smurf amp nets, the registry (SAR)

Brandon Ross bross at mindspring.net
Wed Jun 17 00:38:22 UTC 1998


On Tue, 16 Jun 1998, Paul Mansfield wrote:

> On Mon, 15 Jun 1998, Oystein Homelien wrote:
> > the prefix length is wrong, but in other cases I am at a loss - the hosts
> > in the probed network actually seem to return more than one response per
> > request.  I have no idea why.  We saw this with the 193.55.112.0/24
> > network, for instance (which has now been fixed).
> 
> this could be because
> a) there could be a 10.0 internal LAN remapped into a normal IP space?

Actually this will happen if there's a private network on the same
ethernet as a public network.  For example, in Cisco parlance, the
following config would do it:

interface Ethernet0
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 193.55.112.1 255.255.255.0

Since the broadcast to 193.55.112.255 gets sent to the all 1's MAC
address, all the devices on that LAN respond, some of which are using the
private IP space.

Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info at mindspring.com
AOL Instant Messenger:  Brandon NR                          ICQ:  2269442

Stop Smurf attacks!  Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
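
Added example (not part of the original message and not Cisco tooling): a small Python audit of an IOS-style configuration that reports, per interface, which subnet broadcast addresses share one Ethernet segment and whether directed broadcasts are blocked. Ethernet1, its 192.0.2.0/24 address and the function name audit are assumptions; a missing "no ip directed-broadcast" line is treated as forwarding enabled, which was the default in IOS releases before 12.0.

```python
import ipaddress

# Constructed sample: Ethernet0 is the interface from the message; Ethernet1
# and its 192.0.2.0/24 address are hypothetical and show the mitigation line.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 193.55.112.1 255.255.255.0
!
interface Ethernet1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
"""

def audit(config):
    """Map interface name -> directed-broadcast exposure facts."""
    found, name = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):
            # Top-level line: opens an interface block or closes the current one.
            name = words[1] if len(words) == 2 and words[0] == "interface" else None
            if name:
                found[name] = {"nets": [], "blocked": False}
        elif name and words[:2] == ["ip", "address"] and len(words) >= 4:
            found[name]["nets"].append(
                ipaddress.ip_interface(f"{words[2]}/{words[3]}").network)
        elif name and words == ["no", "ip", "directed-broadcast"]:
            found[name]["blocked"] = True
    report = {}
    for name, info in found.items():
        private = [n.is_private for n in info["nets"]]
        report[name] = {
            "broadcasts": sorted(str(n.broadcast_address) for n in info["nets"]),
            # Several subnets on one wire: one all-ones frame reaches every host.
            "shared_segment": len(info["nets"]) > 1,
            "private_and_public": any(private) and not all(private),
            # Assumption: no explicit "no ip directed-broadcast" means the
            # router forwards directed broadcasts onto this segment.
            "forwards_directed_broadcast": not info["blocked"],
        }
    return report

if __name__ == "__main__":
    for name, facts in audit(SAMPLE_CONFIG).items():
        print(name, facts)
```

An interface reported with both shared_segment and forwards_directed_broadcast set is the case described in the message: a probe to one subnet's broadcast address can draw replies from hosts numbered in the other subnet as well.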



