nanog mailing list archives

Re: Huge smurf attack


From: Phil Howard <phil () whistler intur net>
Date: Mon, 11 Jan 1999 11:52:09 -0600 (CST)

Jeremiah Kristal wrote:

I agree that clueful operators filter RFC1918 addresses at their borders
and that they do not accept advertisements for RFC1918 space, however,
there is a specific network (10.177.180/24) that appears again and again
in smurf logs.  I find it rather interesting that with 65k available /24s
in the 10/8 space, one specific /24 pops up much more often than any
other.  Granted it's not that large an amplifier, but it seems odd that
even an RFC1918 network would be used as an amplifier for this long
without someone finding and securing it.

My biggest suspicion is that the clueless script kiddie(s) involved did
a scan for amplifiers w/o regard to RFC1918 (the number of addresses in
RFC1918 is a mere 0.476% of the whole possible range), and never filtered
them out.  They perhaps did make the attack slightly worse than w/o, so
maybe leaving them in was intended.  Now if we can identify who has
10.177.180/24 internally, we could be getting somewhere.

One thing that could be useful when reducing attack sniff data to a list
of addresses is to produce a frequency of occurrence for each address.
There may be wide ranges in the frequencies.  If 10.177.180/24 shows up
very rarely compared to the rest, that could indicate that the attack is
originating on a relatively low speed network with 10.177.180/24 being
behind that network.  OTOH, if it is about the same, then the bandwidth
for that network would be relatively high.

-- 
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at intur.net        |  --
    -- *-----------------------------*      philh at intur.net       * --
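The frequency-of-occurrence reduction Phil describes, as an added example that is not part of the original post or the NANOG thread: it takes tcpdump-style capture lines from a smurf victim, keeps only ICMP echo replies, counts them per source /24 (the amplifier broadcast domain), flags sources that fall in RFC1918 space, and compares one prefix's reply rate against the mean of the others so a rarely seen prefix such as 10.177.180/24 stands out as a low-bandwidth amplifier. The capture lines, the addresses in them and the function names are all constructed for this example; 10.177.180/24 is the only value taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style capture as a smurf victim (203.0.113.5) would see it.
# Sample data only: two documentation-prefix amplifier networks answering twice each,
# one stray echo request, and a lone reply from the RFC1918 prefix named in the post.
SAMPLE_CAPTURE = """\
12:01:00.000010 IP 192.0.2.17 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1008
12:01:00.000025 IP 192.0.2.18 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1008
12:01:00.000040 IP 192.0.2.19 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1008
12:01:00.000100 IP 198.51.100.200 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1008
12:01:00.000115 IP 198.51.100.201 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1008
12:01:00.000500 IP 203.0.113.5 > 192.0.2.1: ICMP echo request, id 9, seq 1, length 64
12:01:00.010010 IP 192.0.2.17 > 203.0.113.5: ICMP echo reply, id 7, seq 2, length 1008
12:01:00.010025 IP 192.0.2.18 > 203.0.113.5: ICMP echo reply, id 7, seq 2, length 1008
12:01:00.010040 IP 192.0.2.19 > 203.0.113.5: ICMP echo reply, id 7, seq 2, length 1008
12:01:00.010100 IP 198.51.100.200 > 203.0.113.5: ICMP echo reply, id 7, seq 2, length 1008
12:01:00.010115 IP 198.51.100.201 > 203.0.113.5: ICMP echo reply, id 7, seq 2, length 1008
12:01:00.250000 IP 10.177.180.9 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1008
"""

# The three RFC1918 private ranges; a smurf amplifier in any of them is unroutable
# from the Internet and must sit inside (or be leaked by) the attacker's upstream.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Matches "IP <src> > <dst>: ICMP echo reply" as tcpdump prints it; requests are ignored.
REPLY_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo reply")


def parse_replies(capture):
    """Return the source address (as a string) of every ICMP echo reply line."""
    sources = []
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            sources.append(m.group(1))
    return sources


def is_rfc1918(addr):
    """True if the address lies in one of the RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def prefix_frequencies(sources, prefixlen=24):
    """Count replies per source /prefixlen network, i.e. per amplifier broadcast domain."""
    return Counter(
        str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)) for a in sources
    )


def relative_to_others(counts, prefix):
    """Ratio of one prefix's reply count to the mean count of all other prefixes.

    A value well below 1 means the prefix answers far less often than its peers,
    which (as the post argues) points at a low-speed network behind the amplifier.
    """
    others = [n for p, n in counts.items() if p != prefix]
    if not others:
        return None
    return counts[prefix] / (sum(others) / len(others))


def amplifier_report(capture, prefixlen=24):
    """Reduce a capture to a list of {prefix, replies, share, rfc1918}, busiest first."""
    sources = parse_replies(capture)
    total = len(sources)
    counts = prefix_frequencies(sources, prefixlen)
    return [
        {
            "prefix": net,
            "replies": n,
            "share": n / total,
            "rfc1918": is_rfc1918(ipaddress.ip_network(net).network_address),
        }
        for net, n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in amplifier_report(SAMPLE_CAPTURE):
        flag = " (RFC1918)" if row["rfc1918"] else ""
        print(f'{row["prefix"]:<18} {row["replies"]:>4} replies  {row["share"]:6.1%}{flag}')
    counts = prefix_frequencies(parse_replies(SAMPLE_CAPTURE))
    print("10.177.180.0/24 vs. others:", relative_to_others(counts, "10.177.180.0/24"))
```

Run against a real capture, the non-RFC1918 prefixes at the top of the table are the amplifier networks worth notifying so they disable directed broadcast, and the share column gives a rough ranking of how much each contributes to the flood; the RFC1918 rows cannot be contacted that way and only say something about the attacker's upstream.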

