Huge smurf attack
Phil Howard
phil at whistler.intur.net
Mon Jan 11 17:52:09 UTC 1999
Jeremiah Kristal wrote:
> I agree that clueful operators filter RFC1918 addresses at their borders
> and that they do not accept advertisements for RFC1918 space, however,
> there is a specific network (10.177.180/24) that appears again and again
> in smurf logs. I find it rather interesting that with 65k available /24s
> in the 10/8 space, one specific /24 pops up much more often than any
> other. Granted it's not that large an amplifier, but it seems odd that
> even an RFC1918 network would be used as an amplifier for this long
> without someone finding and securing it.
My biggest suspicion is that the clueless script kiddie(s) involved did
a scan for amplifiers w/o regard to RFC1918 (the number of addresses in
RFC1918 is a mere 0.476% of the whole possible range), and never filtered
them out. They perhaps did make the attack slightly worse than w/o, so
maybe leaving them in was intended. Now if we can identify who has
10.177.180/24 internally, we could be getting somewhere.
One thing that could be useful when reducing attack sniff data to a list
of addresses is to produce a frequency of occurrence for each address.
There may be wide ranges in the frequencies. If 10.177.180/24 shows up
very rarely compared to the rest, that could indicate that the attack is
originating on a relatively low speed network with 10.177.180/24 being
behind that network. OTOH, if it is about the same, then the bandwidth
for that network would be relatively high.
--
-- *-----------------------------* Phil Howard KA9WGN * --
-- | Inturnet, Inc. | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net | --
-- *-----------------------------* philh at intur.net * --
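The frequency-of-occurrence reduction described in the reply above, as an added example that is not Phil Howard's code or anything from the original post. It assumes tcpdump-style `src > dst: icmp: echo reply` lines (the sample capture is constructed), counts replies per source host and per /24, flags RFC1918 sources against an explicit list rather than `ipaddress.is_private` (which also matches documentation ranges such as 192.0.2.0/24), and marks a /24 as "low rate" when its count falls below an arbitrary fraction of the median /24 count, which is the heuristic the post uses to guess that an amplifier sits behind a slow link.

```python
"""Reduce smurf reply captures to per-address and per-/24 frequencies.

Added example: parses tcpdump-style ICMP echo-reply lines, counts how often
each source host and each /24 appears, flags RFC1918 sources, and compares
each /24 against the median so an amplifier that shows up far less often
than the rest stands out as probably sitting behind a slower network.
"""
import ipaddress
import re
from collections import Counter
from statistics import median

# Constructed sample capture (illustrative only; a real capture is far larger).
SAMPLE_CAPTURE = """\
17:52:01.000101 192.0.2.14 > 198.51.100.7: icmp: echo reply
17:52:01.000152 192.0.2.19 > 198.51.100.7: icmp: echo reply
17:52:01.000201 192.0.2.14 > 198.51.100.7: icmp: echo reply
17:52:01.000233 203.0.113.5 > 198.51.100.7: icmp: echo reply
17:52:01.000270 203.0.113.9 > 198.51.100.7: icmp: echo reply
17:52:01.000301 192.0.2.19 > 198.51.100.7: icmp: echo reply
17:52:01.000344 203.0.113.5 > 198.51.100.7: icmp: echo reply
17:52:01.000390 192.0.2.14 > 198.51.100.7: icmp: echo reply
17:52:01.000402 10.177.180.3 > 198.51.100.7: icmp: echo reply
17:52:01.000451 203.0.113.9 > 198.51.100.7: icmp: echo reply
17:52:01.000492 192.0.2.19 > 198.51.100.7: icmp: echo reply
17:52:01.000530 203.0.113.5 > 198.51.100.7: icmp: echo reply
"""

# Assumed line layout: "<timestamp> <src> > <dst>: icmp: echo reply".
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):"
    r"\s+icmp:\s+echo reply"
)

# Explicit RFC1918 list; ipaddress.is_private would also match TEST-NET ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_sources(capture):
    """Yield the source address of every ICMP echo-reply line that matches."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src")


def frequency_report(capture):
    """Return (per_host, per_net): reply counts by source host and by /24."""
    per_host = Counter(parse_sources(capture))
    per_net = Counter()
    for host, n in per_host.items():
        net = ipaddress.ip_network(f"{host}/24", strict=False)
        per_net[str(net)] += n
    return per_host, per_net


def is_rfc1918(net_str):
    """True if the /24 lies inside one of the RFC1918 blocks."""
    net = ipaddress.ip_network(net_str)
    return any(net.network_address in block for block in RFC1918)


def classify_networks(per_net, low_ratio=0.25):
    """Compare each /24 against the median /24 count.

    low_ratio is an arbitrary threshold (assumption): a /24 whose count is
    below low_ratio * median is marked low_rate, i.e. it probably reaches the
    victim through a slower path than the other amplifiers.
    """
    med = median(per_net.values())
    report = {}
    for net, n in per_net.items():
        report[net] = {
            "count": n,
            "ratio": n / med,
            "rfc1918": is_rfc1918(net),
            "low_rate": n < low_ratio * med,
        }
    return report


def ranked_networks(report):
    """List /24s from most to least frequent, for the usual top-N eyeballing."""
    return sorted(report.items(), key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    hosts, nets = frequency_report(SAMPLE_CAPTURE)
    for net, info in ranked_networks(classify_networks(nets)):
        flags = ("RFC1918 " if info["rfc1918"] else "") + ("LOW-RATE" if info["low_rate"] else "")
        print(f"{net:20} {info['count']:6d}  x{info['ratio']:.2f} median  {flags}")
```

On the constructed sample the 10.177.180.0/24 source appears once against five and six replies from the other two /24s, so it is marked both RFC1918 and low rate; on a real capture the interesting question is whether that network's share is similar to or much smaller than the rest, which is what the ratio column is for.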