nanog mailing list archives

Re: Huge smurf attack


From: Brandon Ross <bross () mindspring net>
Date: Mon, 11 Jan 1999 22:17:32 -0500 (EST)

On Mon, 11 Jan 1999, Phil Howard wrote:

Jeremiah Kristal wrote:

I find it even more interesting how often I see 10.177.180.0/24 showing up
in smurf logs.

It could be leaking to the Internet in _some_ places (but it isn't here).
It might be internal to the attacker's network, in which case the attacker
is using his bandwidth to wage the attack.  It might be internal to the
ISP of the attacker, in which case he's just using his ISP's bandwidth
(the attacker could still wage this from an analog dialup).

Those are all possible, but...

It could be remotely possible that it is internal to mindspring, but for
that to be, that network would have to be announced from mindspring
(highly doubtful)  and get to the attacker's network (highly doubtful),
or maybe the attacker is actually a mindspring customer (echo requests
go out, massive replies come back) but this would make it way too easy to
track down and mindspring surely has filters on their dialups to block
spoofing. 

Actually we aren't currently using the 10/8 network at all, so that's not
it.

One other possible cause is that the attacker is spoofing those replies
as a secret signature. 

That's possible too, however the most likely explanation is that there is
an amplifying network out there somewhere that has this 10.177.180.0/24
network on the same Ethernet segment as some other, publicly accessible
network.  Remember that when a directed broadcast is sent to an Ethernet
(assuming that directed broadcast is turned on in the router) that the NIC
will convert it to a MAC broadcast.  Most (all?) OS's don't actually check
to see if the destination IP address is actually the broadcast of the
subnet that they are on, they just respond.

Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info () mindspring com
                                                            ICQ:  2269442

Stop Smurf attacks!  Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
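
Added example, not part of the original message: a small Python model of the shared-segment explanation above, showing why 10.177.180.0/24 sources can turn up in the replies to a directed broadcast aimed at a different, public subnet. The host list, the 192.0.2.0/24 stand-in network and all function names are constructed for illustration.

```python
import ipaddress

# Constructed segment: two IP subnets sharing one Ethernet broadcast domain.
# 192.0.2.0/24 is a documentation range standing in for the public network;
# 10.177.180.0/24 is the private range named in the thread.
HOSTS = [ipaddress.ip_interface(h) for h in (
    "192.0.2.10/24", "192.0.2.11/24",
    "10.177.180.5/24", "10.177.180.6/24",
)]

def accepts_broadcast(iface, dst, check_subnet):
    """Does this host answer an echo request that arrived in a
    MAC-broadcast frame addressed to IP `dst`?"""
    if not check_subnet:
        # Behaviour described in the post: it came in as a MAC broadcast,
        # so the host replies without looking at which subnet dst belongs to.
        return True
    # Stricter host: dst must be its own subnet's broadcast address
    # or the limited broadcast address.
    return dst in (iface.network.broadcast_address,
                   ipaddress.ip_address("255.255.255.255"))

def responders(dst, check_subnet):
    """Source addresses of the echo replies the segment would generate."""
    dst = ipaddress.ip_address(dst)
    return [str(i.ip) for i in HOSTS if accepts_broadcast(i, dst, check_subnet)]

def off_subnet_sources(dst_network, reply_sources):
    """Log-side check: reply sources that are outside the subnet whose
    broadcast address was targeted, i.e. a second subnet on the same wire."""
    net = ipaddress.ip_network(dst_network)
    return sorted({s for s in reply_sources if ipaddress.ip_address(s) not in net})

if __name__ == "__main__":
    lax = responders("192.0.2.255", check_subnet=False)
    strict = responders("192.0.2.255", check_subnet=True)
    print("lax hosts reply from:   ", lax)
    print("strict hosts reply from:", strict)
    print("unexpected sources:     ", off_subnet_sources("192.0.2.0/24", lax))
```

With directed broadcasts blocked on the router interface, as the signature line recommends, the frame never reaches the segment and neither host policy is exercised.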


