Huge smurf attack

Phil Howard phil at whistler.intur.net
Mon Jan 11 16:39:59 UTC 1999


Jeremiah Kristal wrote:

> I find it even more interesting how often I see 10.177.180.0/24 showing up
> in smurf logs.  Is there some equipment that defaults to this network,
> some manual that uses this as an example, or is there a specific LAN that
> gets hit on every major smurf attack?  If it's really one network, you
> would think we could find and provide clue to the operator(s).

It could be leaking to the Internet in _some_ places (but it isn't here).
It might be internal to the attacker's network, in which case the attacker
is using his bandwidth to wage the attack.  It might be internal to the
ISP of the attacker, in which case he's just using his ISP's bandwidth
(the attacker could still wage this from an analog dialup).  It could be
remotely possible that it is internal to mindspring, but for that to be,
that network would have to be announced from mindspring (highly doubtful)
and get to the attacker's network (highly doubtful), or maybe the attacker
is actually a mindspring customer (echo requests go out, massive replies
come back) but this would make it way too easy to track down and mindspring
surely has filters on their dialups to block spoofing.  One other possible
cause is that the attacker is spoofing those replies as a secret signature.

All outgoing packets from my network are denied unless their source is one
of my netblocks.  Obviously the attacker is using someone who will not or
cannot do that.

-- 
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at intur.net        |  --
    -- *-----------------------------*      philh at intur.net       * --
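
Added example, not part of the original post: a sketch of the egress rule described above (outgoing packets are denied unless their source is in one of the local netblocks), together with a tally of echo-reply sources by /24 that marks RFC 1918 prefixes such as the 10.177.180.0/24 seen in smurf logs. The netblocks, function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the netblocks this network originates (documentation ranges, constructed).
MY_NETBLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# RFC 1918 private space; never valid as a source on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_permit(src, netblocks=MY_NETBLOCKS):
    """Permit an outgoing packet only if its source is inside a local netblock."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in netblocks)


def summarize_reply_sources(sources, prefixlen=24):
    """Count echo-reply sources per prefix and mark the private (RFC 1918) ones.

    Returns (prefix, count, is_private) tuples, most frequent first.
    """
    counts = Counter()
    for src in sources:
        # strict=False masks the host bits, giving the enclosing prefix.
        counts[ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)] += 1
    return [(str(net), n, any(net.subnet_of(p) for p in RFC1918))
            for net, n in counts.most_common()]


# Constructed sample of echo-reply source addresses as a victim might log them.
SAMPLE_REPLY_SOURCES = [
    "10.177.180.5", "10.177.180.9", "10.177.180.200",
    "203.0.113.7", "203.0.113.8",
]

if __name__ == "__main__":
    # A local host is allowed out; a packet carrying someone else's address
    # (the forged source of a smurf echo request) or private space is dropped.
    for src in ("192.0.2.10", "203.0.113.7", "10.177.180.5"):
        print(src, "permit" if egress_permit(src) else "deny")
    for prefix, n, private in summarize_reply_sources(SAMPLE_REPLY_SOURCES):
        print(prefix, n, "RFC1918" if private else "public")
```

A private prefix in the tally cannot be reported to an operator through routing or whois data, which is why it stands out in such logs.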


