If you're monitoring my page on this, you want to take a look in another
We were just hit by another major smurf attack, and I captured over a dozen
new prefixes (which got added to our "bite me" list).
http://www.mcs.net/smurf (update in process right now; give it 10-15
Isn't there a dedicated list for this yet?
Having been bludgeoned into near-coma by the last month's deluge of
smurf-related stuff - some technically ridiculous, some only
bureaucratically tedious - I don't feel moved to track the "bite-me" list in
real-time (15 minutes *ahead* of real-time, in fact, mirabile dictu).
In the spirit of some recently offered theories, I believe smurfing is
really a cleverly disguised DOS attack, aimed not at the ostensible victims,
rather against the readership of NANOG. Once we're lulled into a torpor by
the smurf postings, our disks will fill to an un-fsckable jumble, 15 full
minutes ahead of real-time.
Take it out in the hall, will ya?
While I applaud your efforts and think it is the right thing to do (given a lack
of action on the part of ISPs responsible and the damage smurf attacks can
cause), I have one (hopefully minor) request:
Due to the unfortunate inability of some ISPs to read statements like:
*** please refer to whois.apnic.net for more information ***
*** before contacting APNIC ***
I have been receiving quite a few demands to fix "my" smurf amplifying
networks (in particular, one Jon Lusky <email@example.com> has
been daily sending me a note containing the entirety of Craig's document
for each of the APNIC delegated networks that shows up in your list. There
are (sadly, far too many) others, but usually when I send back the canned
"APNIC is a registry, check here for more information" message, they get
the hint. Mr. Lusky is apparently "special").
Would it be possible to hit APNIC's whois server for addresses in the APNIC
blocks (202/7, 210/7, 61/8) before installing them in your web page?
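
The lookup requested in the last message, as an added Python example that is not from any poster in the thread: it tests whether a listed prefix falls inside the APNIC blocks named there, queries whois.apnic.net for the actual delegation, and extracts the holder's fields. The `inetnum`/`netname`/`admin-c`/`tech-c` field names follow APNIC's RPSL-style output; the sample reply and all function names are constructed for illustration.

```python
import ipaddress
import socket

# APNIC blocks exactly as named in the message above (202/7, 210/7, 61/8).
APNIC_BLOCKS = [ipaddress.ip_network(n)
                for n in ("202.0.0.0/7", "210.0.0.0/7", "61.0.0.0/8")]
APNIC_WHOIS = "whois.apnic.net"
# Constructed sample reply (not real registry data), used for offline runs.
SAMPLE_REPLY = ("% [whois.apnic.net]\n"
                "inetnum:        203.0.113.0 - 203.0.113.255\n"
                "netname:        EXAMPLE-NET\n"
                "admin-c:        EX1-AP\ntech-c:         EX2-AP\n")

def in_apnic_space(prefix):
    """True if the prefix lies entirely inside one of the APNIC blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in APNIC_BLOCKS)

def whois_query(server, query, timeout=10):
    """WHOIS exchange (RFC 3912): send query + CRLF on TCP/43, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")

def parse_holder(response):
    """Extract the delegation's fields; lines starting with '%' are comments."""
    wanted = ("inetnum", "netname", "admin-c", "tech-c")
    record = {}
    for line in response.splitlines():
        if line.startswith("%") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip().lower()
        if key in wanted and key not in record:
            record[key] = value.strip()
    return record

def contact_for(prefix, lookup=whois_query):
    """Holder record for an APNIC-space prefix, or None if outside those blocks."""
    if not in_apnic_space(prefix):
        return None  # not APNIC space: nothing to ask whois.apnic.net
    net = ipaddress.ip_network(prefix, strict=False)
    return parse_holder(lookup(APNIC_WHOIS, str(net.network_address)))
```

Passing `lookup=lambda server, query: SAMPLE_REPLY` to `contact_for` exercises the parsing without touching the network.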