[16320] in North American Network Operators' Group
Spoofed Packet Tracker (Was Re: SMURF amplifier block list)
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Apr 20 12:24:11 1998
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <Pine.LNX.3.96.980419184754.32275D-100000@industry.idirect.com> from "jlixfeld@idirect.ca" at "Apr 19, 98 06:48:32 pm"
To: jlixfeld@idirect.ca
Date: Mon, 20 Apr 1998 12:15:22 -0400 (EDT)
Cc: alex@Relcom.EU.net, dboehlke@MR.Net, dean@av8.com, nanog@merit.edu

MCI has a tool to track spoofed packets, which is the origin of
any DoS today.

You can get it from ftp.mci.net:/pub/security/dostrack742812.tar

That will trace it to the edge of your network, then you need to
work with the other providers to track it past that point.

If it's within your network, you should filter it either by
using ip verify unicast reverse-path on the serial interfaces or
via acls.

ip verify unicast reverse-path is a feature in the fib images
by Cisco. Most large nsp's run these images, and they're now mainline,
so fire up your cco accounts and grab them.

It drops packets that don't have the same return path, which works
for most customers that are single homed.

- Jared

On a dark and stormy night, jlixfeld@idirect.ca said:
> Cisco has a method of tracing SMuRF, do they not? Anyone know how they do
> it?! Is it some imbedded thing, or do they call the owners of each
> network and pray that they have Ciscos?
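
The reverse-path check described in the message above, as an added example that is not part of the original post or Cisco's code: a simplified model of the strict check, where a packet is accepted only if the best route back to its source leaves through the interface it arrived on. The FIB entries, documentation prefixes and interface names are constructed assumptions; the last case shows why the check suits single-homed customers.

```python
import ipaddress

# Constructed FIB (assumption): prefix -> interface the router would use to reach it.
FIB = [
    ("0.0.0.0/0", "Hssi0/0"),          # default route toward the upstream
    ("192.0.2.0/24", "Serial1/0"),     # single-homed customer A
    ("198.51.100.0/24", "Serial1/1"),  # multihomed customer B, covering route
    ("198.51.100.0/25", "Serial2/0"),  # B's more specific route via its second link
]
FIB_TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB]


def lookup(fib, addr):
    """Longest-prefix match: interface of the most specific covering route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifc in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def urpf_strict(fib, src, in_ifc):
    """Accept only when the return path to src is the arrival interface."""
    return lookup(fib, src) == in_ifc


# Constructed packets: (source address, arrival interface, description).
PACKETS = [
    ("192.0.2.10", "Serial1/0", "customer A, own address"),
    ("203.0.113.9", "Serial1/0", "customer A link, source not routed there"),
    ("198.51.100.200", "Serial1/1", "customer B, return path matches"),
    ("198.51.100.20", "Serial1/1", "customer B, return path is Serial2/0"),
]


def classify(fib, packets):
    """Return the accept/drop decision for each packet, in order."""
    return [urpf_strict(fib, src, ifc) for src, ifc, _ in packets]


if __name__ == "__main__":
    for (src, ifc, note), ok in zip(PACKETS, classify(FIB_TABLE, PACKETS)):
        print(f"{'accept' if ok else 'drop  '} {src:<15} on {ifc:<9} {note}")
```

The fourth packet carries a legitimate source address but is dropped because its return route points at a different link, which is the asymmetric-routing case where an ACL is the safer filter.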