News from the Smurf Amplifier Registry
2002-07-08: Wow, it's been a long time. It seems that over the years we have done a nice job of helping to combat DoS problems; however, the battle is not yet over. Today we were alerted to a network that was incorrectly listed in the blacklist. This turned out to be due to database corruption in our backend. We would like to thank Nicole Haywood, Network Security Officer, University of Sydney (.au) for persuading us to look into this. Also, we sincerely apologize for letting them sit stuck on the blacklist. --email@example.com
1999-03-24: EuroCERT has decided to use the information contained in the SAR database to alert European owners of smurf amplifier networks that have not been fixed. Today, more than 500 EuroCERT case numbers were opened related to European smurf amplifier networks from the SAR. What a great effort!
1999-03-23: More than 10,000 networks have now been fixed after they appeared in the SAR. We congratulate and thank all those involved in helping us out.
1998-10-19: We urge all those of you who are running automatic bulk probes through the regular WWW interface to PLEASE SLOW DOWN THE RATE AT WHICH YOU PROBE. Keep it down to something like one probe per minute per person, please! Overloading our prober does no good to anyone.
1998-08-05: We are looking for volunteers to (a) write documents to put on this page explaining smurf attacks and how to prevent them, (b) increase awareness about smurf attacks and the SAR in particular, (c) off-load us by writing parts of the system that will automatically nag network owners and providers listed here by email. Get in touch at firstname.lastname@example.org.
Note about the status of this project
This is not finished. Try it if you want. At this time you can't do anything but probe networks. Specifically I have not yet implemented the automatic whois lookups, automatic email nagging, and incident reporting functions. I will implement the rest of the functionality soon. PLEASE DO READ THE REST OF THE PAGE!
Why the Smurf Amplifier Registry?
The SAR is a tool for Internet administrators being attacked by or implicated in smurf attacks, or those who wish to take precautions. During the past couple of months, PowerTech has on numerous occasions been hit by smurf attacks. This has forced us to start taking smurfing seriously and to keep a high-profile stand against the people who initiate smurf attacks as well as, unfortunately, those who make them possible.
What does the SAR do for you?
The SAR lets you probe Internet-connected IP networks to see whether or not they are configured in a way that will allow perpetrators to use them for smurf amplification. Probing can be done interactively or in bulk. In interactive mode the SAR will probe a network, find the number of duplicates returned, and save this information in a database. If, and only if, the probed network returns 1 or more duplicate packets, it is marked as "broken". Upon gaining knowledge of a broken network, the SAR will automatically obtain information about the network and notify the relevant people of this.
Anybody can retrieve a full dump of the SAR in plain text or Cisco access-list format at any time. You may use this information to block traffic to or from the listed networks, or to help the contacts for these networks understand how important it is to make their networks unusable for smurf amplification, since this benefits both them and the 'net as a whole. It is at your own discretion whether to block no nets and use this only as a reference, to block all nets, or to block some of them (for instance based on the amplifying factor of the net).
If you are the owner of a listed network or if you know that a network has been fixed you may probe your network yourself, and if no duplicates are returned (i.e. your network has been fixed), YOUR NETWORK WILL AUTOMATICALLY BE CHECKED OUT OF THE "BROKEN" LIST.
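The selective blocking described above (block only some listed networks, based on amplifying factor) can be sketched as follows. This is an added example, not SAR code: the "network duplicates" dump layout, the sample entries and the function names are assumptions, and the duplicate count is used as the amplifying factor.

```python
import ipaddress

# Constructed sample in an assumed "network/prefix duplicates" layout; the real
# SAR dump format is not shown on the page. Addresses are documentation ranges.
SAMPLE_DUMP = """\
# network        duplicates
192.0.2.0/24     37
198.51.100.0/25  4
203.0.113.0/24   0
203.0.113.999/24 12
"""


def parse_dump(text):
    """Return [(network, duplicates)] for well-formed IPv4 lines; skip the rest."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net_s, dup_s = line.split()
            net = ipaddress.ip_network(net_s, strict=True)
            dups = int(dup_s)
        except ValueError:
            continue  # malformed entry: never turn bad input into a filter rule
        if net.version == 4 and dups >= 0:
            entries.append((net, dups))
    return entries


def build_acl(text, min_duplicates=1, acl_number=101):
    """Build Cisco extended access-list lines that drop traffic sourced from
    listed networks returning at least min_duplicates duplicate replies."""
    if min_duplicates < 1:
        # Per the page, a network is "broken" only with 1 or more duplicates.
        raise ValueError("min_duplicates must be >= 1")
    rules = []
    # Worst amplifiers first, so a truncated list still covers them.
    for net, dups in sorted(parse_dump(text), key=lambda e: -e[1]):
        if dups >= min_duplicates:
            # hostmask is the inverted netmask, i.e. the ACL wildcard mask.
            rules.append(f"access-list {acl_number} deny ip "
                         f"{net.network_address} {net.hostmask} any")
    # Extended ACLs end in an implicit deny; keep all other traffic flowing.
    rules.append(f"access-list {acl_number} permit ip any any")
    return rules


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_DUMP, min_duplicates=10)))
```

Raising `min_duplicates` trades coverage for fewer blocked networks; the fixed network with 0 duplicates and the malformed line never produce a rule.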
What can you do for the SAR?
Use the SAR (http://www.powertech.no/smurf/) to probe nets for smurf amplification, and to report incidents where a listed network has been used in an attack against you.
Other related sites
http://www.quadrunner.com/~chuegen/smurf.txt - Craig Huegen's document on smurfing.
http://www.mcs.net/smurf/ - MCSNet's Smurf Information Page.
Author
Idea and implementation by Oystein Homelien [email@example.com] (Edison@IRC). This site is hosted by PowerTech Information Systems AS in Oslo, Norway.