Broadcast pings.
Jamie Scheinblum
jamie at fast.net
Mon Dec 22 21:04:30 UTC 1997
Yeah that was my initial thought, but we've been hit now from multiple
nameservers (and constantly machines that are named "ns" or appear in a
'nic record). I just found it odd that we're only getting hit from
machines matching this pattern. I guess it was random, but you never
know :-)
Best regards,
Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
jamie at fast.net (610)954-5200 http://www.fast.net/
FASTNET - Business and Personal Internet Solutions
> -----Original Message-----
> From: Al Roethlisberger [SMTP:aroethli at cisco.com]
> Sent: Monday, December 22, 1997 3:23 PM
> To: Jamie Scheinblum
> Cc: nanog at merit.edu
> Subject: Re: Broadcast pings.
>
> At 12:50 PM 12/22/97 -0500, you wrote:
> >Has anyone seen an increase of broadcast pings, where the source route
> >appears to be from a nameserver?
> >
> >We took a look through our access-list logs, and it seems all of the
> >attempted attacks during the last few days have had an IP-source of a
> >nameserver.
> >
> >Just thought it was curious.
> >
> >Best regards,
> >
> >Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
> >jamie at fast.net (610)954-5200 http://www.fast.net/
> >FASTNET - Business and Personal Internet Solutions
> >
>
>
> Jamie,
>
> It is probably just someone 'smurfing', where they fudge the source IP of
> the broadcast ping request. The actual source of the ICMP request is
> probably entirely different than the nameserver you are seeing in your
> logs... hence the difficulty (although not impossible) tracking these
> attacks.
>
> I would imagine that this poor nameserver in question is also suffering from
> the attack as well when all the pinged devices attempt to respond. You
> probably have one or more folks using the same dummy address for the source.
> This is the nature of the 'smurf' problem.
>
> Check out:
>
> http://www.quadrunner.com/~chuegen/smurf.cgi
>
> This is a co-worker of mine that has put together some useful background and
> tips addressing this issue.
>
> Hope that helps.
>
> al
>
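
Added example, not part of the original thread: a way to review access-list logs for the pattern discussed above, counting ICMP echo requests aimed at broadcast addresses and grouping them by the claimed (likely forged) source. The log lines are constructed in the style of Cisco IOS ACL logging, and the subnets and all addresses are assumed documentation-range values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Cisco IOS access-list logging;
# all addresses are documentation ranges, not taken from the thread.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.53 -> 192.0.2.255 (8/0), 4 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.53 -> 192.0.2.0 (8/0), 2 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.0.2.127 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.0.2.17 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 192.0.2.255 (0/0), 3 packets
%SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.53(53) -> 192.0.2.255(53), 1 packet
"""

# Assumed local subnets whose network/broadcast addresses we watch.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/25"),
                 ipaddress.ip_network("192.0.2.128/25")]

LINE_RE = re.compile(
    r"denied icmp (?P<src>\S+) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?")

def broadcast_targets(subnets):
    """Addresses that make every host on a subnet answer: the directed
    broadcast and the all-zeros network address (old-style broadcast)."""
    targets = set()
    for net in subnets:
        targets.add(net.broadcast_address)
        targets.add(net.network_address)
    return targets

def claimed_sources(log_text, subnets):
    """Count ICMP echo requests (type 8) aimed at broadcast addresses,
    keyed by the source address claimed in the packet. In a smurf attack
    that address is forged and belongs to the victim, not the sender."""
    targets = broadcast_targets(subnets)
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["type"] != "8":
            continue
        if ipaddress.ip_address(m["dst"]) in targets:
            hits[m["src"]] += int(m["count"])
    return hits

if __name__ == "__main__":
    for src, n in claimed_sources(SAMPLE_LOG, LOCAL_SUBNETS).most_common():
        print(f"{n:4d} broadcast echo requests claiming source {src}")
```

A source that tops this count is a candidate victim to notify, not proof of where the packets originated.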