[nsp] known networks for broadcast ping attacks

Jon Lewis jlewis at inorganic5.fdt.net
Tue Aug 12 05:41:14 UTC 1997


On Mon, 11 Aug 1997, some anonymous source wrote:

> the program you are referring to is smurf.c which i believe was already
> discussed on this list.  

I knew that...but I'd forgotten the name of the program.

> the answer to the problem is the fact that there are hard coded
> broadcast addresses within the programs.  the people who are taking out
> servers from irc are the idiots who would not know how to change these. 

This may be true, but what's to stop the writers of smurf and the other
programs from distributing version 2 with all new network addresses?
Fixing the 119 networks used to attack FDT will help, but I doubt it will
solve the problem.

Here's a sorted list of the networks used to attack FDT (pulled from my
1.5mb of tcpdump data which was just a brief sample of the data from our
attack Sunday).  If any of them belong to you, shame on you.

The really interesting ones are the 0.0.0.0 and 255.255.255.255 sources.

18:55:54.836177 0.0.0.0 > 205.229.48.20: icmp: echo reply (ttl 245, id 61586)
18:55:55.816177 255.255.255.255 > 205.229.48.20: icmp: echo reply (ttl 249, id 4

Are these just misconfigured devices on some network from the list below?
I suppose for bonus points, I could write a script to get the contact
addresses from as many of these as possible and email them a note about
how they're being used for network attacks.


------------------------------------------------------------------
 Jon Lewis <jlewis at fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
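
The extraction described in the message above (source networks pulled from tcpdump output of the echo-reply flood) can be reproduced along these lines. This is an added example, not part of the original post and not the author's script; the function names are hypothetical, and the sample lines are constructed in the tcpdump format quoted in the post, using documentation address ranges for every source except the two bogus ones the post shows.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample, not the author's capture. The destination and the two
# bogus sources come from the post; other sources are documentation ranges.
SAMPLE = """\
18:55:54.836177 0.0.0.0 > 205.229.48.20: icmp: echo reply (ttl 245, id 61586)
18:55:55.816177 255.255.255.255 > 205.229.48.20: icmp: echo reply (ttl 249, id 4
18:55:55.900001 192.0.2.17 > 205.229.48.20: icmp: echo reply (ttl 240, id 100)
18:55:55.900002 192.0.2.44 > 205.229.48.20: icmp: echo reply (ttl 240, id 101)
18:55:55.900003 198.51.100.5 > 205.229.48.20: icmp: echo reply (ttl 238, id 102)
18:55:55.900004 203.0.113.9 > 205.229.48.20: icmp: echo request
18:55:55.900005 203.0.113.9.1025 > 205.229.48.20.80: S 1:1(0) win 512
"""

# Match only ICMP echo replies; no closing paren is required, so lines
# truncated by the capture or by mail wrapping still count.
LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp: echo reply")

def reply_sources(text, victim):
    """Yield the source address of every echo reply addressed to victim."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != victim:
            continue
        try:
            yield IPv4Address(m.group(1))
        except ValueError:  # malformed address in the capture text
            continue

def summarize(text, victim):
    """Return (sorted three-octet prefixes, replies per prefix, bogus sources)."""
    per_net, bogus = Counter(), set()
    for src in reply_sources(text, victim):
        per_net[".".join(str(src).split(".")[:3])] += 1
        # 0.0.0.0 and 255.255.255.255 are never valid unicast sources
        if src.is_unspecified or src == IPv4Address("255.255.255.255"):
            bogus.add(str(src))
    nets = sorted(per_net, key=lambda n: tuple(int(o) for o in n.split(".")))
    return nets, per_net, bogus

if __name__ == "__main__":
    nets, per_net, bogus = summarize(SAMPLE, "205.229.48.20")
    for net in nets:
        print(f"{net:<16}{per_net[net]} replies")
    print("invalid sources:", ", ".join(sorted(bogus)))
```

The per-prefix reply counts give a rough ordering of which networks to contact first.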



