect.ca said once upon a time:
>
>You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on
>your cores. Deny ICMP from critical portions of your network. Create a
>little script which tail -fs the log, parses it, sorts it and counts it.
>If the script counts more than xxx hits on a certain IP or a certain
>number of IPs on your network from the same source or multiple sources
>on the same network, you have your upstream. Once you have them, you can
>call them and ask them to do the same until you find the real source.
You might want to stick in an "echo-reply" before the log. This will
specifically block the smurf, but won't affect any of the other ICMP which
does have a useful purpose. This of course will stop any of the blocked
addresses from doing outside pings or traceroutes as well.
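The thread sketches a procedure (log ICMP echo-reply denies at the core, tail the log, parse, sort and count, then threshold per source and per source network) but gives no script. The following is an added example, not code from the original post or from either poster. It assumes the ACL line is the one quoted above with Pete's "echo-reply" inserted before "log", and that the router emits syslog lines in the style of the IOS message `%SEC-6-IPACCESSLOGDP: list N denied icmp SRC -> DST (TYPE/CODE), N packets`; the sample lines, the list number 101 and all addresses are constructed, and the thresholds are placeholders for the "xxx" in the quoted text.

```python
"""Count logged ICMP echo-reply denies per source and per source network.

Added example, not from the original NANOG post. Assumes syslog lines in the
style IOS uses for a logged ACL deny of ICMP; the sample lines below are
constructed, not captured traffic.
"""
import re
import sys
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample of what `tail -f` on the core's syslog might yield.
# (0/0) = echo-reply, (8/0) = echo request, (3/3) = port unreachable.
SAMPLE_LOG = """\
Apr 20 09:51:02 core1 123: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.10 -> 198.51.100.7 (0/0), 60 packets
Apr 20 09:51:03 core1 124: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.11 -> 198.51.100.7 (0/0), 55 packets
Apr 20 09:51:03 core1 125: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.12 -> 198.51.100.7 (0/0), 70 packets
Apr 20 09:51:04 core1 126: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.10 -> 198.51.100.8 (0/0), 45 packets
Apr 20 09:51:05 core1 127: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.5 -> 198.51.100.7 (8/0), 3 packets
Apr 20 09:51:06 core1 128: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 198.51.100.9 (3/3), 1 packet
Apr 20 09:51:07 core1 129: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 198.51.100.9 (0/0), 2 packets
"""

LOG_RE = re.compile(
    r"denied icmp (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<pkts>\d+) packets?"
)


def parse_line(line):
    """Return (src, dst, icmp_type, packets) or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m.group("src"), m.group("dst"), int(m.group("type")), int(m.group("pkts")))


def summarize(lines, per_src_threshold=100, per_net_threshold=200, prefixlen=24):
    """Count echo-reply packets per source host and per source prefix.

    Only ICMP type 0 (echo-reply) is counted, mirroring the narrowed ACL;
    other ICMP that reached the log is ignored rather than inflating counts.
    """
    hits = Counter()               # packets per source host
    targets = defaultdict(set)     # distinct local hosts hit by each source
    net_hits = Counter()           # packets per source prefix
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != 0:
            continue
        src, dst, _, pkts = rec
        hits[src] += pkts
        targets[src].add(dst)
        net = str(ip_network(f"{src}/{prefixlen}", strict=False))
        net_hits[net] += pkts
    return {
        "hits": dict(hits),
        "targets": {s: len(d) for s, d in targets.items()},
        "net_hits": dict(net_hits),
        # Single sources over threshold, and prefixes whose combined hosts
        # exceed the network threshold ("multiple sources on the same network").
        "flagged_src": sorted(s for s, n in hits.items() if n >= per_src_threshold),
        "flagged_net": sorted(n for n, c in net_hits.items() if c >= per_net_threshold),
    }


def report(summary):
    """Render the summary sorted by count, largest first, like sort | uniq -c."""
    out = []
    for src, n in sorted(summary["hits"].items(), key=lambda kv: -kv[1]):
        out.append(f"{n:6d}  {src:16s} targets={summary['targets'][src]}")
    for net, n in sorted(summary["net_hits"].items(), key=lambda kv: -kv[1]):
        out.append(f"{n:6d}  {net}")
    out.append("flagged sources:  " + ", ".join(summary["flagged_src"]) or "-")
    out.append("flagged networks: " + ", ".join(summary["flagged_net"]) or "-")
    return "\n".join(out)


if __name__ == "__main__":
    # `tail -f /var/log/router.log | python3 smurfcount.py -` reads the live log;
    # with no argument the constructed sample is used.
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG.splitlines()
    print(report(summarize(source)))
```

The per-prefix grouping is what turns a pile of individual echo-reply sources into the network to contact: in a smurf the replying hosts all sit in the amplifier's broadcast domain, so the /24 total climbs even when no single host crosses the per-source threshold.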