nanog mailing list archives

RE: Broadcast pings.


From: Jamie Scheinblum <jamie () fast net>
Date: Mon, 22 Dec 1997 16:04:30 -0500

Yeah that was my initial thought, but we've been hit now from multiple
nameservers (and constantly machines that are named "ns" or appear in a
'nic record).  I just found it odd that we're only getting hit from
machines matching this pattern.  I guess it was random, but you never
know :-)

Best regards,

Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
jamie () fast net (610)954-5200 http://www.fast.net/
FASTNET - Business and Personal Internet Solutions

-----Original Message-----
From: Al Roethlisberger [SMTP:aroethli () cisco com]
Sent: Monday, December 22, 1997 3:23 PM
To:   Jamie Scheinblum
Cc:   nanog () merit edu
Subject:      Re: Broadcast pings.

At 12:50 PM 12/22/97 -0500, you wrote:
Has anyone seen an increase of broadcast pings, where the source route
appears to be from a nameserver?

We took a look through our access-list logs, and it seems all of the
attempted attacks during the last few days have had an IP-source of a
nameserver.

Just thought it was curious.

Best regards,

Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
jamie () fast net (610)954-5200 http://www.fast.net/
FASTNET - Business and Personal Internet Solutions



Jamie,

It is probably just someone 'smurfing', where they fudge the source ip
of the broadcast ping request.  The actual source of the ICMP request is
probably entirely different than the nameserver you are seeing in your
logs....hence the difficulty (although not impossible) tracking these
attacks.

I would imagine that this poor nameserver in question is also suffering
from the attack as well when all the pinged devices attempt to respond.
You probably have one or more folks using the same dummy address for the
source.  This is the nature of the 'smurf' problem.

Check out:

http://www.quadrunner.com/~chuegen/smurf.cgi

This is a co-worker of mine that has put together some useful background
and tips addressing this issue.

Hope that helps.

al
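
The log review discussed in this thread, as an added example that is not part of the original messages: it counts denied ICMP echo requests aimed at local broadcast addresses and groups them by claimed source, which per the reply above identifies the spoofed victim rather than the sender. The log lines are constructed in the style of Cisco IOS access-list logging, and the prefixes in `LOCAL_NETS` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the prefixes configured on our own LAN segments.
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.0/25")]

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.53 -> 198.51.100.255 (8/0), 4 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.53 -> 203.0.113.127 (8/0), 2 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.53 -> 198.51.100.0 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.9 -> 198.51.100.20 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 198.51.100.255 (0/0), 3 packets
"""

LINE_RE = re.compile(r"denied icmp (\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packets?")

def is_directed_broadcast(dst):
    """True if dst is the network or broadcast address of a local prefix."""
    addr = ipaddress.ip_address(dst)
    for net in LOCAL_NETS:
        if addr in net and addr in (net.network_address, net.broadcast_address):
            return True
    return False

def broadcast_ping_victims(log_text):
    """Count echo requests (ICMP type 8) to broadcast addresses per claimed source."""
    victims = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ICMP deny line in the expected format
        src, dst, icmp_type, _code, count = m.groups()
        if int(icmp_type) == 8 and is_directed_broadcast(dst):
            victims[src] += int(count)
    return victims

if __name__ == "__main__":
    for src, n in broadcast_ping_victims(SAMPLE_LOG).most_common():
        print(f"{src}: {n} broadcast echo requests (claimed source, likely spoofed)")
```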


