nanog mailing list archives
RE: Smurf Amp Nets
From: "Martin, Christian" <CMartin () mercury balink com>
Date: Fri, 19 Jun 1998 14:19:37 -0400
On Thu, Jun 18, 1998 at 10:16:38PM -0700, Vern Paxson wrote:

0.0.0.0 10.0.4.0 127.0.0.0 255.255.255.0

These are pretty cool, I must say. Exactly how does the smurf attacker route their echo requests to them?

Vern

They are straight forged packet flows.

These also can be situations where layer two devices have private networks mixed in with public networks on the same VLAN. Remember broadcast address translation between layer 3 & 2 through a store-and-forward (or cut-through - any MIN type box will do this) switch will generate MAC layer frames and deliver them out of each port in the VLAN. I know broadcast pings on a Cisco device that is connected to a switch, where the output interface has IP block A, and the VLAN has IP blocks C, D, E, will result in replies from all networks connected to the VLAN, not just the IP block configured on the router. This is why on almost every attack we've seen here, there have been RFC 1918 addresses involved as amplifiers.

Christian
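
An added example, not part of the original message: a small audit an operator could run over the echo-reply sources collected after a broadcast ping on their own segment, to find hosts answering from blocks that are not configured on the router interface (the mixed-VLAN situation described above). The function name, the report keys and all sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_replies(configured, reply_sources):
    """Classify echo-reply sources seen after a broadcast ping on our own segment.

    configured:    prefixes configured on the router's output interface ("block A").
    reply_sources: source addresses of the echo replies that came back.
    Returns a dict mapping a category name to a sorted list of addresses.
    """
    nets = [ipaddress.ip_network(c) for c in configured]
    report = defaultdict(list)
    # De-duplicate, then sort numerically so the report is stable.
    for src in sorted({ipaddress.ip_address(s) for s in reply_sources}):
        if any(src in n for n in nets):
            report["configured"].append(str(src))
        elif any(src in n for n in RFC1918):
            # Private block sharing the VLAN with the routed block.
            report["off_subnet_rfc1918"].append(str(src))
        else:
            # Another public block ("C, D, E") living on the same VLAN.
            report["off_subnet_public"].append(str(src))
    return dict(report)


# Constructed sample: the interface carries 192.0.2.0/24, but hosts from
# two private blocks and one other public block also answered.
SAMPLE_CONFIGURED = ["192.0.2.0/24"]
SAMPLE_REPLIES = [
    "192.0.2.10", "10.0.4.7", "192.0.2.11", "172.16.3.2",
    "10.0.4.9", "198.51.100.5", "10.0.4.7",  # duplicate reply
]

if __name__ == "__main__":
    for category, hosts in audit_replies(SAMPLE_CONFIGURED, SAMPLE_REPLIES).items():
        print(f"{category}: {', '.join(hosts)}")
```

Any address reported under the two off-subnet categories is a host that shares the broadcast domain without belonging to the block configured on the router.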