SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!

Tim_Salo · May 1, 1998, 4:47pm

Date: Thu, 30 Apr 1998 22:31:28 -0500 (CDT)
From: tim@alpha.net
Subject: Re: SMURF AMPLIFIER BLOCK LIST -- VERY LARGE!!!!!!!!!!!!!!!
To: nanog@merit.edu

It'd be nice if there were a more organized effort to collect these
addresses, but for the time being, here's my list. I've actually got
a bunch more, but these are hand-picked for having a large
amplification factor and also for not appearing on the mcs.net page.

  194.47.135
  194.47.136
  164.156.26
  204.30.35
  204.199.101

It would be interesting to see if the use of these networks as smurf
aplifiers increases once they are published on nanog.

(Are we doing all the hard work for the smurfers, namely creating a
consolidated list of all of the known smurf amplifiers?)

-tjs

Karl_Denninger1 · May 1, 1998, 5:18pm

It doesn't do 'em a damn bit of good if we all also block 'em at our
entrances.

John_Golovich · May 1, 1998, 1:55pm

Here is an overview of my situation and I felt that someone here may
be able to help out. I work for an ISP and also run a cottagenet.
One of the cottagenets in the area was interested in running
a t-1to my location.

We would then act as a peering of sorts. I could send traffic
through him while he sends through me. We are both on different
backbones so I felt it could be beneficial.

I know BGP would have to be run, but I am curious what other sort of
thing I will have to read up on before this is possible.

Jared_Mauch · May 1, 1998, 5:28pm

It would be interesting to see if the use of these networks as smurf
aplifiers increases once they are published on nanog.

I agree. It would be interesting to see.

(Are we doing all the hard work for the smurfers, namely creating a
consolidated list of all of the known smurf amplifiers?)

It actually increases the likeleyhood that they will get
filtered, noticed, and fixed by the owner of the ip space. If
a few of us filter them, and they start to get used as amplifiers,
they will start to notice a bit more (hopefully) that their
connectivity is starting to suck, by sending out all these icmp
replies, and track it down.

- Jared

Dirk_Harms-Merbitz2 · May 1, 1998, 5:41pm

> (Are we doing all the hard work for the smurfers, namely creating a
> consolidated list of all of the known smurf amplifiers?)

Of course. But that's the fastest way to bring this to an end.

Dirk

Glen_Turner3 · May 4, 1998, 12:38am

Tim Salo wrote:

It would be interesting to see if the use of these
networks as smurf aplifiers increases once they are
published on nanog.

Yes they do -- we had one , customer flinders.edu.au, on
Karl's list and our logs show significantly more activity
for that client than other sites that were not protected but
not on Karl's list.

Personally, though, I'm growing less and less fond of Karl's
list. The procedures on his web page don't work for people
outside the US (Karl's NOC is not 24hr) and direct e-mail
doesn't seem to work either.

It's annoying to have fixed a problem promptly but still be
getting bad press about it.

Cheers,
glen

Karl_Denninger1 · May 4, 1998, 2:06pm

Let's see...

There are eight hours during which the NOC is not directly open.

So you're saying that you're open (and able to call us) for less than 8 hours?

And I see that you also don't identify the network involved above.

Oh well. Guess there's nothing we can do if you won't tell us what's going
on.