[16389] in North American Network Operators' Group
Re: SMURF amplifier block list
daemon@ATHENA.MIT.EDU (Jason Lixfeld)
Fri Apr 24 12:08:46 1998
Date: Thu, 23 Apr 1998 22:45:41 -0400 (EDT)
From: Jason Lixfeld <jlixfeld@idirect.ca>
To: Pete Ashdown <pashdown@xmission.com>
cc: nanog@merit.edu
In-Reply-To: <199804201553.JAA21164@slack.xmission.com>
What's the difference? If you do echo-reply, whoever initiated the ping
will never see a response because it is filtered by the echo-reply in the
first place. Or am I missing something with the echo-reply?! (it's late,
forgive my ignorance) =)
On Mon, 20 Apr 1998, Pete Ashdown wrote:
:jlixfeld@idirect.ca said once upon a time:
:>
:>You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on
:>your cores. Deny ICMP from critical portions of your network. Create a
:>little script which tail -fs the log, parses it, sorts it and counts it.
:>If the script counts more then xxx hits on a certain IP or a certain
:>number of IPs on your network from the same source or a multiple sources
:>on the same network, you have your upstream. Once you have them, you can
:>call them and ask them to do the same until you find the real source.
:
:You might want to stick in an "echo-reply" before the log. This will
:specifically block the smurf, but won't affect any of the other ICMP which
:does have a useful purpose. This of course will stop any of the blocked
:addresses from doing outside pings or traceroutes as well.
:
--
Regards,
Jason A. Lixfeld jlixfeld@idirect.ca
iDirect Network Operations jlixfeld@torontointernetxchange.net
---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company"
Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario | (416) 236-5806 (T)
M9B-1B5 CANADA | (416) 236-5804 (F)
---------------------------------------------------------------------
