Security Incidents mailing list archives

Re: smurf scanning


From: rob () NETWORKICE COM (Robert Graham)
Date: Mon, 21 Feb 2000 14:34:06 -0800


My home computer is on a DSL line that gets a lot of smurf/fraggle scans,
and appears to be used occasionally as an amplifier. I see constant incoming
packets to x.x.x.0 and x.x.x.255 using UDP port 7/echo and ICMP type 8/ping.
Most of these are simple scans, but once someone was actively
smurfing/fraggling.

My guess is that my ISP is listed as a smurf amplifier, and is checked every
so often, and occasionally used. I really should complain to my ISP, but I
just have too much fun watching hackers at play.

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Jon Lewis
Sent: Sunday, February 20, 2000 3:18 PM
To: INCIDENTS () securityfocus com
Subject: smurf scanning

I was scanning through some firewall logs for a client this weekend and
noticed 40 scans in the past week for either 8/0/icmp x.y.z.0 or 8/0/icmp
x.y.z.255 (they have a T1 to the net and a single /24).  A lot of the scans
came from dialups in Italy or the UK.  A few were hacked Linux boxes (one
in the US, one in Italy, one in Korea).  I guess the people who use smurf
have to continually hunt for networks appropriate for smurf
amplification...but I didn't realize they were this actively scanning the
net.

Also present in the logs were people scanning the entire /24 for DNS
servers, and other less common protocols.  Are others seeing/noticing
similar things?

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
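
The log pattern both messages describe (ICMP type 8 code 0, or UDP port 7/echo, sent to the .0 or .255 address of a /24) can be pulled out of firewall logs with a short filter. This is an added example, not code from either poster; the log format, the addresses and the function names are assumptions, and it generalizes from .0/.255 to the network and broadcast address of whatever prefix is configured.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in a hypothetical log format (an assumption):
#   <timestamp> <src> <dst> <proto> <icmp type/code or udp dst port>
SAMPLE_LOG = """\
2000-02-19T03:12:44 198.51.100.23 192.0.2.0 icmp 8/0
2000-02-19T03:12:45 198.51.100.23 192.0.2.255 icmp 8/0
2000-02-19T09:40:02 203.0.113.77 192.0.2.255 udp 7
2000-02-19T11:05:10 203.0.113.9 192.0.2.17 icmp 8/0
2000-02-20T01:22:31 198.51.100.200 192.0.2.53 udp 53
2000-02-20T14:00:00 203.0.113.77 192.0.2.0 udp 7
malformed line
"""

PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local /24


def is_amplifier_probe(dst, proto, detail, net=PROTECTED_NET):
    """True for an ICMP echo request or UDP echo aimed at the network or broadcast address."""
    if dst not in (net.network_address, net.broadcast_address):
        return False  # ordinary host traffic, e.g. a ping to .17
    return (proto, detail) in (("icmp", "8/0"), ("udp", "7"))


def find_probes(log_text, net=PROTECTED_NET):
    """Return {source: [(timestamp, dst, kind), ...]} for smurf/fraggle probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, proto, detail = fields
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination is not a parseable address
        if is_amplifier_probe(dst_ip, proto, detail, net):
            kind = "smurf" if proto == "icmp" else "fraggle"
            hits[src].append((ts, dst, kind))
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_probes(SAMPLE_LOG).items():
        print(src, len(events), sorted({kind for _, _, kind in events}))
```

Grouping by source separates a single sweep from a source that keeps returning, which is the distinction the first message draws between scans and active use.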

