No subject

• Previous message (by thread): US West and RADSL
• Next message (by thread): No subject
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

John Fraizer wrote:
>The thing that makes it "interesting" is the fact that most implementations
>DO send an ICMP unreach back.  The ICMP Unreach traffic alone generated in
>the neighborhood of 1.7Mb before they routed the netblock in question to a
>loopback interface on the 7507.  The attacker was sending less that 300Kb
>of traffic and consuming 2Mb.


Any idea where that much amplification is coming from?  For smurf with an echo
request to
a broadcast, its easy to see why there is so much amplification.  But for a TCP
or UDP
packet to port 0, wouldn't just one port unreachable be sent back to the
(spoofed) source?
Or is it a broadcast TCP or UDP  packet to port 0 ???

Thanks,
Sean Butler, IBM Global Services

• Previous message (by thread): US West and RADSL
• Next message (by thread): No subject
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]