Spoofed Packets

Henry Linneweh linneweh at concentric.net
Mon Apr 20 16:23:50 UTC 1998

Sounds like that new nestea multi-protocol nuke

Gary R. Mensenares wrote:

> Aaaarrrggghhh! I have been under attack since 2:30AM HKT and it only
> stopped just now.
> I am quite familiar with smurfs. As a matter of fact, I have turned off
> directed broadcast on every Cisco router I have. Constantly I am reminding
> my clients to do the same thing. It is sad that some people out there
> arent doing their part.
> But what bothers me the most is this most recent attack. Smurfs are ICMPs
> right? Well based on the logs I got, I was receiving all sorts of packets
> from "non-routable" addresses. This floored my International Private Line
> to MCI. I dont think they are smurfs because they do not belong to the
> same network. The protocols vary too, udp, icmp and tcp. Even the ports
> change. In other words, nothing is common except that they all pass thru
> the same gateway to our network.
> Being an ISP outside the US, bandwidth is very scarce and thus expensive
> from where I come from. I am filtering these packets so they never reach
> my clients. But still, the evil payload is dropped on my doorstep and it
> still consumes my precious bandwidth. Shouldnt MCI, or any other provider
> be filtering this on their borders? And if they are, there shouldn't be
> any packets of this variety running around their links, right? So how do
> these little blasted packets end up running around the internet?
> I am going to be very grateful if some kind souls can help point me to
> documentation on how to track these down and possible effectively prevent
> it from eating my line.
> Thanks!
> ---
> Gary Mensenares
> IPhil Communications Network Incorporated


More information about the NANOG mailing list