About last smurf floods - additional info

Mikael Abrahamsson swmike at swm.pp.se
Wed Nov 25 12:26:56 UTC 1998


On Wed, 25 Nov 1998, Alex P. Rudnev wrote:

>  - there was 3 or 4 SMURF attacks againts .PSU.EDU servers. 
> May be, some of them was forwarded to DAL.NET because it's IRC server 
> and all (ALL) this attacks was done to show _I am very BIG and you are 
> NOTHING_ in IRC conversation, or _I have 10 shells in XXX.GOV and you 
> have not_ or _My shells are better than yours_.

A lot of these people have already gone back to SYN flooding from spoofed
random IPs. Kills the CPU in your router in notime. Less bandwidth is
wasted though, 10-20 mbit is usually enough for them to get results. They
cannot amplify it though, always something...

What really should be fixed is not the smurf relays, but prohibit people
from spoofing packets. Most DoS rely on your ability to send packets with
a sender adress that doesnt belong on your local network. If this could be
stopped we would see much less attacks and the attacks would be easier to
trace.

-----
Mikael Abrahamsson    email: swmike at swm.pp.se




More information about the NANOG mailing list