[31515] in North American Network Operators' Group

Re: netscan.org update

daemon@ATHENA.MIT.EDU (Simon Lyall)
Tue Sep 26 17:29:14 2000

Date: Wed, 27 Sep 2000 09:24:12 +1200 (NZST)
From: Simon Lyall <simon.lyall@ihug.co.nz>
To: nanog@merit.edu
In-Reply-To: <20000926115343.S32511@haybaler.sackheads.org>
Message-ID: <Pine.LNX.4.02.10009270908001.17835-100000@firewater.ihug.co.nz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 26 Sep 2000, John Payne wrote:
> I'm not saying that having a list is a bad idea.  But it should be a list
> of amps that have been found using logs from attacks, not by going out
> and scanning for them

The problem with reasonably sized smurfs is that you can't just casually
log them and trace back. If I want to go after open mail relays I can just
look at the headers of spam I personally get and trace these back to the
providers.

Logging 10-100 Mb/s smurfs (which we see several per day) on the other
hand is not something you can just do and trace back. That level of
traffic tends to melt whatever you try to log it with unless you throw a
bit of time and hardware into preparing to log it.

Of course when it's 50 machines scattered across the Internet all spoofing
random source addresses then don't even bother.

-- 
Simon Lyall.                |  Newsmaster  | Work: simon.lyall@ihug.co.nz
Senior Network/System Admin |              | Home: simon@darkmere.gen.nz
ihug, Auckland, NZ          | Asst Doorman | Web: http://www.darkmere.gen.nz
