[16580] in North American Network Operators' Group
Re: Another major smurf run
daemon@ATHENA.MIT.EDU (Jonathan Lusky)
Wed May 6 13:50:05 1998
From: Jonathan Lusky <lusky2@earth.voyageronline.net>
In-Reply-To: <199805060236.LAA09039@teckla.apnic.net> from "David R. Conrad" at "May 6, 98 10:58:14 am"
To: davidc@apnic.net (David R. Conrad)
Date: Wed, 6 May 1998 11:17:44 -0400 (EDT)
Cc: nanog@merit.edu
David,
Sorry for the flood of email. I attempted to write a script to
parse cisco syslogs of a smurf attack and automatically mail contacts
listed in rwhois--looks like it doesn't work so well, particularly
in the case of APNIC and RIPE blocks. I will stop using it.
If anyone has something that works better, I'd love to get a copy.
David R. Conrad writes:
> Due to the unfortunate inability for some ISPs to read statements like:
>
> *** please refer to whois.apnic.net for more information ***
> *** before contacting APNIC ***
>
> I have been receiving quite a few demands to fix "my" smurf amplifying
> networks (in particular, one Jon Lusky <lusky@earth.voyageronline.net> has
> been daily sending me a note containing the entirety of Craig's document
> for each of the APNIC delegated networks that shows up in your list. There
> are (sadly, far too many) others, but usually when I send back the canned
> "APNIC is a registry, check here for more information" message, they get
> the hint. Mr. Lusky is apparently "special").
>
> Would it be possible to hit APNIC's whois server for addresses in the APNIC
> blocks (202/7, 210/7, 61/8) before installing them in your web page?
>
> Thanks,
> -drc
--
Jonathan R. Lusky | Voyager Online, LLC
Director of Network Operations | (423) 209-2929
lusky@voyageronline.net | Unlimited PPP $19.95/mo
http://www.hotrod.com | http://www.voyageronline.net
