SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!

All,

Here is my contribution to the block list. The script that generated
this will follow. It is 'public domain', in that it can be modified,
BUT, please give credit where credit is due!

!!!!!NOTE: This script assumes that the offending bounce sites are /24
blocks. It isn't that smart yet, but if someone can figure out a way to
glean more info, modify the script and repost.

#!/bin/ksh

I'm sorry for the intrusion, I'm not a "North American Network Operator", but
what I'm going to say could (I hope) be relevant to all the Internet community.

....
194.184.1.0
194.184.148.0
194.184.179.0
194.184.204.0
....
195.223.41.0

You'll probably have little luck trying to get even one of the routers on these
networks fixed. It's because these netblocks are allocated to Interbusiness, an
Italian NSP who mainly sells connectivity to other ISPs and companies.

They refuse to give access to the routers installed on the customer's side, so
EVERY network (mostly /24s) in their allocations could be a smurf amplifier if
enough hosts are connected.

Their allocations are:

194.184/16
195.223/16
195.31/16
195.103/16
195.120/16
212.210/16

One could argue that having access to all the routers on the customer's side
could enable them to put a "no ip directed-broadcast" on all their routers (all
Ciscos) in a minute, but unfortunately Interbusiness is well known to have all
role accounts @interbusiness.it redirected to /dev/null.

I'll try to do my best to contact them and get their routers fixed.

Regards.

It'd be nice if there were a more organized effort to collect these
addresses, but for the time being, here's my list. I've actually got
a bunch more, but these are hand-picked for having a large
amplification factor and also for not appearing on the mcs.net page.

  194.47.135
  194.47.136
  164.156.26
  204.30.35
  204.199.101

Here's a small subset of a packet log received from a rather large
attack Friday. The second field is the number of packets received
from the /24s in the time the log spans.

Some of the addresses are interesting; for example, the handful of
10.* blocks; however, I did receive icmp echo_reply traffic from them.


Here's a small subset of a packet log received from a rather large
attack Friday. The second field is the number of packets received
from the /24s in the time the log spans.

Some of the addresses are interesting; for example, the handful of
10.* blocks; however, I did receive icmp echo_reply traffic from them.

<SNIP>

204.162.80 11

This was behind a 56K frame link, it is now fixed.

204.162.81 494

What the #$%^& is this? This is a class C which is divided into
a /25 and two /26's. One of the /26's was open (not any more). If
the number at the end is the quantity of hosts the program collecting
data needs to be checked. If this number is something else please
specify.

204.162.84 18

One of my compatriots had a /27 which was open. It should be closed
now.

204.162.86 19

Behind a 56K but now fixed.

I have turned off ip directed broadcasts on all links in our network
so the 204.162.80.0/21 netblock should be clean.

Is Karl adding these to his list? If so do we need to go through the
normal contact procedure (call MCS's NOC) to be removed?

bye,
ken emery
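
The per-/24 tally discussed in this thread, as an added example that is not code from any of the posters: it reports both packets and distinct source hosts per /24, the two quantities the question above distinguishes, and flags RFC 1918 sources such as the 10.* entries. The log line format, the sample lines and the function names are assumptions constructed for illustration; bucketing by /24 does not reveal subnetting such as the /25 and /26 split described above.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges; a source in one of these cannot be traced to a
# site by address alone, so it is flagged instead of being listed for contact.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input (assumed format, documentation addresses):
# "<time> <src> > <dst>: icmp: echo reply"
SAMPLE_LOG = """\
12:00:01.10 192.0.2.1 > 203.0.113.9: icmp: echo reply
12:00:01.11 192.0.2.2 > 203.0.113.9: icmp: echo reply
12:00:01.12 192.0.2.1 > 203.0.113.9: icmp: echo reply
12:00:01.13 198.51.100.130 > 203.0.113.9: icmp: echo reply
12:00:01.14 10.0.22.5 > 203.0.113.9: icmp: echo reply
12:00:01.15 192.0.2.77 > 203.0.113.9: icmp: echo request
garbage line
"""

def summarize(log_text):
    """Map each source /24 (first three octets) to (packets, hosts, private)."""
    packets = defaultdict(int)
    hosts = defaultdict(set)
    private = {}
    for line in log_text.splitlines():
        fields = line.split()
        # Only echo replies count; requests and malformed lines are skipped.
        if len(fields) < 4 or fields[-2:] != ["echo", "reply"]:
            continue
        try:
            src = ipaddress.IPv4Address(fields[1])
        except ValueError:
            continue
        prefix = str(src).rsplit(".", 1)[0]
        packets[prefix] += 1
        hosts[prefix].add(src)
        private[prefix] = any(src in net for net in RFC1918)
    return {p: (packets[p], len(hosts[p]), private[p]) for p in packets}

def report(log_text):
    """Lines of '<prefix> <packets> <hosts>', busiest /24 first."""
    rows = sorted(summarize(log_text).items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [f"{p} {n} {h}" + (" RFC1918" if priv else "") for p, (n, h, priv) in rows]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```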

Hi folks,

204.183.36 11

is mine and is now fixed. Sorry for the problem. Must have missed this
interface.

Chuck Davisson
Network Engineer
TTSG