nanog mailing list archives
Re: Huge smurf attack
From: Brandon Ross <bross () mindspring net>
Date: Mon, 11 Jan 1999 22:17:32 -0500 (EST)
On Mon, 11 Jan 1999, Phil Howard wrote:

> Jeremiah Kristal wrote:
> > I find it even more interesting how often I see 10.177.180.0/24
> > showing up in smurf logs.
>
> It could be leaking to the Internet in _some_ places (but it isn't here).
> It might be internal to the attacker's network, in which case the attacker
> is using his bandwidth to wage the attack. It might be internal to the ISP
> of the attacker, in which case he's just using his ISP's bandwidth (the
> attacker could still wage this from an analog dialup).

Those are all possible, but...

> It could be remotely possible that it is internal to mindspring, but for
> that to be, that network would have to be announced from mindspring (highly
> doubtful) and get to the attacker's network (highly doubtful), or maybe the
> attacker is actually a mindspring customer (echo requests go out, massive
> replies come back) but this would make it way too easy to track down and
> mindspring surely has filters on their dialups to block spoofing.

Actually we aren't currently using the 10/8 network at all, so that's not it.

> One other possible cause is that the attacker is spoofing those replies as
> a secret signature.

That's possible too, however the most likely explanation is that there is an amplifying network out there somewhere that has this 10.177.180.0/24 network on the same Ethernet segment as some other, publicly accessible network. Remember that when a directed broadcast is sent to an Ethernet (assuming that directed broadcast is turned on in the router) that the NIC will convert it to a MAC broadcast. Most (all?) OS's don't actually check to see if the destination IP address is actually the broadcast of the subnet that they are on, they just respond.

Brandon Ross  Network Engineering  404-815-0770  800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info () mindspring com
ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts.
See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
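
Added example, not part of the original message: a small Python model of the shared-segment explanation above, comparing hosts that answer any MAC-broadcast echo request with hosts that first check the destination against their own subnet's broadcast address. The segment layout, the host addresses and the use of 192.0.2.0/24 as the public network are constructed assumptions; only 10.177.180.0/24 comes from the thread.

```python
import ipaddress

# Constructed segment: one Ethernet carrying hosts numbered out of two subnets.
# 192.0.2.0/24 (documentation range) stands in for the public network;
# 10.177.180.0/24 is the private network named in the thread.
SEGMENT = [ipaddress.ip_interface(a) for a in (
    "192.0.2.10/24", "192.0.2.11/24", "10.177.180.5/24", "10.177.180.6/24")]

RFC1918 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_own_broadcast(dst, iface):
    """True if dst is 255.255.255.255 or the broadcast of iface's own subnet."""
    dst = ipaddress.ip_address(dst)
    return dst == LIMITED_BROADCAST or dst == iface.network.broadcast_address


def reply_sources(dst, hosts, strict):
    """Source addresses of the echo replies one broadcast frame would draw.

    Every host on the segment sees the frame once the router has turned the
    directed broadcast into a MAC broadcast. A lax stack answers whatever dst
    is; a strict stack answers only the broadcast of its own subnet.
    """
    return [str(h.ip) for h in hosts if not strict or is_own_broadcast(dst, h)]


def rfc1918_sources(sources):
    """Reply sources in private space, as a victim's log would show them."""
    return [s for s in sources
            if any(ipaddress.ip_address(s) in net for net in RFC1918)]


if __name__ == "__main__":
    dst = "192.0.2.255"  # directed broadcast of the public subnet
    for strict in (False, True):
        replies = reply_sources(dst, SEGMENT, strict)
        print("strict" if strict else "lax", replies, rfc1918_sources(replies))
```

With the lax behaviour the 10.177.180.x hosts show up as reply sources even though the request was addressed to the public subnet's broadcast; with the strict check they stay silent.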