Huge smurf attack

Brandon Ross bross at mindspring.net
Tue Jan 12 03:17:32 UTC 1999


On Mon, 11 Jan 1999, Phil Howard wrote:

> Jeremiah Kristal wrote:
> 
> > I find it even more interesting how often I see 10.177.180.0/24 showing up
> > in smurf logs.
> 
> It could be leaking to the Internet in _some_ places (but it isn't here).
> It might be internal to the attacker's network, in which case the attacker
> is using his bandwidth to wage the attack.  It might be internal to the
> ISP of the attacker, in which case he's just using his ISP's bandwidth
> (the attacker could still wage this from an analog dialup).

Those are all possible, but...

> It could be remotely possible that it is internal to mindspring, but for
> that to be, that network would have to be announced from mindspring
> (highly doubtful)  and get to the attacker's network (highly doubtful),
> or maybe the attacker is actually a mindspring customer (echo requests
> go out, massive replies come back) but this would make it way too easy to
> track down and mindspring surely has filters on their dialups to block
> spoofing. 

Actually we aren't currently using the 10/8 network at all, so that's not
it.

> One other possible cause is that the attacker is spoofing those replies
> as a secret signature. 

That's possible too, however the most likely explanation is that there is
an amplifying network out there somewhere that has this 10.177.180.0/24
network on the same Ethernet segment as some other, publicly accessible
network.  Remember that when a directed broadcast is sent to an Ethernet
(assuming that directed broadcast is turned on in the router) that the NIC
will convert it to a MAC broadcast.  Most (all?) OS's don't actually check
to see if the destination IP address is actually the broadcast of the
subnet that they are on, they just respond.

Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info at mindspring.com
                                                            ICQ:  2269442

Stop Smurf attacks!  Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
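
The shared-segment behaviour described in the message above, as an added example that is not part of the original post: a small Python model of one Ethernet segment carrying both a public subnet and 10.177.180.0/24, comparing hosts that answer any MAC-broadcast echo request with hosts that first check the destination IP. The 192.0.2.0/24 public network, the host addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed segment: two IP subnets sharing one Ethernet broadcast domain.
PUBLIC_NET = ipaddress.ip_network("192.0.2.0/24")      # stand-in for the public network
PRIVATE_NET = ipaddress.ip_network("10.177.180.0/24")  # the network seen in the smurf logs
HOSTS = [ipaddress.ip_interface(h) for h in (
    "192.0.2.10/24", "192.0.2.11/24", "10.177.180.5/24", "10.177.180.6/24")]

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def accepts_lax(iface, dst):
    """Behaviour described in the post: the frame arrived as a MAC
    broadcast, so the host answers without looking at the destination IP."""
    return True


def accepts_strict(iface, dst):
    """Hardened check: answer only the limited broadcast or the broadcast
    address of the subnet this interface is actually configured on."""
    return dst == LIMITED_BROADCAST or dst == iface.network.broadcast_address


def responders(dst, directed_broadcast_enabled, accepts):
    """Source addresses of the echo replies produced by one echo request
    sent to the directed broadcast address dst."""
    dst = ipaddress.ip_address(dst)
    connected = (PUBLIC_NET.broadcast_address, PRIVATE_NET.broadcast_address)
    if not directed_broadcast_enabled or dst not in connected:
        return []  # router drops it; nothing reaches the wire as a MAC broadcast
    # The router emits one MAC broadcast frame, so every NIC on the segment sees it.
    return [str(i.ip) for i in HOSTS if accepts(i, dst)]


def rfc1918_sources(replies):
    """Reply sources a victim would log from private address space."""
    return [r for r in replies
            if any(ipaddress.ip_address(r) in n for n in RFC1918)]


if __name__ == "__main__":
    for name, policy in (("lax", accepts_lax), ("strict", accepts_strict)):
        replies = responders("192.0.2.255", True, policy)
        print(name, replies, "private:", rfc1918_sources(replies))
    print("filtered", responders("192.0.2.255", False, accepts_lax))
```

With lax hosts, the 10.177.180.x machines answer a request addressed only to the public subnet's broadcast. Blocking directed broadcasts at the router removes every reply, whatever the hosts do.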



