aroethli at cisco.com
Mon Dec 22 20:23:04 UTC 1997
At 12:50 PM 12/22/97 -0500, you wrote:
>Has anyone seen an increase of broadcast pings, where the source route
>appears to be from a nameserver?
>We took a look through our access-list logs, and it seems all of the
>attempted attacks during the last few days have had an IP-source of a
>Just thought it was curious.
>Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
>jamie at fast.net (610)954-5200 http://www.fast.net/
>FASTNET - Business and Personal Internet Solutions
It is probably just someone 'smurfing', where they fudge the source ip of
the broadcast ping request. The actual source of the ICMP request is
probably entirely different than the nameserver you are seeing in your
logs....hence the difficulty(although not impossible) tracking these attacks.
I would imagine that this poor nameserver in question is also suffering from
the attack as well when all the pinged devices attempt to respond. You
probably have one or more folks using the same dummy address for the source.
This is the nature of the 'smurf' problem.
This is a co-worker of mine that has put together some useful background and
tips addressing this issue.
Hope that helps.
More information about the NANOG