[31470] in North American Network Operators' Group


Re: netscan.org update

daemon@ATHENA.MIT.EDU (Clayton Fiske)
Sun Sep 24 21:32:25 2000

Date: Sun, 24 Sep 2000 18:29:02 -0700
From: Clayton Fiske <clay@bloomcounty.org>
To: nanog@merit.edu
Message-ID: <20000924182902.B752@bloomcounty.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <Pine.SOL.3.96.1000924135820.6250D-100000@secure>; from woody@zocalo.net on Sun, Sep 24, 2000 at 02:01:32PM -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Sun, Sep 24, 2000 at 02:01:32PM -0700, Bill Woodcock wrote:
> 
> It's sounding like what we're working our way around to is that two
> separate BGP feeds would be needed:
> 
> 1) One with an announcement of all of the /32s which are broadcast
> addresses of amplifier networks, so that operators can route traffic
> _destined_ for those /32s to Null0.

This may curtail some smurf activity and, with logging, could allow
tracking down of the attack source in a (more) timely manner. It would
be much easier to catch someone if your monitoring system told you about
the attack right when it started, rather than getting a phone call 30-60
minutes later from someone who's managed to get xx other providers to
cooperate and trace the source to your network.

However, this does nothing to encourage anyone to fix their network. Who's
going to notice that directed broadcasts -aren't- reaching them via your
network?


> 2) Another with an announcement of all of the whole blocks of amplifier
> addresses, so that operators who choose to can create policy-routes which
> specify that traffic _originating_ from those addresses (and which are
> _also_ ICMP echo-replies, perhaps) gets policy routed to Null0.

This sounds a lot more like it would accomplish something the way the MAPS
RBL does. If you're listed, your mail server can't communicate with a lot
of networks out there until you fix it. It doesn't just help block spam, it
provides incentive for you to do something about the problem. Same with
listing the entire offending subnet here. Your network doesn't get to 
communicate with mine in any way until you fix it.

> I'd guess that feed #1 would be an easy sell, and that many fewer people
> would use feed #2 as well, but both seem like good ideas.

Agreed. Then again, maybe those bothered enough by smurf attacks would en
masse form an effective percentage by going with #2.

-c
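One way an operator could consume the two feeds Bill describes, as an added example written here and not taken from the thread: a Python script that turns feed #1's /32 broadcast addresses into destination null routes and feed #2's amplifier blocks into a source-based policy route, emitting Cisco IOS style configuration. The discard next-hop 192.0.2.1, the ACL and route-map names, the interface name and the feed contents (RFC 5737 documentation ranges) are all constructed assumptions. The script refuses anything wider than a /32 in feed #1, since null-routing a whole block by destination is not what that feed is for, and rejects feed #2 entries with host bits set.

```python
"""Turn the two proposed amplifier feeds into router configuration.

Feed #1 carries /32 broadcast addresses of amplifier networks and becomes
destination-based null routes; feed #2 carries the whole amplifier blocks
and becomes a source-based policy route for ICMP echo replies.
"""
import ipaddress
from typing import Iterable, List

# Assumed values: an unused address statically routed to Null0 (the usual
# remote-triggered black hole pattern) and names for the ACL / route-map.
DISCARD_NEXT_HOP = "192.0.2.1"
AMP_ACL = "AMPLIFIER-SOURCES"
AMP_ROUTE_MAP = "DROP-AMPLIFIER-REPLIES"

# Constructed sample feed contents using RFC 5737 documentation ranges;
# they are not real amplifier networks.
SAMPLE_FEED1 = ["198.51.100.255", "203.0.113.127"]
SAMPLE_FEED2 = ["198.51.100.0/24", "203.0.113.0/25"]


def _ipv4_network(entry: str) -> ipaddress.IPv4Network:
    """Parse one feed entry; reject IPv6 and masks with host bits set."""
    net = ipaddress.ip_network(entry, strict=True)  # "10.0.0.1/24" -> ValueError
    if net.version != 4:
        raise ValueError(f"only IPv4 entries are supported: {entry}")
    return net


def feed1_config(broadcast_hosts: Iterable[str]) -> List[str]:
    """Feed #1: black-hole traffic *destined* for each amplifier broadcast /32.

    Only host routes are accepted. A wider prefix here would null-route an
    entire network by destination, which is not what feed #1 is meant to do.
    """
    lines = [f"ip route {DISCARD_NEXT_HOP} 255.255.255.255 Null0"]
    for entry in broadcast_hosts:
        net = _ipv4_network(entry)
        if net.prefixlen != 32:
            raise ValueError(f"feed #1 entry is not a /32: {entry}")
        lines.append(
            f"ip route {net.network_address} 255.255.255.255 {DISCARD_NEXT_HOP}"
        )
    return lines


def feed2_config(amplifier_blocks: Iterable[str], ingress_interface: str) -> List[str]:
    """Feed #2: policy-route ICMP echo replies *sourced* from listed blocks to Null0.

    The `log` keyword on each ACL entry is what gives the early warning the
    mail talks about: a burst of matches means an attack is in progress now.
    Packets that match no entry are forwarded normally.
    """
    lines = [f"ip access-list extended {AMP_ACL}"]
    for entry in amplifier_blocks:
        net = _ipv4_network(entry)
        lines.append(
            f" permit icmp {net.network_address} {net.hostmask} any echo-reply log"
        )
    lines += [
        "!",
        f"route-map {AMP_ROUTE_MAP} permit 10",
        f" match ip address {AMP_ACL}",
        " set interface Null0",
        "!",
        f"interface {ingress_interface}",
        f" ip policy route-map {AMP_ROUTE_MAP}",
    ]
    return lines


def render(feed1: Iterable[str], feed2: Iterable[str], ingress_interface: str) -> str:
    """Full configuration text for both feeds."""
    return "\n".join(
        ["! ---- feed #1: destination null routes ----"]
        + feed1_config(feed1)
        + ["!", "! ---- feed #2: source-based policy route ----"]
        + feed2_config(feed2, ingress_interface)
    )


if __name__ == "__main__":
    print(render(SAMPLE_FEED1, SAMPLE_FEED2, "Serial0/0"))
```

Running the script prints both configuration halves for the sample feeds. The separation matters for the point made in the mail: feed #1 only stops packets going *to* the amplifier's broadcast address, so the amplifier network itself notices nothing, while feed #2 drops echo replies coming *from* the whole block, which is what gives that network a reason to fix itself.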
