No subject
Sean Butler
sebutler at us.ibm.com
Thu Jun 4 18:49:35 UTC 1998
John Fraizer wrote:
>The thing that makes it "interesting" is the fact that most implementations
>DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in
>the neighborhood of 1.7Mb before they routed the netblock in question to a
>loopback interface on the 7507. The attacker was sending less that 300Kb
>of traffic and consuming 2Mb.
Any idea where that much amplification is coming from? For smurf with an echo
request to
a broadcast, its easy to see why there is so much amplification. But for a TCP
or UDP
packet to port 0, wouldn't just one port unreachable be sent back to the
(spoofed) source?
Or is it a broadcast TCP or UDP packet to port 0 ???
Thanks,
Sean Butler, IBM Global Services
More information about the NANOG
mailing list