SMURF amplifier block list

Michael Shields shields at crosslink.net
Mon Apr 13 09:51:03 UTC 1998


In article <Pine.BSI.3.93.980412085359.7879a-100000 at sidhe.memra.com>,
Michael Dillon <michael at memra.com> wrote:
> If Karl will supply us the IP address of a non-critical machine in his
> network then we only need one list maintained. Anyone can then add new
> networks to Karl's list simply by smurfing his non-critical machine and it
> will still meet his criteria of a verified attack.

Careful.  I could, from a well-connected machine, launch a stream of
forged ICMP echo replies from various 199.166.227.x addresses.  This
would cause it to look like junction.net was the source of a smurf,
and cause them to be blocked.

Well, in the case of junction.net, there is no such forgery needed.

    ~$ host www.memra.com
    www.memra.com           A       199.166.227.56
    ~$ ping 199.166.227.255
    PING 199.166.227.255 (199.166.227.255): 56 data bytes
    64 bytes from 134.87.109.226: icmp_seq=0 ttl=243 time=110.2 ms
    64 bytes from 199.166.227.41: icmp_seq=0 ttl=51 time=111.0 ms (DUP!)
    64 bytes from 199.166.227.32: icmp_seq=0 ttl=242 time=112.2 ms (DUP!)
    64 bytes from 199.166.227.54: icmp_seq=0 ttl=51 time=112.8 ms (DUP!)
    64 bytes from 199.166.227.5: icmp_seq=0 ttl=51 time=113.7 ms (DUP!)
    64 bytes from 199.166.227.27: icmp_seq=0 ttl=51 time=114.3 ms (DUP!)
    64 bytes from 199.166.227.22: icmp_seq=0 ttl=51 time=115.0 ms (DUP!)
    64 bytes from 199.166.227.1: icmp_seq=0 ttl=51 time=115.7 ms (DUP!)
    64 bytes from 199.166.227.12: icmp_seq=0 ttl=242 time=116.4 ms (DUP!)
    64 bytes from 199.166.227.19: icmp_seq=0 ttl=51 time=117.0 ms (DUP!)
    64 bytes from 199.166.227.21: icmp_seq=0 ttl=242 time=117.7 ms (DUP!)
    64 bytes from 199.166.227.28: icmp_seq=0 ttl=51 time=118.3 ms (DUP!)
    64 bytes from 199.166.227.26: icmp_seq=0 ttl=242 time=119.0 ms (DUP!)

    --- 199.166.227.255 ping statistics ---
    1 packets transmitted, 1 packets received, +12 duplicates, 0% packet loss
    round-trip min/avg/max = 110.2/114.8/119.0 ms

-- 
Shields, CrossLink.
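
Added example, not part of the original message: a small Python parser for a ping transcript like the one above, for auditing whether a prefix you operate answers directed-broadcast echo requests, and with what reply-to-probe ratio. The function name `audit_broadcast_ping` and the shortened sample transcript are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, shortened from the transcript format shown in the post.
SAMPLE = """\
PING 199.166.227.255 (199.166.227.255): 56 data bytes
64 bytes from 134.87.109.226: icmp_seq=0 ttl=243 time=110.2 ms
64 bytes from 199.166.227.41: icmp_seq=0 ttl=51 time=111.0 ms (DUP!)
64 bytes from 199.166.227.32: icmp_seq=0 ttl=242 time=112.2 ms (DUP!)
64 bytes from 199.166.227.54: icmp_seq=0 ttl=51 time=112.8 ms (DUP!)
1 packets transmitted, 1 packets received, +3 duplicates, 0% packet loss
"""

REPLY = re.compile(r"^\d+ bytes from (\d+\.\d+\.\d+\.\d+): icmp_seq=(\d+)", re.M)
SENT = re.compile(r"^(\d+) packets transmitted", re.M)


def audit_broadcast_ping(ping_output, prefix):
    """Summarise replies to a broadcast ping against `prefix` (CIDR string)."""
    net = ipaddress.ip_network(prefix)
    sent_match = SENT.search(ping_output)
    if sent_match is None:
        raise ValueError("no 'packets transmitted' summary line found")
    sent = int(sent_match.group(1))

    replies = REPLY.findall(ping_output)          # list of (source, seq)
    per_seq = Counter(seq for _, seq in replies)  # replies per probe
    sources = sorted({ipaddress.ip_address(src) for src, _ in replies})

    return {
        "sent": sent,
        "replies": len(replies),
        "responders": [str(a) for a in sources],
        # Sources outside the probed prefix, e.g. a router answering
        # from another interface address.
        "outside_prefix": [str(a) for a in sources if a not in net],
        # Replies received per echo request sent.
        "factor": len(replies) / sent if sent else 0.0,
        # More than one reply to a single probe means the broadcast
        # address was honoured by several hosts.
        "amplifier": any(count > 1 for count in per_seq.values()),
    }


if __name__ == "__main__":
    for key, value in audit_broadcast_ping(SAMPLE, "199.166.227.0/24").items():
        print(f"{key}: {value}")
```
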


