Re: [nsp] known networks for broadcast ping attacks

["Jay R. Ashworth" <jra () scfn thpl lib fl us>]

On Wed, Jul 30, 1997 at 03:47:26PM -0400, Jordyn A. Buchanan wrote:
> The LAN is being used indirectly to attack another network.  Pings are
> spoofed as originating from the machine that is being attacked and sent to
> the broadcast address on another network.  This causes every machine on the
> receiving network to send an ECHO_RESPONSE to the machine being attacked,
> esentially creating a huge multiplying effect on a ping flood attack.
>
> Apparently, the MAE-East LAN is one of the networks that attackers are
> using to flood other hosts.

Time to attempt to put my other foot in my mouth.

Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
packets with destination address which are broadcast addresses?

Ok, yes, I know that CIDR makes this harder, but knowing which nets
fall on non-octet boundaries is non-obvious, too, and this particular
attack wasn't trying...

.255 is _always_ a broadcast address, no?

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592