Smurf Amp Nets

Craig A. Huegen chuegen at quadrunner.com
Fri Jun 19 13:52:49 UTC 1998


On Thu, Jun 18, 1998 at 10:16:38PM -0700, Vern Paxson wrote:
==>> 0.0.0.0
==>> 10.0.4.0
==>> 127.0.0.0
==>> 255.255.255.0
==>
==>These are pretty cool, I must say.  Exactly how does the smurf attacker
==>route their echo requests to them?

For 0.0.0.0 and 255.255.255.255 (common responses to the echo requests),
it's usually due to some network devices which don't check to see if
they have a proper IP address before responding.

i.e., someone didn't configure their printer with an IP address but it
replies anyway.

For 127.0.0.1, I generally see this when a UNIX box is the router
which forwards the directed-broadcast--it replies to itself with a
packet from 127.0.0.1, which is also broken.

10.0.4.0 is certainly interesting, and probably is due to two IP
subnets being run on the same wire.

/cah
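
Added example, not part of the original post: a victim-side triage that buckets ICMP echo-reply source addresses into the cases discussed above (no proper address, loopback, RFC 1918 private space) and counts replies per network. The category names, the /24 aggregation and the sample addresses are assumptions of this example.

```python
import ipaddress
from collections import Counter, defaultdict

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
# RFC 1918 ranges listed explicitly; ipaddress.is_private covers far more.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(src):
    """Bucket one echo-reply source address (category names are this example's own)."""
    addr = ipaddress.IPv4Address(src)
    if addr.is_unspecified or addr == LIMITED_BROADCAST:
        return "no-proper-address"   # device answered without a configured IP
    if addr.is_loopback:
        return "loopback"            # host sourced its reply from 127/8
    if any(addr in net for net in RFC1918):
        return "private"             # private space leaking onto a public wire
    return "other"                   # ordinary amplifier hosts


def triage(sources):
    """Return {category: {/24 network: reply count}} for a list of source IPs."""
    report = defaultdict(Counter)
    for src in sources:
        # Aggregate to /24 so each amplifier network shows up once (assumption).
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        report[classify(src)][str(net)] += 1
    return {category: dict(nets) for category, nets in report.items()}


# Constructed sample: reply sources as a victim's capture might list them.
# 192.0.2.x and 198.51.100.x are documentation addresses standing in for
# real amplifier hosts.
SAMPLE = ["0.0.0.0", "255.255.255.255", "127.0.0.1", "10.0.4.17",
          "10.0.4.23", "192.0.2.5", "192.0.2.9", "198.51.100.40"]

if __name__ == "__main__":
    for category, nets in sorted(triage(SAMPLE).items()):
        for net, count in sorted(nets.items()):
            print(f"{category:18} {net:20} {count}")
```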


