nanog mailing list archives
Re: Huge smurf attack
From: Phil Howard <phil () whistler intur net>
Date: Mon, 11 Jan 1999 11:52:09 -0600 (CST)
Jeremiah Kristal wrote:
I agree that clueful operators filter RFC1918 addresses at their borders and that they do not accept advertisements for RFC1918 space, however, there is a specific network (10.177.180/24) that appears again and again in smurf logs. I find it rather interesting that with 65k available /24s in the 10/8 space, one specific /24 pops up much more often than any other. Granted it's not that large an amplifier, but it seems odd that even an RFC1918 network would be used as an amplifier for this long without someone finding and securing it.
My biggest suspicion is that the clueless script kiddie(s) involved did a scan for amplifiers w/o regard to RFC1918 (the number of addresses in RFC1918 is a mere 0.476% of the whole possible range), and never filtered them out. They perhaps did make the attack slightly worse than w/o, so maybe leaving them in was intended. Now if we can identify who has 10.177.180/24 internally, we could be getting somewhere. One thing that could be useful when reducing attack sniff data to a list of addresses is to produce a frequency of occurrence for each address. There may be wide ranges in the frequencies. If 10.177.180/24 shows up very rarely compared to the rest, that could indicate that the attack is originating on a relatively low speed network with 10.177.180/24 being behind that network. OTOH, if it is about the same, then the bandwidth for that network would be relatively high. -- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --
Current thread:
- Huge smurf attack Brandon Ross (Jan 09)
- Re: Huge smurf attack Brandon Ross (Jan 09)
- Re: Huge smurf attack Brandon Ross (Jan 09)
- <Possible follow-ups>
- Re: Huge smurf attack Brandon Ross (Jan 09)
- Re: Huge smurf attack Phil Howard (Jan 09)
- Re: Huge smurf attack Jeremiah Kristal (Jan 11)
- Re: Huge smurf attack Joe Shaw (Jan 11)
- Re: Huge smurf attack Phil Howard (Jan 11)
- Re: Huge smurf attack Jeremiah Kristal (Jan 11)
- Re: Huge smurf attack Phil Howard (Jan 11)
- Re: Huge smurf attack Dalvenjah FoxFire (Jan 11)
- Re: Huge smurf attack Alex P. Rudnev (Jan 11)
- Re: Huge smurf attack Dan Hollis (Jan 11)
- Solution: Re: Huge smurf attack Jon Lewis (Jan 11)
- Re: Solution: Re: Huge smurf attack Dan Hollis (Jan 11)
- Re: Solution: Re: Huge smurf attack Jon Lewis (Jan 11)
- Re: Solution: Re: Huge smurf attack Phil Howard (Jan 11)
- Re: Solution: Re: Huge smurf attack Daniel Senie (Jan 11)
- Re: Solution: Re: Huge smurf attack Dan Hollis (Jan 11)
- Re: Solution: Re: Huge smurf attack Craig A. Huegen (Jan 12)
- Re: Huge smurf attack Phil Howard (Jan 09)
- Re: Huge smurf attack Brandon Ross (Jan 09)