Broadcast pings.

• Previous message (by thread): [nanog] Broadcast pings.
• Next message (by thread): Broadcast pings.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 12:50 PM 12/22/97 -0500, you wrote:
>Has anyone seen an increase of broadcast pings, where the source route
>appears to be from a nameserver?
>
>We took a look through our access-list logs, and it seems all of the
>attempted attacks during the last few days have had an IP-source of a
>nameserver.
>
>Just thought it was curious.
>
>Best regards,
>
>Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
>jamie at fast.net (610)954-5200 http://www.fast.net/
>FASTNET - Business and Personal Internet Solutions
>


Jamie,

It is probably just someone 'smurfing', where they fudge the source ip of
the broadcast ping request.  The actual source of the ICMP request is
probably entirely different than the nameserver you are seeing in your
logs....hence the difficulty(although not impossible) tracking these attacks.

I would imagine that this poor nameserver in question is also suffering from
the attack as well when all the pinged devices attempt to respond.  You
probably have one or more folks using the same dummy address for the source.
This is the nature of the 'smurf' problem.

Check out:

http://www.quadrunner.com/~chuegen/smurf.cgi

This is a co-worker of mine that has put together some useful background and
tips addressing this issue.

Hope that helps.

al

• Previous message (by thread): [nanog] Broadcast pings.
• Next message (by thread): Broadcast pings.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]